Your message dated Wed, 16 Nov 2005 09:17:08 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#339431: fixed in gtk+2.0 2.6.10-2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Nov 2005 09:17:36 +0000
>From [EMAIL PROTECTED] Wed Nov 16 01:17:36 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org ([193.22.164.111] helo=vserver151.vserver151.serverflex.de)
	by spohr.debian.org with esmtp (Exim 4.50)
	id 1EcJQ7-0006Do-Pd
	for [EMAIL PROTECTED]; Wed, 16 Nov 2005 01:17:35 -0800
Received: from wlan-client-004.informatik.uni-bremen.de ([134.102.116.5] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50) id 1EcJQ4-0006J7-RE
	for [EMAIL PROTECTED]; Wed, 16 Nov 2005 10:17:32 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.54)
	id 1EcJPw-0001PW-KK; Wed, 16 Nov 2005 10:17:24 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
X-Mailer: reportbug 3.17
Date: Wed, 16 Nov 2005 10:17:24 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 134.102.116.5
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0
	required=4.0 tests=BAYES_00,HAS_PACKAGE,X_DEBBUGS_CC autolearn=ham
	version=2.60-bugs.debian.org_2005_01_02

Package: gtk+2.0
Severity: grave
Tags: security
Justification: user security hole

An integer overflow in gdk-pixbuf's XPM rendering code can be exploited to overwrite the heap and execute arbitrary code through crafted images. Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities for more details.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 339431-close) by bugs.debian.org; 16 Nov 2005 17:21:32 +0000
>From [EMAIL PROTECTED] Wed Nov 16 09:21:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EcQuC-0002HP-6m; Wed, 16 Nov 2005 09:17:08 -0800
From: Sebastien Bacher <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#339431: fixed in gtk+2.0 2.6.10-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 16 Nov 2005 09:17:08 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.8 required=4.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
	HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 4

Source: gtk+2.0
Source-Version: 2.6.10-2

We believe that the bug you reported is fixed in the latest version of gtk+2.0, which is due to be installed in the Debian FTP archive:

gtk+2.0_2.6.10-2.diff.gz
  to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.diff.gz
gtk+2.0_2.6.10-2.dsc
  to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.dsc
gtk2-engines-pixbuf_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.6.10-2_i386.deb
gtk2.0-examples_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/gtk2.0-examples_2.6.10-2_i386.deb
libgtk2.0-0-dbg_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.6.10-2_i386.deb
libgtk2.0-0_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-0_2.6.10-2_i386.deb
libgtk2.0-bin_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-bin_2.6.10-2_i386.deb
libgtk2.0-common_2.6.10-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-common_2.6.10-2_all.deb
libgtk2.0-dev_2.6.10-2_i386.deb
  to pool/main/g/gtk+2.0/libgtk2.0-dev_2.6.10-2_i386.deb
libgtk2.0-doc_2.6.10-2_all.deb
  to pool/main/g/gtk+2.0/libgtk2.0-doc_2.6.10-2_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Bacher <[EMAIL PROTECTED]> (supplier of updated gtk+2.0 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 16 Nov 2005 16:56:39 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.6.10-2
Distribution: unstable
Urgency: medium
Maintainer: Sebastien Bacher <[EMAIL PROTECTED]>
Changed-By: Sebastien Bacher <[EMAIL PROTECTED]>
Description: 
 gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
 gtk2.0-examples - Examples files for the GTK+ 2.0
 libgtk2.0-0 - The GTK+ graphical user interface library
 libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
 libgtk2.0-bin - The programs for the GTK+ graphical user interface library
 libgtk2.0-common - Common files for the GTK+ graphical user interface library
 libgtk2.0-dev - Development files for the GTK+ library
 libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 309437 315083 323209 339431
Changes: 
 gtk+2.0 (2.6.10-2) unstable; urgency=medium
 .
   [ Sebastien Bacher ]
   * Patch from Ubuntu update, thanks Martin Pitt.
   * SECURITY UPDATE: Arbitrary code execution and DoS.
   * Add debian/patches/010_xpm-colors-overflow_CVE-2005-3186.patch:
     - io-xpm.c: Add check to XPM reader to prevent integer overflow for
       specially crafted number of colors (Closes: #339431).
     - CVE-2005-3186
   * Add debian/patches/011_xpm-colors-loop_CVE-2005-2975.patch:
     - io-xpm.c: Fix endless loop with specially crafted number of colors.
     - CVE-2005-2975
 .
   * debian/rules:
     - fix confusing cp usage.
 .
   [ Loic Minier ]
 .
   * Update FSF address. [debian/copyright]
   * Remove "Copyright:" line, the whole file expresses the copyright already.
     (Closes: #323209) [debian/copyright]
   * Backport patch from the 2.8 branch removing the warning introduced
     somewhere in 2.6 when length wraps in calculation in gdk_property_get.
     (Closes: #315083) [debian/patches/064_gdk-property-get-no-warning.patch]
   * Add ${misc:Depends} to all packages.
   * Remove libgtk2.0-0 dependency from libgtk2.0-common to break the circular
     dependency; cross your fingers, don't hold your breath.
     (Closes: #309437)
Files: 
 3563b30a4289c32184c55ba195036708 2141 libs optional gtk+2.0_2.6.10-2.dsc
 6b971feecb17c4791472aa96acdea3a3 47597 libs optional gtk+2.0_2.6.10-2.diff.gz
 7c5d80d99cae36830180239b26a493fa 3138308 misc optional libgtk2.0-common_2.6.10-2_all.deb
 af323f59755f3e06ffae3e6b13d3e3aa 2328124 doc optional libgtk2.0-doc_2.6.10-2_all.deb
 eb201ab2646f4cea2663316c08514ed2 2052200 libs optional libgtk2.0-0_2.6.10-2_i386.deb
 894a6ec816c55e5bc085d911a55afb8f 18192 misc optional libgtk2.0-bin_2.6.10-2_i386.deb
 fae0ba120610c486f2a5515eeb61f351 2208758 libdevel optional libgtk2.0-dev_2.6.10-2_i386.deb
 7f70323d835bea802bafd6096a610992 3533168 libdevel extra libgtk2.0-0-dbg_2.6.10-2_i386.deb
 4dc3b71e3311d5cffa8496d6790f924b 281144 x11 extra gtk2.0-examples_2.6.10-2_i386.deb
 2e7ece79ea1ec06a22a05de5cf3e7057 65358 graphics optional gtk2-engines-pixbuf_2.6.10-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDe2QPQxo87aLX0pIRAqNNAJ90/qfcwJjzU3NaowscTVjDY79lZwCgr1jX
1s2lgI1Zb20EQSzGlh2jTDg=
=nUeE
-----END PGP SIGNATURE-----
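The kind of check the changelog entry for CVE-2005-3186 describes (bounding a crafted number of colours before the colour table is sized), shown here as an added C illustration that is not the io-xpm.c patch or any gdk-pixbuf code. The struct and function names, the INT_MAX bound and the cpp sanity cap are assumptions; the two XPM values lines are constructed inputs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed XPM "values" line: "<width> <height> <ncolors> <chars-per-pixel>". */
typedef struct { int width, height, n_col, cpp; } xpm_hdr;

/* Parse the values line; returns 0 on success, -1 when it is malformed. */
static int xpm_parse_values(const char *line, xpm_hdr *h) {
    if (sscanf(line, "%d %d %d %d", &h->width, &h->height, &h->n_col, &h->cpp) != 4)
        return -1;
    return 0;
}

/* Unchecked shape of the computation: n_col entries of (cpp + 1) bytes, done in
 * 32-bit arithmetic. A crafted n_col makes the product wrap to a small value, so
 * the colour table is under-allocated and later writes run past the heap block.
 * (Illustration of the bug class, not the io-xpm.c code.) */
static uint32_t xpm_color_table_size_unchecked(const xpm_hdr *h) {
    return (uint32_t)h->n_col * ((uint32_t)h->cpp + 1u);
}

/* Hardened form: reject non-positive fields and an implausible cpp (the cap of
 * 8 is an assumption), then bound n_col so that n_col * (cpp + 1) fits an int
 * before multiplying. Returns 0 when the header is rejected. */
static size_t xpm_color_table_size_checked(const xpm_hdr *h) {
    if (h->width <= 0 || h->height <= 0 || h->n_col <= 0 || h->cpp <= 0 || h->cpp > 8)
        return 0;
    if (h->n_col > INT_MAX / (h->cpp + 1))   /* product would overflow */
        return 0;
    return (size_t)h->n_col * ((size_t)h->cpp + 1);  /* cpp chars plus NUL */
}

int main(void) {
    /* Constructed values lines: a benign 2-colour icon and a crafted colour
     * count chosen so that 2^30 * (3 + 1) wraps to 0 in 32 bits. */
    const char *lines[] = { "16 16 2 1", "16 16 1073741824 3" };
    for (int i = 0; i < 2; i++) {
        xpm_hdr h;
        if (xpm_parse_values(lines[i], &h) != 0) continue;
        printf("%-20s unchecked=%u checked=%zu\n", lines[i],
               xpm_color_table_size_unchecked(&h), xpm_color_table_size_checked(&h));
    }
    return 0;
}
```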