Your message dated Sat, 12 Oct 2013 19:54:03 +0000
with message-id <e1vv5gf-0008kp...@franck.debian.org>
and subject line Bug#720287: fixed in nas 1.9.3-5wheezy1
has caused the Debian Bug report #720287,
regarding nas: CVE-2013-4256 CVE-2013-4257 CVE-2013-4258
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
720287: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720287
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nas
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerabilities were published for nas (originally
reported by Hamid Zamani):
CVE-2013-4256[0]:
  Buffer Overflows
CVE-2013-4257[1]:
  Heap Overflow
CVE-2013-4258[2]:
  Format string
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Patches are also available, see [3] and [4].
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4256
    http://security-tracker.debian.org/tracker/CVE-2013-4256
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4257
    http://security-tracker.debian.org/tracker/CVE-2013-4257
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4258
    http://security-tracker.debian.org/tracker/CVE-2013-4258
[3] http://radscan.com/pipermail/nas/2013-August/001270.html
[4] http://marc.info/?l=oss-security&m=137694353908055&w=2
Please adjust the affected versions in the BTS as needed, 1.9.3 was
confirmed by the reporter, but might also be present in 1.9.2.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nas
Source-Version: 1.9.3-5wheezy1
We believe that the bug you reported is fixed in the latest version of
nas, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 720...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <93...@debian.org> (supplier of updated nas package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 28 Aug 2013 00:40:42 +0100
Source: nas
Binary: libaudio2 nas libaudio-dev nas-bin nas-doc
Architecture: source all amd64
Version: 1.9.3-5wheezy1
Distribution: stable-security
Urgency: high
Maintainer: Steve McIntyre <93...@debian.org>
Changed-By: Steve McIntyre <93...@debian.org>
Description:
 libaudio-dev - Network Audio System - development files
 libaudio2  - Network Audio System - shared libraries
 nas        - Network Audio System - local server
 nas-bin    - Network Audio System - client binaries
 nas-doc    - Network Audio System - extra documentation
Closes: 720287
Changes:
 nas (1.9.3-5wheezy1) stable-security; urgency=high
 .
   * Fixes for various long-standing security issues found by Hamid
     Zamani <m...@hamidx9.ir>. Closes: #720287
     + Validate the port offset of nasd to fix a potential buffer overflow
       (CVE-2013-4256)
     + Use better string functions to guard against heap overflows
       (CVE-2013-4257)
     + Sanity-check the TCP_DEVICE environment variable to remove a format
       string bug (CVE-2013-4258)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---