Your message dated Sun, 11 Jul 2010 19:55:38 +0000
with message-id <e1oy2ck-0006th...@franck.debian.org>
and subject line Bug#587700: fixed in python-cjson 1.0.5-1+lenny1
has caused the Debian Bug report #587700,
regarding python-cjson: CVE-2010-1666: buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
587700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587700
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-cjson
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
python-cjson.
Quoting the original bug report[1]:
> There is a buffer overrun in cjson 1.0.5, on UCS4 builds. The string length
> is only resized for wide unicode characters if there is less than 12 bytes
> of space left. Padding with narrow-but-escaped characters prevents string
> resizing.
>
> The following line exhibits the overrun (it *may* segfault or display
garbage, etc):
> >>> cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E\u1234\u1234\u12
> >>> 34\u1234\u1234\u1234')
>
> (u'\U0001D11E\u1234' also breaks, but sometimes goes undetected.)
This issue has been assigned CVE-2010-1666.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
If possible, please provide packages for stable (to be released via the
security archive.)
For further information see:
[1]https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
--- Begin Message ---
Source: python-cjson
Source-Version: 1.0.5-1+lenny1
We believe that the bug you reported is fixed in the latest version of
python-cjson, which is due to be installed in the Debian FTP archive:
python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
to main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
python-cjson_1.0.5-1+lenny1.diff.gz
to main/p/python-cjson/python-cjson_1.0.5-1+lenny1.diff.gz
python-cjson_1.0.5-1+lenny1.dsc
to main/p/python-cjson/python-cjson_1.0.5-1+lenny1.dsc
python-cjson_1.0.5-1+lenny1_amd64.deb
to main/p/python-cjson/python-cjson_1.0.5-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 587...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
(supplier of updated python-cjson package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 10 Jul 2010 15:02:09 +0200
Source: python-cjson
Binary: python-cjson python-cjson-dbg
Architecture: source amd64
Version: 1.0.5-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Debian Python Modules Team
<python-modules-t...@lists.alioth.debian.org>
Description:
python-cjson - Very fast JSON encoder/decoder for Python
python-cjson-dbg - Very fast JSON encoder/decoder for Python (debug extension)
Closes: 587700
Changes:
python-cjson (1.0.5-1+lenny1) stable-security; urgency=high
.
[ Christian Kastner ]
* debian/rules:
- Use simple-patchsys from cdbs for patch below
* debian/patches:
- Include patch 0001-fix-for-CVE-2010-1666 from unstable:
Matt Giuca discovered a buffer overflow when encoding wide unicode
characters on UCS4 builds. This fix was taken from Ubuntu
LP #585274, which he provided.
Closes: #587700, Fixes: CVE-2010-1666
Checksums-Sha1:
8ddfe9fc940ac0b0e568e29b32b118918cfe697c 1222 python-cjson_1.0.5-1+lenny1.dsc
a00519debfdc6dcc33acfe68dc10ee4866fdcd8b 10978 python-cjson_1.0.5.orig.tar.gz
d6af8aeac422fcce82fe9051407047dc7f38b87a 3892
python-cjson_1.0.5-1+lenny1.diff.gz
a449ee5a631fcce7bdf62110ef68e723c8694fa4 16882
python-cjson_1.0.5-1+lenny1_amd64.deb
834afa577d182f3a491dced61df665e109143ce6 73264
python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
Checksums-Sha256:
ecbf31b27949eecc051654a59edba2a6210a818e3f07492ad7c92dd841a60d10 1222
python-cjson_1.0.5-1+lenny1.dsc
85bbe7a9fb6617e24bb4dbef528af8ef6eae07f8809dcd05ec926142feca7714 10978
python-cjson_1.0.5.orig.tar.gz
efe2e849f67368bc3b2595dcd8600e0c67d44d31a70d498978592a21b976f9a1 3892
python-cjson_1.0.5-1+lenny1.diff.gz
0a9e8912c392706346bd710e1fa866c34032a01dc995a1fa1d0d11f690ab51a2 16882
python-cjson_1.0.5-1+lenny1_amd64.deb
c6856590228009788b94d91773210a2f45af094199c8aebf4a65c99703ea5e36 73264
python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
Files:
64a01e8f53b2ede46a66bca6ac19b693 1222 python optional
python-cjson_1.0.5-1+lenny1.dsc
4d55b66ecdf0300313af9d030d9644a3 10978 python optional
python-cjson_1.0.5.orig.tar.gz
106f2da130d255e076a7bf8f5c58a593 3892 python optional
python-cjson_1.0.5-1+lenny1.diff.gz
7fca836c1f1ddaf1a3cb689ab18e9ed7 16882 python optional
python-cjson_1.0.5-1+lenny1_amd64.deb
058c96847871f8a1850c2e6b785b38d5 73264 python optional
python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkw4/GIACgkQBnqtBMk7/3mkjgCglWzfigraLTA7fb4XiuMbUy3K
7s4AoLTIQLzcEWIKGypchOr3M7CPCZj4
=EAzx
-----END PGP SIGNATURE-----
--- End Message ---
