Your message dated Sat, 20 Feb 2016 18:52:38 +0000
with message-id <e1axcdy-0007z4...@franck.debian.org>
and subject line Bug#814067: fixed in xdelta3 3.0.8-dfsg-1+deb8u1
has caused the Debian Bug report #814067,
regarding xdelta3: CVE-2014-9765: buffer overflow in main_get_appheader
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
814067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xdelta3
Severity: grave
Tags: security upstream fixed-upstream

xdelta3 before 3.0.9 contains a buffer overflow which allows arbitrary
code execution from input files, at least on some systems.

3.0.0.dfsg-1 and 3.0.8-dfsg-1 are definitely affected.

On 08.02.2016 at 06:57:12 +0100 Salvatore Bonaccorso wrote:
> On Sun, Feb 07, 2016 at 07:05:12PM +0400, Stepan Golosunov wrote:
> > This appears to be fixed in xdelta3 3.0.9 and later via
> > https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
> > but not in Debian.
> > 
> > What should be done next? Should I open a bug?
> 
> Yes, since the commit is in the public git repo I think it is best to
> open a bug in the Debian BTS.

> p.s.: Just noticed there seem to be two git repositories by jmacd, the
>       commit is as well in
>       
> https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8

README.md says that this repository contains old data from
https://code.google.com/p/xdelta. Newer code and releases are
currently only in xdelta-devel.

--- End Message ---
--- Begin Message ---
Source: xdelta3
Source-Version: 3.0.8-dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
xdelta3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 814...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated xdelta3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 Feb 2016 12:41:53 +0100
Source: xdelta3
Binary: xdelta3
Architecture: source
Version: 3.0.8-dfsg-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: A Mennucc1 <mennu...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 740284 814067
Description: 
 xdelta3    - Diff utility which works with binary files
Changes:
 xdelta3 (3.0.8-dfsg-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix LZMA tests (Closes: #740284)
   * CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067)
Checksums-Sha1: 
 c78ccd49f5e4eb791515f553b4d7fe7f0a9ba950 1736 xdelta3_3.0.8-dfsg-1+deb8u1.dsc
 e4a1c3a4a650c1a44032391bfd6fbe80022c78a6 416036 xdelta3_3.0.8-dfsg.orig.tar.xz
 b4917eec708aa4b64cee7489cbf24f25fe8008bd 14232 xdelta3_3.0.8-dfsg-1+deb8u1.debian.tar.xz
Checksums-Sha256: 
 65de963b5dc37512a5f41cdc26bf66852d48fbd2ce23af6626a23ce4e29fed59 1736 xdelta3_3.0.8-dfsg-1+deb8u1.dsc
 c00128a290ff922894206ad56ab0ca2cff9d29dd8ab992726b7d314f0a1a4345 416036 xdelta3_3.0.8-dfsg.orig.tar.xz
 d8358f03d20bc1f63940a6a4b23e5e6fdb995eec6d33c4511eb9a3d58c1bba84 14232 xdelta3_3.0.8-dfsg-1+deb8u1.debian.tar.xz
Files: 
 88e83e2862dc9c144b3add39b72c5c2b 1736 utils optional xdelta3_3.0.8-dfsg-1+deb8u1.dsc
 712bcf8532a0c7aaa827200918e60e9e 416036 utils optional xdelta3_3.0.8-dfsg.orig.tar.xz
 59d806097d5d756c6d1228c8c1653148 14232 utils optional xdelta3_3.0.8-dfsg-1+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
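As an added example, not part of the Debian BTS mail, the xdelta3 package or Debian's own tooling: a check a downstream user can run on the source files listed in the .changes block above. It parses the Checksums-Sha256 stanza of a .changes file and compares downloaded files against it by size and SHA-256. The stanza text embedded below is copied from the message; the demo file names (good.bin, short.bin, tampered.bin, absent.bin) and the helper names are constructed for this example, and the real .dsc and tar.xz files are not fetched.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes
file. Added example; not xdelta3 or Debian code. The sample stanza is the
one quoted in the security upload above; the demo files are constructed."""
import hashlib
import os
import tempfile

# Constructed sample: the .changes fields from the mail above, with the
# checksum lines unwrapped (the mail archive folded them).
CHANGES_SAMPLE = """\
Format: 1.8
Source: xdelta3
Version: 3.0.8-dfsg-1+deb8u1
Checksums-Sha256:
 65de963b5dc37512a5f41cdc26bf66852d48fbd2ce23af6626a23ce4e29fed59 1736 xdelta3_3.0.8-dfsg-1+deb8u1.dsc
 c00128a290ff922894206ad56ab0ca2cff9d29dd8ab992726b7d314f0a1a4345 416036 xdelta3_3.0.8-dfsg.orig.tar.xz
 d8358f03d20bc1f63940a6a4b23e5e6fdb995eec6d33c4511eb9a3d58c1bba84 14232 xdelta3_3.0.8-dfsg-1+deb8u1.debian.tar.xz
Files:
 88e83e2862dc9c144b3add39b72c5c2b 1736 utils optional xdelta3_3.0.8-dfsg-1+deb8u1.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum field.

    In the .changes format the field line itself carries no value; every
    entry is a continuation line (leading whitespace) of the form
    "<digest> <size> <name>", and the first non-indented line ends it.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if not line.startswith((" ", "\t")):
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            # Never let a .changes line steer the verifier out of its directory.
            if os.sep in name or "/" in name or name in ("", ".", ".."):
                raise ValueError("unsafe file name in .changes: %r" % name)
            entries[name] = (digest.lower(), int(size))
        elif line.startswith(field + ":"):
            in_field = True
    if not entries:
        raise ValueError("no %s stanza found" % field)
    return entries


def sha256_file(path):
    """Stream the file so a 400 KiB tarball (or a much larger one) is not
    read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries, directory):
    """Return {name: status} with status one of "ok", "missing",
    "size-mismatch" or "sha256-mismatch". Size is checked first because it
    is cheap and the .changes file states it; the digest only for files of
    the right size."""
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Stand-alone run on constructed files: one intact, one truncated, one
    altered in place (same length) and one absent. Returns the status map."""
    good = b"constructed payload, stands in for a source tarball\n"
    bad = good[:-2] + b"!\n"  # same length, different content
    digest = hashlib.sha256(good).hexdigest()
    stanza = "Checksums-Sha256:\n" + "".join(
        " %s %d %s\n" % (digest, len(good), n)
        for n in ("good.bin", "short.bin", "tampered.bin", "absent.bin"))
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.bin"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "short.bin"), "wb") as f:
            f.write(good[:-1])
        with open(os.path.join(d, "tampered.bin"), "wb") as f:
            f.write(bad)
        return verify_files(parse_checksums(stanza), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(name, status)
```

This checks integrity only: that the files on disk are the ones the .changes describes. Whether the .changes itself is genuine is a separate question answered by its PGP signature (the signed block above), which `gpg --verify` or `dscverify` from devscripts checks against the Debian keyring. To confirm the fix is installed on a jessie host, compare the installed version with Debian ordering rather than string comparison, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' xdelta3)" ge 3.0.8-dfsg-1+deb8u1`.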
