Your message dated Fri, 21 Jul 2006 02:32:15 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#379064: fixed in libdumb 1:0.9.3-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libdumb
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3668: "Heap-based buffer overflow in the it_read_envelope
function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and
earlier, and current CVS as of 20060716, allows user-complicit attackers
to execute arbitrary code via a ".it" (Impulse Tracker) file with an
enveloper with a large number of nodes."

There is a proof-of-concept exploit [1] in the original advisory [2].  I
have not verified the issue.  Sarge is probably vulnerable.  I do not
see an upstream patch, but the original advisory suggests that the issue
will be fixed in the next version.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://aluigi.org/poc/dumbit.zip
[2] http://aluigi.altervista.org/adv/dumbit-adv.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEwAMzAud/2YgchcQRAnROAKCAbMTcW5DcUY9cNysbNEC1cgKznQCgxeZU
bHCS1r8WWutRKUbCIaRRHw8=
=26dP
-----END PGP SIGNATURE-----


--- End Message ---
--- Begin Message ---
Source: libdumb
Source-Version: 1:0.9.3-5

We believe that the bug you reported is fixed in the latest version of
libdumb, which is due to be installed in the Debian FTP archive:

libaldmb1-dev_0.9.3-5_i386.deb
  to pool/main/libd/libdumb/libaldmb1-dev_0.9.3-5_i386.deb
libaldmb1_0.9.3-5_i386.deb
  to pool/main/libd/libdumb/libaldmb1_0.9.3-5_i386.deb
libdumb1-dev_0.9.3-5_i386.deb
  to pool/main/libd/libdumb/libdumb1-dev_0.9.3-5_i386.deb
libdumb1_0.9.3-5_i386.deb
  to pool/main/libd/libdumb/libdumb1_0.9.3-5_i386.deb
libdumb_0.9.3-5.diff.gz
  to pool/main/libd/libdumb/libdumb_0.9.3-5.diff.gz
libdumb_0.9.3-5.dsc
  to pool/main/libd/libdumb/libdumb_0.9.3-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated libdumb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Jul 2006 11:07:45 +0200
Source: libdumb
Binary: libdumb1 libaldmb1-dev libaldmb1 libdumb1-dev
Architecture: source i386
Version: 1:0.9.3-5
Distribution: unstable
Urgency: critical
Maintainer: Debian allegro packages maintainers <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description: 
 libaldmb1  - dynamic universal music bibliotheque, Allegro version
 libaldmb1-dev - development files for libaldmb1
 libdumb1   - dynamic universal music bibliotheque
 libdumb1-dev - development files for libdumb1
Closes: 379064
Changes: 
 libdumb (1:0.9.3-5) unstable; urgency=critical
 .
   * Set urgency=critical because of security fix.
 .
   * debian/patches/100_CVE-2006-3668.diff:
     + Fix for CVE-2006-3668 "Heap-based buffer overflow in the it_read_envelope
       function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and
       earlier, and current CVS as of 20060716, allows user-complicit attackers
       to execute arbitrary code via a ".it" (Impulse Tracker) file with an
       enveloper with a large number of nodes." (Closes: #379064).
 .
   * debian/control:
     + Set policy to 3.7.2.
Files: 
 b91cf1acdf25110b2fbd49f169c81e63 754 libs optional libdumb_0.9.3-5.dsc
 6be3173f27c100781014fa249fc0cf08 4379 libs optional libdumb_0.9.3-5.diff.gz
 bb9c024fc6cdd245466504f0badcdf0d 203864 libs optional libdumb1_0.9.3-5_i386.deb
 e9ca3705673588d00f090370cef275a8 122542 libdevel optional libdumb1-dev_0.9.3-5_i386.deb
 383209af6c5cc6228e825fc087ee6e26 94544 libs optional libaldmb1_0.9.3-5_i386.deb
 4a7cea7289d8092aa6e32097c0398c11 4956 libdevel optional libaldmb1-dev_0.9.3-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEwJuKfPP1rylJn2ERAm6kAJ0V2q34Kn4AMws5TIzFcsAB9WI34gCdHZoN
F4m6LkVNZ7ZpnHy1uKfc3WM=
=M0YY
-----END PGP SIGNATURE-----


--- End Message ---
