Your message dated Wed, 02 Aug 2006 11:02:11 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#380364: fixed in cheesetracker 0.9.9-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cheesetracker
Version: 0.9.9-1 0.9.9-5
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3814: "Buffer overflow in the
Loader_XM::load_instrument_internal function in loader_xm.cpp for Cheese
Tracker 0.9.9 and earlier allows user-assisted attackers to execute
arbitrary code via a crafted file with a large amount of extra data."
I have confirmed this issue with both sarge's and sid's version of
cheesetracker. A sample exploit [1] was included in the original report
[2]. I do not believe a patch is available.
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://aluigi.org/poc/cheesebof.zip
[2] http://aluigi.altervista.org/adv/cheesebof-adv.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEy3ZVAud/2YgchcQRAjF1AKCaNDkUWiMgYlaqUSkjGzRsk0AMpgCeIKbH
KCBHGaofbXVoBpn1Im/qToc=
=4fQX
-----END PGP SIGNATURE-----
--- End Message ---
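The CVE text above describes the bug class rather than the fix: a loader takes a header size from the file, subtracts the fixed fields, and copies the remainder into a fixed buffer without checking the result. The following is an added C example of the bounds-checked parsing a loader should do instead; it is not cheesetracker's code and not the patch shipped in 0.9.9-6. The 29-byte fixed layout (size, name, type, sample count) follows the commonly documented XM instrument header, but the 256-byte reserve, the status codes and the function names are this example's own assumptions, and the input it parses is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed part of an XM instrument header: 4-byte header size, 22-byte name,
 * 1-byte type, 2-byte sample count (29 bytes). The loader keeps at most
 * MAX_EXTRA_BYTES of whatever the file declares beyond those fields. */
#define KNOWN_HEADER_BYTES 29u
#define MAX_EXTRA_BYTES    256u   /* hypothetical reserve; size it to what the loader really needs */

enum load_status { LOAD_TRUNCATED = -1, LOAD_BAD_SIZE = -2 };

struct instrument_hdr {
    char     name[23];                 /* 22 bytes + NUL */
    uint8_t  type;
    uint16_t sample_count;
    uint8_t  extra[MAX_EXTRA_BYTES];   /* bounded copy of the trailing header bytes */
    uint32_t extra_len;
};

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one instrument header from buf[0..len).
 * Returns the number of bytes the header occupies (> 0) on success, or a
 * negative load_status. The file-supplied header size is validated against
 * both the remaining file length and the space reserved in the struct before
 * any byte is copied; an unchecked "copy header_size - 29 bytes into a fixed
 * array" is the pattern the CVE in the report describes. */
long load_instrument_header(const uint8_t *buf, size_t len, struct instrument_hdr *out)
{
    if (len < KNOWN_HEADER_BYTES)
        return LOAD_TRUNCATED;                 /* not even the fixed fields are present */

    uint32_t header_size = rd_u32le(buf);
    if (header_size < KNOWN_HEADER_BYTES)
        return LOAD_BAD_SIZE;                  /* would underflow the extra-length subtraction */

    uint32_t extra = header_size - KNOWN_HEADER_BYTES;
    if (extra > MAX_EXTRA_BYTES)
        return LOAD_BAD_SIZE;                  /* the bound the file must never be allowed to set */
    if (header_size > len)
        return LOAD_TRUNCATED;                 /* header claims more bytes than the file holds */

    memcpy(out->name, buf + 4, 22);
    out->name[22] = '\0';
    out->type = buf[26];
    out->sample_count = rd_u16le(buf + 27);
    memcpy(out->extra, buf + KNOWN_HEADER_BYTES, extra);
    out->extra_len = extra;
    return (long)header_size;
}

/* Constructed test input: a zero-filled file image of file_len bytes whose
 * first field is header_size. Returns what load_instrument_header says about it. */
long demo_parse(uint32_t header_size, size_t file_len)
{
    uint8_t file[512];
    struct instrument_hdr hdr;
    memset(file, 0, sizeof file);
    if (file_len > sizeof file)
        file_len = sizeof file;
    file[0] = (uint8_t)(header_size & 0xff);
    file[1] = (uint8_t)((header_size >> 8) & 0xff);
    file[2] = (uint8_t)((header_size >> 16) & 0xff);
    file[3] = (uint8_t)((header_size >> 24) & 0xff);
    memcpy(file + 4, "constructed", 11);       /* instrument name, fits in the 22-byte field */
    return load_instrument_header(file, file_len, &hdr);
}

int main(void)
{
    printf("sane header (33 bytes in a 40-byte file): %ld\n", demo_parse(33, 40));
    printf("header_size 0xFFFFFFFF:                  %ld\n", demo_parse(0xFFFFFFFFu, 40));
    printf("header extends past end of file:         %ld\n", demo_parse(100, 40));
    return 0;
}
```

The order of the checks matters: the lower bound on header_size comes first so the subtraction cannot wrap, the reserve check comes before the file-length check so a huge declared size is rejected as malformed rather than merely truncated, and no memcpy runs until both bounds hold.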
--- Begin Message ---
Source: cheesetracker
Source-Version: 0.9.9-6
We believe that the bug you reported is fixed in the latest version of
cheesetracker, which is due to be installed in the Debian FTP archive:
cheesetracker_0.9.9-6.diff.gz
to pool/main/c/cheesetracker/cheesetracker_0.9.9-6.diff.gz
cheesetracker_0.9.9-6.dsc
to pool/main/c/cheesetracker/cheesetracker_0.9.9-6.dsc
cheesetracker_0.9.9-6_i386.deb
to pool/main/c/cheesetracker/cheesetracker_0.9.9-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Wesley J. Landaker <[EMAIL PROTECTED]> (supplier of updated cheesetracker
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 2 Aug 2006 10:31:35 -0600
Source: cheesetracker
Binary: cheesetracker
Architecture: source i386
Version: 0.9.9-6
Distribution: unstable
Urgency: high (security)
Maintainer: Wesley J. Landaker <[EMAIL PROTECTED]>
Changed-By: Wesley J. Landaker <[EMAIL PROTECTED]>
Description:
cheesetracker - sound module tracking program (IT - Impulse Tracker clone)
Closes: 380364
Changes:
cheesetracker (0.9.9-6) unstable; urgency=high (security)
.
* Fix CVE-2006-3814 (XM loading buffer overflow) (closes: #380364)
Files:
f840e22ff952597c3cb929702ab2788c 712 sound optional cheesetracker_0.9.9-6.dsc
cfde6dc229ae1a5429f79addfdd880a9 18827 sound optional cheesetracker_0.9.9-6.diff.gz
83e3999e6429465e9b8eb1bf43c3c297 942272 sound optional cheesetracker_0.9.9-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFE0Ofh8KmKTEzW49IRAlc6AJ9dcjqkGzWSd/sIs+XbtssxITCiTACeOFjn
5iKvtNq9Q408c4DySSNSQjQ=
=M3dv
-----END PGP SIGNATURE-----
--- End Message ---