
Bug#304465: marked as done (kdelibs4: Invalid calculation of PCX image properties possibly permits arbitrary code execution)



Your message dated Mon, 25 Apr 2005 23:32:23 -0400
with message-id <E1DQGoB-0001qY-00@newraff.debian.org>
and subject line Bug#304465: fixed in kdelibs 4:3.3.2-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Apr 2005 10:32:15 +0000
>From jmm@inutil.org Wed Apr 13 03:32:15 2005
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kdelibs4: Invalid calculation of PCX image properties possibly permits
 arbitrary code execution
X-Mailer: reportbug 3.9
Date: Wed, 13 Apr 2005 12:32:08 +0200
Message-Id: <E1DLfAG-0001wx-OQ@localhost.localdomain>

Package: kdelibs4
Severity: grave
Tags: security
Justification: user security hole

Invalid range checking in PCX header parsing possibly permits execution
of arbitrary code. Please see http://bugs.kde.org/show_bug.cgi?id=102328
for a full description, a crafted test image and a patch from Waldo Bastian
(so there's probably a pending KDE security advisory).

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 304465-close) by bugs.debian.org; 26 Apr 2005 03:53:33 +0000
>From katie@ftp-master.debian.org Mon Apr 25 20:53:33 2005
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 304465-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#304465: fixed in kdelibs 4:3.3.2-5
Message-Id: <E1DQGoB-0001qY-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 25 Apr 2005 23:32:23 -0400

Source: kdelibs
Source-Version: 4:3.3.2-5

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-5_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-5_i386.deb
kdelibs-data_3.3.2-5_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-5_all.deb
kdelibs4-dev_3.3.2-5_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-5_i386.deb
kdelibs4-doc_3.3.2-5_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-5_all.deb
kdelibs4_3.3.2-5_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-5_i386.deb
kdelibs_3.3.2-5.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-5.diff.gz
kdelibs_3.3.2-5.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-5.dsc
kdelibs_3.3.2-5_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 304465@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 22 Apr 2005 11:21:11 -0400
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kdelibs    - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4   - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 301971 304465
Changes: 
 kdelibs (4:3.3.2-5) unstable; urgency=medium
 .
   +++ Changes by Christopher Martin:
 .
   * KDE_3_3_BRANCH update. Includes fixes for CAN-2005-1046, a series of
     vulnerabilities involving improper input validation for image files,
     potentially resulting in arbitrary code execution. (Closes: #304465)
 .
   * Add GFDL to debian/copyright.
 .
   * Add another kaccel patch that fixes non-English keyboards on
     SunRay terminals. Thanks to Nikita Youshchenko. (Closes: #301971)
Files: 
 302d5be112caad72df4ee219b471033e 1302 libs optional kdelibs_3.3.2-5.dsc
 6e6cc22ea66e784da55d64fffed9cd99 402866 libs optional kdelibs_3.3.2-5.diff.gz
 dcd0c521a4681f6560afafb06f628f3d 863424 libs optional kdelibs-bin_3.3.2-5_i386.deb
 4b316b6e243d43dc6895b92f910e877d 8202038 libs optional kdelibs4_3.3.2-5_i386.deb
 eb6e3a32dab1a3010ba71ab8d6cb6941 1239838 libdevel optional kdelibs4-dev_3.3.2-5_i386.deb
 1d8d240dfde8fed60157b8da61730bcd 27608 kde optional kdelibs_3.3.2-5_all.deb
 bcd465f6de994d1512b518ec53514346 7093826 libs optional kdelibs-data_3.3.2-5_all.deb
 6859715d1f014bd1ad337a85e3e3f7ab 11531790 doc optional kdelibs4-doc_3.3.2-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>

iD8DBQFCbTTAQET2GFTmct4RAv5bAJ9X6C8V+E+SN86od6prJKO6ilYPbACffW+7
u3+ocxx4I/d5qBnYNR3o0js=
=8ue0
-----END PGP SIGNATURE-----


