Your message dated Wed, 16 May 2012 17:35:11 -0700
with message-id
<ca+dqjfis_6pykuorxiwvj0_u5okdj_xpp3zadxmahhd4scc...@mail.gmail.com>
and subject line Re: Bug#673154: CVE-2012-2369: Format string security
vulnerability
has caused the Debian Bug report #673154,
regarding CVE-2012-2369: Format string security vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
673154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673154
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pidgin-otr
Version: 3.2.0-5
Severity: serious
Tags: security upstream patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin-otr.
CVE-2012-2369[0]:
| Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
| string security flaw. This flaw could potentially be exploited by
| a remote attacker to cause arbitrary code to be executed on the user's
| machine.
Upstream's patch:
--- a/otr-plugin.c
+++ b/otr-plugin.c
@@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext *conte
static void log_message_cb(void *opdata, const char *message)
{
- purple_debug_info("otr", message);
+ purple_debug_info("otr", "%s", message);
}
static int max_message_size_cb(void *opdata, ConnContext *context)
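Review bot: The fix is correct and minimal: the untrusted `message` was passed as the format argument of `purple_debug_info()`, so any `%` conversion in a received OTR log message would have been interpreted by the formatter, and supplying the literal `"%s"` format makes `message` plain data. Worth checking, while this file is open, that no other `purple_debug_*` call in otr-plugin.c passes a non-literal format, and building with `-Wformat -Wformat-security` so the compiler flags this pattern in future.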
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
I will shortly prepare an update for stable unless you wish to.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
http://security-tracker.debian.org/tracker/CVE-2012-2369
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
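An added illustration of the bug class behind CVE-2012-2369 and of the shape of the upstream fix, written for this page and not taken from pidgin-otr or libpurple: `debug_log` is an assumed stand-in for `purple_debug_info()`, `count_format_directives` is a hypothetical helper that shows how many conversions an untrusted string would inject if it were used as the format, and `log_message_safe` is the hardened pattern from the patch (literal `"%s"` format, message passed as an argument).

```c
/* Added example, not pidgin-otr code: a printf-style logger, a helper that
 * counts the conversions an untrusted string would inject if passed as the
 * format, and the hardened logging pattern used by the upstream patch. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for purple_debug_info(): variadic, printf-style.
 * The format attribute lets gcc/clang -Wformat-security warn when a
 * caller passes a non-literal format with no further arguments, which
 * is exactly the pre-patch call `purple_debug_info("otr", message)`. */
__attribute__((format(printf, 3, 4)))
static int debug_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Hypothetical helper: number of '%' conversion directives in s
 * ("%%" is a literal percent and does not count).  A remote message
 * scoring above zero would have been interpreted by the unsafe call. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* escaped percent */
            count++;
        }
    }
    return count;
}

/* Hardened form, mirroring the patched log_message_cb(): the message is
 * passed as an argument to a fixed "%s" format, so its contents are data.
 * Returns the number of characters written, as vsnprintf would. */
int log_message_safe(char *out, size_t outlen, const char *message)
{
    return debug_log(out, outlen, "%s", message);
}

int main(void)
{
    /* Constructed sample of an untrusted log message carrying conversions. */
    const char *untrusted = "peer said: %x %x %n";
    char buf[128];

    printf("directives in untrusted message: %d\n",
           count_format_directives(untrusted));
    log_message_safe(buf, sizeof buf, untrusted);
    printf("logged verbatim: %s\n", buf);
    return 0;
}
```

Compiling the block with `-Wformat -Wformat-security` is the practical takeaway: with the format attribute in place, a call such as `debug_log(buf, sizeof buf, message)` is reported at build time, while `log_message_safe` is silent and logs the message exactly as received.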
--- Begin Message ---
Version: 3.2.1-1
CVE fixed in upstream release 3.2.1
On Wed, May 16, 2012 at 7:14 AM, Thibaut VARÈNE <vare...@gmail.com> wrote:
> The update is ready; I'm about to upload it. Thx
>
> On 16 May 2012 at 06:56, Jonathan Wiltshire <j...@debian.org> wrote:
>
>> Package: pidgin-otr
>> Version: 3.2.0-5
>> Severity: serious
>> Tags: security upstream patch
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for pidgin-otr.
>>
>> CVE-2012-2369[0]:
>> | Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
>> | string security flaw. This flaw could potentially be exploited by
>> | a remote attacker to cause arbitrary code to be executed on the user's
>> | machine.
>>
>> Upstream's patch:
>>
>> --- a/otr-plugin.c
>> +++ b/otr-plugin.c
>> @@ -296,7 +296,7 @@ static void still_secure_cb(void *opdata, ConnContext
>> *conte
>>
>> static void log_message_cb(void *opdata, const char *message)
>> {
>> - purple_debug_info("otr", message);
>> + purple_debug_info("otr", "%s", message);
>> }
>>
>> static int max_message_size_cb(void *opdata, ConnContext *context)
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> I will shortly prepare an update for stable unless you wish to.
>>
>> For further information see:
>>
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2369
>> http://security-tracker.debian.org/tracker/CVE-2012-2369
>>
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers unstable
>> APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
>> 'experimental')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/bash
>>
>>
--- End Message ---