Your message dated Tue, 18 May 2010 23:33:08 +0900
with message-id <20100518143308.gy28...@gamma.logic.tuwien.ac.at>
and subject line Re: Bug#582116: texlive-bin: CVE-2010-0829 multiple array 
index errors
has caused the Debian Bug report #582116,
regarding texlive-bin: CVE-2010-0829 multiple array index errors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
582116: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582116
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: texlive-bin
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for texlive-bin:

CVE-2010-0829[0]:
| Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
| teTeX, allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a malformed
| DVI file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829
    http://security-tracker.debian.net/tracker/CVE-2010-0829

Cheers,

--Seb



--- End Message ---
--- Begin Message ---
On Di, 18 Mai 2010, Sebastien Delafond wrote:
> CVE-2010-0829[0]:
> | Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
> | teTeX, allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a malformed
> | DVI file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

And could you *PLEASE* verify *before* submitting a grave bug that this
actually applies to the pacakge?????????????????????????????

Ever tried a simple incantation like
        dlocate dvipng
????

texlive (upstream) does ship dvipng, but in Debian we do NOT ship 
dvipng, this has its separate package.

So as long as you have more convincing arguments but the 
        "... and teTeX ..."
I am closing this bug.

Thanks for putting rubbish check work onto me.

> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829

Nothing there mentions TeX Live

Furthermore, the page 
        http://security-tracker.debian.org/tracker/CVE-2010-0829
is also rubbish: It mentions:
texlive-bin (PTS)       etch    2005.dfsg.2-12  vulnerable
        etch-backports  2007.dfsg.2-3~bpo40+1   vulnerable
        lenny   2007.dfsg.2-4+lenny2    vulnerable
        squeeze, sid    2009-6  vulnerable

But nobody explains what there is vulnerable....

arggggg.....


Have a nice day

Norbert
------------------------------------------------------------------------
Norbert Preining            prein...@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan                                 TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
TIMBLE (vb.)
(Of small nasty children.) To fail over very gently, look around to
see who's about, and then yell blue murder.
                        --- Douglas Adams, The Meaning of Liff


--- End Message ---

Reply via email to