Your message dated Fri, 11 Nov 2005 11:17:22 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#299236: fixed in lesstif1-1 1:0.93.94-12
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Mar 2005 19:01:38 +0000
From [EMAIL PROTECTED] Thu Mar 10 11:01:38 2005
Return-path: <[EMAIL PROTECTED]>
Received: from cpe-65-26-182-85.indy.res.rr.com (sisyphus.deadbeast.net) [65.26.182.85]
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D9Sug-0006v1-00; Thu, 10 Mar 2005 11:01:38 -0800
Received: by sisyphus.deadbeast.net (Postfix, from userid 1000)
        id 18D7E68C024; Thu, 10 Mar 2005 14:01:37 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Branden Robinson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libxpm4: new buffer overflow security hole (CAN-2005-0605)
X-Mailer: reportbug 3.8
Date: Thu, 10 Mar 2005 14:01:37 -0500
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: libxpm4
Version: 4.3.0.dfsg.1-12
Severity: grave
Tags: security, upstream, fixed-upstream, patch

CAN-2005-0605 indicates that "scan.c for LibXPM may allow attackers to
execute arbitrary code via a negative bitmap_unit value that leads to a
buffer overflow."

Patch is here:

https://bugs.freedesktop.org/attachment.cgi?id=1909

Description is here:

https://bugs.freedesktop.org/show_bug.cgi?id=1920

Gentoo issued an advisory about this on 4 March.

Ubuntu issued an advisory about this on 7 March.

I learned about this from Linux Weekly News.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libxpm4 depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information

---------------------------------------
Received: (at 299236-close) by bugs.debian.org; 11 Nov 2005 19:26:00 +0000
From [EMAIL PROTECTED] Fri Nov 11 11:26:00 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
        id 1EaeOo-0000vl-Ca; Fri, 11 Nov 2005 11:17:22 -0800
From: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#299236: fixed in lesstif1-1 1:0.93.94-12
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 11 Nov 2005 11:17:22 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: lesstif1-1
Source-Version: 1:0.93.94-12

We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:

lesstif-dev_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif-dev_0.93.94-12_i386.deb
lesstif1-1_0.93.94-12.diff.gz
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.diff.gz
lesstif1-1_0.93.94-12.dsc
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.dsc
lesstif1_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif1_0.93.94-12_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated lesstif1-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description: 
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif1   - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes: 
 lesstif1-1 (1:0.93.94-12) unstable; urgency=low
 .
   * Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
     for their work (Closes: #294099, #298183, #299236, #279402, #287187).
   * Upstream dropped support for lesstif1. This package will generate lesstif1
     binaries only. When all Debian packages have been migrated to lesstif2 it
     will be discontinued.
   * debian/control:
     + Set policy to 3.6.2.1.
     + Build-depend on debhelper >= 4.0.
     + No longer build-depend on autoconf, automake and libtool
       (Closes: #335132).
   * Rebootstrapped "." and "test".
Files:
 948f4b89b5889b4a3f6c6eb0a39b847d 760 libs optional lesstif1-1_0.93.94-12.dsc
 f3d89e0f89995ccbc64bf51ea8a827d4 361215 libs optional lesstif1-1_0.93.94-12.diff.gz
 f4e01a69dd32775258ff71d8b362183c 603924 libs optional lesstif1_0.93.94-12_i386.deb
 8ed2ce8f8352e0a8850cf5f55da4308c 812750 libdevel optional lesstif-dev_0.93.94-12_i386.deb
