Your message dated Mon, 16 Jan 2006 09:32:10 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#344398: fixed in blender 2.40-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Dec 2005 13:30:48 +0000
>From [EMAIL PROTECTED] Thu Dec 22 05:30:48 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org ([193.22.164.111]
helo=vserver151.vserver151.serverflex.de)
by spohr.debian.org with esmtp (Exim 4.50)
id 1EpQWu-00038u-CL
for [EMAIL PROTECTED]; Thu, 22 Dec 2005 05:30:48 -0800
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
id 1EpQWt-0003Zd-9S; Thu, 22 Dec 2005 14:30:47 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CVE-2005-4470: Integer overhead in header parser for .blend import
X-Mailer: reportbug 3.17
Date: Thu, 22 Dec 2005 14:30:46 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: blender
Version: 2.37a-1.1
Severity: grave
Tags: security
Justification: user security hole
An integer overflow in the header parser for .blend files can potentially
be exploited to execute code through a heap overflow. Please see
http://www.overflow.pl/adv/blenderinteger.txt for details.
This is CVE-2005-4470.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
---------------------------------------
Received: (at 344398-close) by bugs.debian.org; 16 Jan 2006 17:41:51 +0000
>From [EMAIL PROTECTED] Mon Jan 16 09:41:51 2006
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1EyYDC-0003fj-Vt; Mon, 16 Jan 2006 09:32:10 -0800
From: Florian Ernst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.65 $
Subject: Bug#344398: fixed in blender 2.40-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 16 Jan 2006 09:32:10 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: blender
Source-Version: 2.40-1
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.40-1.diff.gz
to pool/main/b/blender/blender_2.40-1.diff.gz
blender_2.40-1.dsc
to pool/main/b/blender/blender_2.40-1.dsc
blender_2.40-1_i386.deb
to pool/main/b/blender/blender_2.40-1_i386.deb
blender_2.40.orig.tar.gz
to pool/main/b/blender/blender_2.40.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Ernst <[EMAIL PROTECTED]> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 16 Jan 2006 16:44:39 +0100
Source: blender
Binary: blender
Architecture: source i386
Version: 2.40-1
Distribution: unstable
Urgency: high
Maintainer: Debian Blender Maintainers <[EMAIL PROTECTED]>
Changed-By: Florian Ernst <[EMAIL PROTECTED]>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 307811 333958 344398 345442 346144
Changes:
blender (2.40-1) unstable; urgency=high
.
[ Wouter van Heyst ]
* Switch to team based maintenance
* New upstream release - closes: #345442, #346144
+ fixes CVE-2005-4470: Integer overhead in header parser for .blend import
- closes: #344398, urgency=high
* Acknowledge NMU - closes: #333958
.
[ Florian Ernst ]
* New upstream release includes own fixes for building on amd64/gcc4.0;
adjusting debian/patches/03_amd64_gcc40_fix.dpatch and then stop applying
it as it is apparently not needed anymore
* Add debian/patches/SConstruct.diff as well as debian/README.Alioth-CVS
explaining how to use it when building from upstream source + Alioth-CVS
* Add missing build-dependency on libgettextpo-dev, drop hardcoded Depends
on gettext - closes: #307811
* Add Build-Depends on libtiff4-dev for building and Suggests on libtiff4
for dlopen()'ing
* Add README.Debian explaining graphics issues such as random crashes and
interface weirdness, this might eventually be sufficient for resolving
bugs like #299441 and friends...
* Substitute 02_tmp_in_HOME.dpatch for 02_quit_blend_in_homedir.dpatch to
make sure all temporary user data (such as e.g. autosave files) is put
in $HOME/.blender in order to avoid a symlink attack, see bug#298167
* Extend 04_de_po_fix.dpatch
* Remove Conflicts/Replaces on blender-powerpc as this package only exists
in oldstable
* Streamline debian/rules, removing some unneeded cruft
* debian/control: add upstream homepage
* README.Debian: added note about quit.blend now being found in
$HOME/.blender
* debian/watch: added
* Merge (and extend) Ubuntu adjustments as applied by Daniel Holbach
+ ${python:Depends} and dh_python
+ auto-update config.guess via autotools-dev
* debian/source.lintian-overrides: added
* debian/blender.1: escape hyphens where necessary
Files:
3a0fc1a0c4a6ccdf17b97bdeb0c9b7bb 956 graphics optional blender_2.40-1.dsc
3b58026ca9d0b26292ef39d7e2353f31 9298365 graphics optional
blender_2.40.orig.tar.gz
1ec60ee9f6e1e1b4afa3fb843586bcf4 15837 graphics optional blender_2.40-1.diff.gz
bf683f3bcc96e9d744205c23821b0f5d 5022926 graphics optional
blender_2.40-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDy9G9s3U+TVFLPnwRAqHoAJ4xOLsbIecMtVkGVeJAQFaYN//FPwCeLmKL
0W11UFWSW5qjERVpRf6rwII=
=HuOC
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
