Your message dated Wed, 30 Aug 2006 23:02:27 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#379064: fixed in libdumb 1:0.9.2-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libdumb
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3668: "Heap-based buffer overflow in the it_read_envelope
function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and
earlier, and current CVS as of 20060716, allows user-complicit attackers
to execute arbitrary code via a ".it" (Impulse Tracker) file with an
enveloper with a large number of nodes."
There is a proof-of-concept exploit [1] in the original advisory [2]. I
have not verified the issue. Sarge is probably vulnerable. I do not
see an upstream patch, but the original advisory suggests that the issue
will be fixed in the next version.
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://aluigi.org/poc/dumbit.zip
[2] http://aluigi.altervista.org/adv/dumbit-adv.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEwAMzAud/2YgchcQRAnROAKCAbMTcW5DcUY9cNysbNEC1cgKznQCgxeZU
bHCS1r8WWutRKUbCIaRRHw8=
=26dP
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: libdumb
Source-Version: 1:0.9.2-6
We believe that the bug you reported is fixed in the latest version of
libdumb, which is due to be installed in the Debian FTP archive:
libaldmb0-dev_0.9.2-6_i386.deb
to pool/main/libd/libdumb/libaldmb0-dev_0.9.2-6_i386.deb
libaldmb0_0.9.2-6_i386.deb
to pool/main/libd/libdumb/libaldmb0_0.9.2-6_i386.deb
libdumb0-dev_0.9.2-6_i386.deb
to pool/main/libd/libdumb/libdumb0-dev_0.9.2-6_i386.deb
libdumb0_0.9.2-6_i386.deb
to pool/main/libd/libdumb/libdumb0_0.9.2-6_i386.deb
libdumb_0.9.2-6.diff.gz
to pool/main/libd/libdumb/libdumb_0.9.2-6.diff.gz
libdumb_0.9.2-6.dsc
to pool/main/libd/libdumb/libdumb_0.9.2-6.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated libdumb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 21 Jul 2006 11:07:45 +0200
Source: libdumb
Binary: libaldmb0-dev libaldmb0 libdumb0-dev libdumb0
Architecture: source i386
Version: 1:0.9.2-6
Distribution: stable-security
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description:
libaldmb0 - dynamic universal music bibliotheque, allegro version
libaldmb0-dev - development files for libaldmb0
libdumb0 - dynamic universal music bibliotheque
libdumb0-dev - development files for libdumb0
Closes: 379064
Changes:
libdumb (1:0.9.2-6) stable-security; urgency=high
.
* src/it/itread.c:
+ Fix for CVE-2006-3668 "Heap-based buffer overflow in the it_read_envelope
function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and
earlier, and current CVS as of 20060716, allows user-complicit attackers
to execute arbitrary code via a ".it" (Impulse Tracker) file with an
enveloper with a large number of nodes." (Closes: #379064).
Files:
32242f365a1433e66ca9e46a004523df 634 libs optional libdumb_0.9.2-6.dsc
0ce45f64934e6d5d7b82a55108596680 145722 libs optional libdumb_0.9.2.orig.tar.gz
65aa4b7596e81c622e830bbe1d32ff22 3914 libs optional libdumb_0.9.2-6.diff.gz
ead6a0b39172a059491c864b9985101f 108496 libs optional libdumb0_0.9.2-6_i386.deb
a0d02ff38ef6791845756ca2394a4bc5 47478 libdevel optional libdumb0-dev_0.9.2-6_i386.deb
1c721ae454752d3a252f1cfc9a773d41 74484 libs optional libaldmb0_0.9.2-6_i386.deb
e4b77e2545480a205f675e39017efc58 4738 libdevel optional libaldmb0-dev_0.9.2-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEwQSOXm3vHE4uyloRAr8cAKDlhjg3bz8EvGrDjilhuKe0gjFNFQCguT1Q
5tiomedTMa9ysqsr29fgVvo=
=+I7H
-----END PGP SIGNATURE-----
--- End Message ---
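The bug report and the changelog entry above both describe the same defect: it_read_envelope takes the node count of an Impulse Tracker instrument envelope from the file and fills fixed-size node arrays without checking it against their capacity. The following is an added, self-contained model of that bug class and of the one-line bound check that closes it. It is not DUMB's code and not the patch in libdumb 1:0.9.2-6; the struct layout, the 25-node capacity, the in-memory "file" helper and all function names (it_envelope, read_envelope_vulnerable, read_envelope_fixed, build_envelope, parse_and_check, demo) are assumptions made for illustration. The envelope bytes are constructed inline, and the overflow is kept inside one oversized heap block so the demonstration itself does not corrupt anything real.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the CVE-2006-3668 bug class (assumed layout, not
 * DUMB's own definitions). An envelope has room for IT_MAX_NODES nodes, but
 * the node count is a single byte read straight from the untrusted file. */
#define IT_MAX_NODES 25
#define SLACK 512   /* "neighbouring heap data" placed after the struct; large
                       enough that even n_nodes = 255 stays inside the block */

typedef struct {
    unsigned char flags, n_nodes, loop_start, loop_end, sus_start, sus_end;
    unsigned char node_y[IT_MAX_NODES];
    unsigned short node_t[IT_MAX_NODES];
} it_envelope;

/* Tiny in-memory file, standing in for the library's file abstraction. */
typedef struct { const unsigned char *p; size_t len, pos; } memfile;

static int mf_getc(memfile *f) { return f->pos < f->len ? f->p[f->pos++] : -1; }
static int mf_igetw(memfile *f) {                 /* little-endian 16-bit */
    int lo = mf_getc(f), hi = mf_getc(f);
    return (lo < 0 || hi < 0) ? -1 : (lo | (hi << 8));
}

static int read_header(it_envelope *env, memfile *f) {
    int v[6];
    for (int i = 0; i < 6; i++) if ((v[i] = mf_getc(f)) < 0) return -1;
    env->flags = v[0]; env->n_nodes = v[1]; env->loop_start = v[2];
    env->loop_end = v[3]; env->sus_start = v[4]; env->sus_end = v[5];
    return 0;
}

/* Vulnerable shape: trusts n_nodes, so n >= 25 writes past both arrays. */
int read_envelope_vulnerable(it_envelope *env, memfile *f) {
    if (read_header(env, f) < 0) return -1;
    for (int n = 0; n < env->n_nodes; n++) {      /* no bound on n_nodes */
        int y = mf_getc(f), t = mf_igetw(f);
        if (y < 0 || t < 0) return -1;
        env->node_y[n] = (unsigned char)y;        /* out of bounds when n >= 25 */
        env->node_t[n] = (unsigned short)t;
    }
    return 0;
}

/* Hardened shape: reject the file before touching the arrays. */
int read_envelope_fixed(it_envelope *env, memfile *f) {
    if (read_header(env, f) < 0) return -1;
    if (env->n_nodes > IT_MAX_NODES) {            /* the missing check */
        env->n_nodes = 0;
        return -1;
    }
    for (int n = 0; n < env->n_nodes; n++) {
        int y = mf_getc(f), t = mf_igetw(f);
        if (y < 0 || t < 0) return -1;
        env->node_y[n] = (unsigned char)y;
        env->node_t[n] = (unsigned short)t;
    }
    return 0;
}

/* Constructed input: 6-byte header followed by n nodes of (y, tick) =
 * (0x40, 0x0101). Returns the number of bytes written, 0 on bad arguments. */
size_t build_envelope(unsigned char *out, size_t cap, unsigned n_nodes) {
    size_t need = 6 + (size_t)n_nodes * 3;
    if (need > cap || n_nodes > 255) return 0;
    memset(out, 0, 6);
    out[1] = (unsigned char)n_nodes;
    for (unsigned n = 0; n < n_nodes; n++) {
        out[6 + 3 * n] = 0x40; out[7 + 3 * n] = 0x01; out[8 + 3 * n] = 0x01;
    }
    return need;
}

/* Parse into a heap block that has SLACK bytes of 0xAA after the struct and
 * report whether those bytes survived: 1 = neighbouring data clobbered. */
int parse_and_check(int (*reader)(it_envelope *, memfile *),
                    const unsigned char *file, size_t len, int *rc) {
    size_t slot = sizeof(it_envelope) + SLACK;
    unsigned char *heap = malloc(slot);
    if (!heap) return -1;
    memset(heap, 0xAA, slot);
    it_envelope *env = (it_envelope *)heap;
    memset(env, 0, sizeof *env);
    memfile f = { file, len, 0 };
    *rc = reader(env, &f);
    int clobbered = 0;
    for (size_t i = sizeof *env; i < slot; i++) if (heap[i] != 0xAA) clobbered = 1;
    free(heap);
    return clobbered;
}

/* Build an n-node envelope and parse it with the chosen reader. */
int demo(unsigned n_nodes, int use_fixed, int *rc) {
    unsigned char file[6 + 3 * 255];
    size_t len = build_envelope(file, sizeof file, n_nodes);
    return parse_and_check(use_fixed ? read_envelope_fixed : read_envelope_vulnerable,
                           file, len, rc);
}

int main(void) {
    int rc;
    printf("60 nodes, vulnerable: clobbered=%d rc=%d\n", demo(60, 0, &rc), rc);
    printf("60 nodes, fixed:      clobbered=%d rc=%d\n", demo(60, 1, &rc), rc);
    printf("3 nodes, fixed:       clobbered=%d rc=%d\n", demo(3, 1, &rc), rc);
    return 0;
}
```

With a 60-node envelope the unchecked reader reports success while having written node data past the end of the struct, which is exactly the condition the advisory turns into code execution when the overwritten bytes are live heap metadata or an adjacent object; the checked reader returns an error before any array write and leaves the surrounding bytes intact. The check belongs before the loop, not inside it, so that a hostile count never influences an index.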