Bug#540146: marked as done (CVE-2009-2660: Multiple integer overflows)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 30 Aug 2009 14:01:58 +0000
with message-id <E1Mhkyk-0000wT-A4@ries.debian.org>
and subject line Bug#540146: fixed in camlimages 2.20-8+etch2
has caused the Debian Bug report #540146,
regarding CVE-2009-2660: Multiple integer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
540146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: CVE-2009-2660: Multiple integer overflows
• From: Giuseppe Iuculano <giuseppe@iuculano.it>
• Date: Thu, 06 Aug 2009 09:11:01 +0200
• Message-id: <[🔎] 20090806071101.11338.29949.reportbug@localhost>

Package: camlimages
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages.

CVE-2009-2660[0]:
| Multiple integer overflows in CamlImages 2.2 might allow
| context-dependent attackers to execute arbitrary code via images
| containing large width and height values that trigger a heap-based
| buffer overflow, related to (1) crafted GIF files (gifread.c) and (2)
| crafted JPEG files (jpegread.c), a different vulnerability than
| CVE-2009-2295.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2660
    http://security-tracker.debian.net/tracker/CVE-2009-2660

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp6ggEACgkQNxpp46476ar1/gCfc/keILkLon57EJQMFCRtSlB4
NxQAn0yvAYKn3Cmg6YUGr1bX10Ju+wa/
=4KlA
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

• To: 540146-close@bugs.debian.org
• Subject: Bug#540146: fixed in camlimages 2.20-8+etch2
• From: Steffen Joeris <white@debian.org>
• Date: Sun, 30 Aug 2009 14:01:58 +0000
• Message-id: <E1Mhkyk-0000wT-A4@ries.debian.org>

Source: camlimages
Source-Version: 2.20-8+etch2

We believe that the bug you reported is fixed in the latest version of
camlimages, which is due to be installed in the Debian FTP archive:

camlimages_2.20-8+etch2.diff.gz
  to pool/main/c/camlimages/camlimages_2.20-8+etch2.diff.gz
camlimages_2.20-8+etch2.dsc
  to pool/main/c/camlimages/camlimages_2.20-8+etch2.dsc
libcamlimages-ocaml-dev_2.20-8+etch2_i386.deb
  to pool/main/c/camlimages/libcamlimages-ocaml-dev_2.20-8+etch2_i386.deb
libcamlimages-ocaml-doc_2.20-8+etch2_all.deb
  to pool/main/c/camlimages/libcamlimages-ocaml-doc_2.20-8+etch2_all.deb
libcamlimages-ocaml_2.20-8+etch2_i386.deb
  to pool/main/c/camlimages/libcamlimages-ocaml_2.20-8+etch2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 540146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated camlimages package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 08 Aug 2009 09:54:48 +0200
Source: camlimages
Binary: libcamlimages-ocaml libcamlimages-ocaml-doc libcamlimages-ocaml-dev
Architecture: source i386 all
Version: 2.20-8+etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libcamlimages-ocaml - OCaml image processing library
 libcamlimages-ocaml-dev - OCaml image processing library
 libcamlimages-ocaml-doc - OCaml CamlImages library documentation
Closes: 540146
Changes: 
 camlimages (2.20-8+etch2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Expand patch to also cover integer overflows in jpegread.c and
     gifread.c (Closes: #540146)
     Fixes: CVE-2009-2660
Files: 
 9dc39921e9569777eeb24c38b0ba0fae 904 devel optional camlimages_2.20-8+etch2.dsc
 cf4767d4ac5521e64b409605f3803506 9346 devel optional camlimages_2.20-8+etch2.diff.gz
 16d54539aab49f9f6c7cc5a8fe7bbf92 600500 doc optional libcamlimages-ocaml-doc_2.20-8+etch2_all.deb
 2a25218e9ad03594f8c22f884e850cff 24594 libs optional libcamlimages-ocaml_2.20-8+etch2_i386.deb
 a4abd61aa97cfb9996e0641c9ed9f378 845868 libdevel optional libcamlimages-ocaml-dev_2.20-8+etch2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp9MPEACgkQ62zWxYk/rQfsWwCghE4wmjRYQ7+0FfN0FV4Ye/mE
6eEAnizf7yT0sBDfKtYt1KOwp2IyZw9G
=jqun
-----END PGP SIGNATURE-----

--- End Message ---