Your message dated Mon, 27 Sep 2010 16:18:16 +0000
with message-id <e1p0gpa-0006mi...@franck.debian.org>
and subject line Bug#597540: fixed in libwnck 2.30.4-2
has caused the Debian Bug report #597540,
regarding [SECURITY] [DSA-2112-1] CVE-2010-0405 integer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
597540: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597540
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bzip2
Version: 1.0.5-5
Severity: serious
Tags: security patch pending
On Mon, Sep 20, 2010 at 11:05:59AM +0000, Stefan Fritsch wrote:
>Mikolaj Izdebski has discovered an integer overflow flaw in the
>BZ2_decompress function in bzip2/libbz2. An attacker could use a
>crafted bz2 file to cause a denial of service (application crash)
>or potentially to execute arbitrary code. (CVE-2010-0405)
On Mon, Sep 13, 2010 at 06:18:30AM +0200, Stefan Fritsch wrote:
>diff -U 5 bzip2-1.0.5-orig/decompress.c bzip2-1.0.5-mod/decompress.c
>--- bzip2-1.0.5-orig/decompress.c 2007-12-09 13:31:31.000000000 +0100
>+++ bzip2-1.0.5-mod/decompress.c 2010-06-23 23:05:49.000000000 +0200
>@@ -379,10 +379,17 @@
> if (nextSym == BZ_RUNA || nextSym == BZ_RUNB) {
>
> es = -1;
> N = 1;
> do {
>+ /* Check that N doesn't get too big, so that es doesn't
>+ go negative. The maximum value that can be
>+ RUNA/RUNB encoded is equal to the block size (post
>+ the initial RLE), viz, 900k, so bounding N at 2
>+ million should guard against overflow without
>+ rejecting any legitimate inputs. */
>+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
> if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
> if (nextSym == BZ_RUNB) es = es + (1+1) * N;
> N = N * 2;
> GET_MTF_VAL(BZ_X_MTF_3, BZ_X_MTF_4, nextSym);
> }
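Review bot: the new guard bounds N, but the value that actually wraps and is later used as a run length is es, and the comment "so that es doesn't go negative" should say why bounding N is sufficient: N doubles once per iteration, so with the loop cut off at N >= 2*1024*1024 the largest es reachable is the sum of (1+1)*N over N = 1, 2, ..., 2^20, which stays well inside a signed 32-bit int, whereas without the check N itself overflows after 31 doublings and poisons es. It would also be worth pairing the change with a regression stream that drives the loop into the new RETURN(BZ_DATA_ERROR) path so the bound is exercised rather than only documented.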
--- End Message ---
--- Begin Message ---
Source: libwnck
Source-Version: 2.30.4-2
We believe that the bug you reported is fixed in the latest version of
libwnck, which is due to be installed in the Debian FTP archive:
gir1.0-wnck-1.0_2.30.4-2_amd64.deb
to main/libw/libwnck/gir1.0-wnck-1.0_2.30.4-2_amd64.deb
libwnck-common_2.30.4-2_all.deb
to main/libw/libwnck/libwnck-common_2.30.4-2_all.deb
libwnck-dev_2.30.4-2_amd64.deb
to main/libw/libwnck/libwnck-dev_2.30.4-2_amd64.deb
libwnck22_2.30.4-2_amd64.deb
to main/libw/libwnck/libwnck22_2.30.4-2_amd64.deb
libwnck_2.30.4-2.debian.tar.gz
to main/libw/libwnck/libwnck_2.30.4-2.debian.tar.gz
libwnck_2.30.4-2.dsc
to main/libw/libwnck/libwnck_2.30.4-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 597...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Josselin Mouette <j...@debian.org> (supplier of updated libwnck package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 27 Sep 2010 17:59:18 +0200
Source: libwnck
Binary: libwnck22 libwnck-dev libwnck-common gir1.0-wnck-1.0
Architecture: source all amd64
Version: 2.30.4-2
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <j...@debian.org>
Changed-By: Josselin Mouette <j...@debian.org>
Description:
gir1.0-wnck-1.0 - GObject introspection data for the WNCK library
libwnck-common - Window Navigator Construction Kit - common files
libwnck-dev - Window Navigator Construction Kit - development files
libwnck22 - Window Navigator Construction Kit - runtime files
Closes: 597540 597911 598122
Changes:
libwnck (2.30.4-2) unstable; urgency=low
.
* 10_pager_multirow.patch: stolen upstream. Fix an uninitialized value
bug that causes issues with:
+ Multi-row pagers. Closes: #597540.
+ Vertical pagers. Closes: #598122.
+ Xmonad. Closes: #597911.
--- End Message ---