Your message dated Wed, 04 Aug 2010 04:17:23 +0000
with message-id <e1ogvpv-0003gc...@franck.debian.org>
and subject line Bug#591552: fixed in cabextract 1.3-1
has caused the Debian Bug report #591552,
regarding Two security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
591552: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591552
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cabextract
Version: 1.2-4
Severity: grave
Tags: security

The following was sent to us by Red Hat:

1, Infinite loop in MS-ZIP and Quantum decoders (minor issue):
(CVE-2010-2800)

A deficiency has been reported in the way cabextract extracted
certain Cabinet (*.cab) files, using the MS-ZIP and Quantum decompressors.
If a local user was tricked into opening a specially-crafted *.cab
file, it could lead to an infinite loop.

References:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=329891

Upstream patches:
  [2] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=90
  [3] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=95
  [4] http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/

2, Integer wrap-around (crash) by processing certain *.cab files in test archive mode
(CVE-2010-2801)

An integer wrap-around flaw has been reported in the way cabextract processed
certain Cabinet (*.cab) archive files. If a local user was tricked into opening
a specially-crafted *.cab archive in test archive mode, it could lead to a
cabextract executable crash.

References:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=329891

Upstream patches:
  [2] http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/qtmd.c?r1=114&r2=113
  [3] http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=118

I'll update CVE-2010-2801 for stable-security; CVE-2010-2800 is borderline as a
security issue.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages cabextract depends on:
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib

cabextract recommends no packages.

cabextract suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: cabextract
Source-Version: 1.3-1

We believe that the bug you reported is fixed in the latest version of
cabextract, which is due to be installed in the Debian FTP archive:

cabextract_1.3-1.debian.tar.gz
  to main/c/cabextract/cabextract_1.3-1.debian.tar.gz
cabextract_1.3-1.dsc
  to main/c/cabextract/cabextract_1.3-1.dsc
cabextract_1.3-1_i386.deb
  to main/c/cabextract/cabextract_1.3-1_i386.deb
cabextract_1.3.orig.tar.gz
  to main/c/cabextract/cabextract_1.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 591...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Sharkey <shar...@debian.org> (supplier of updated cabextract package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 03 Aug 2010 23:38:56 -0400
Source: cabextract
Binary: cabextract
Architecture: source i386
Version: 1.3-1
Distribution: unstable
Urgency: low
Maintainer: Eric Sharkey <shar...@debian.org>
Changed-By: Eric Sharkey <shar...@debian.org>
Description: 
 cabextract - a program to extract Microsoft Cabinet files
Closes: 591552
Changes: 
 cabextract (1.3-1) unstable; urgency=low
 .
   * New upstream version: Closes: #591552
Checksums-Sha1: 
 7550c147052db27aadbe923fbb50e9471e7b243c 993 cabextract_1.3-1.dsc
 f00ffc4168855b7ef684594614f7242d77540441 218454 cabextract_1.3.orig.tar.gz
 c73861ac8401489b7b7ef5d86d0aaf410a26f7f2 6997 cabextract_1.3-1.debian.tar.gz
 7c8e5474e1f5d33c85272bc21448513bbbc3e594 48970 cabextract_1.3-1_i386.deb
Checksums-Sha256: 
 27320c7d581edb226ce5291199609c6fda28ee1915340077d6403cc10651fdd7 993 cabextract_1.3-1.dsc
 3b62086d0e7b5fd2d649dac09b7cacb36c02acaff5bbfcea5fffe48cd1bc1739 218454 cabextract_1.3.orig.tar.gz
 7b931203203fba13f7d4623386aeb76b8906ca5e7f10f0d239e1355e7650d65f 6997 cabextract_1.3-1.debian.tar.gz
 cccc69e48bd866859930c6fae7d05f83070bf600a3c6e7be64a723aa2942f24a 48970 cabextract_1.3-1_i386.deb
Files: 
 e78c4cc4b035a81aa3b2cbaf93f308a3 993 utils optional cabextract_1.3-1.dsc
 dd520b9d6896a963b01f19c647d5f206 218454 utils optional cabextract_1.3.orig.tar.gz
 dbc2e021683001adc15cc7fb0fc12bf1 6997 utils optional cabextract_1.3-1.debian.tar.gz
 d29d76365ab3c19042c7761e1752ebf7 48970 utils optional cabextract_1.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxY5LUACgkQclUlAyIk+ryGUQCdHtF/yJX3eD6Ok6fdnt/4BSEv
uugAoJKb3z4urXNqWp2RMvqUpphK8ilD
=VS15
-----END PGP SIGNATURE-----



--- End Message ---