Your message dated Tue, 18 May 2010 23:33:08 +0900
with message-id <20100518143308.gy28...@gamma.logic.tuwien.ac.at>
and subject line Re: Bug#582116: texlive-bin: CVE-2010-0829 multiple array
index errors
has caused the Debian Bug report #582116,
regarding texlive-bin: CVE-2010-0829 multiple array index errors
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
582116: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582116
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: texlive-bin
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for texlive-bin:
CVE-2010-0829[0]:
| Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
| teTeX, allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a malformed
| DVI file.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829
http://security-tracker.debian.net/tracker/CVE-2010-0829
Cheers,
--Seb
--- End Message ---
--- Begin Message ---
On Di, 18 Mai 2010, Sebastien Delafond wrote:
> CVE-2010-0829[0]:
> | Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
> | teTeX, allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a malformed
> | DVI file.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
And could you *PLEASE* verify *before* submitting a grave bug that this
actually applies to the package?????????????????????????????
Ever tried a simple incantation like
dlocate dvipng
????
texlive (upstream) does ship dvipng, but in Debian we do NOT ship
dvipng, this has its separate package.
So as long as you have more convincing arguments but the
"... and teTeX ..."
I am closing this bug.
Thanks for putting rubbish check work onto me.
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829
Nothing there mentions TeX Live
Furthermore, the page
http://security-tracker.debian.org/tracker/CVE-2010-0829
is also rubbish: It mentions:
  texlive-bin (PTS)   etch             2005.dfsg.2-12          vulnerable
                      etch-backports   2007.dfsg.2-3~bpo40+1   vulnerable
                      lenny            2007.dfsg.2-4+lenny2    vulnerable
                      squeeze, sid     2009-6                  vulnerable
But nobody explains what there is vulnerable....
arggggg.....
Have a nice day
Norbert
------------------------------------------------------------------------
Norbert Preining prein...@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
TIMBLE (vb.)
(Of small nasty children.) To fall over very gently, look around to
see who's about, and then yell blue murder.
--- Douglas Adams, The Meaning of Liff
--- End Message ---