[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#768945: marked as done (busybox lzo implementation suffers from CVE-2014-4607 flaw)

Your message dated Tue, 11 Nov 2014 15:19:44 +0000
with message-id <E1XoDEO-0007ww-Tx@franck.debian.org>
and subject line Bug#768945: fixed in busybox 1:1.22.0-10
has caused the Debian Bug report #768945,
regarding busybox lzo implementation suffers from CVE-2014-4607 flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

768945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768945
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: busybox
Version: 1:1.22.0-5
Severity: serious
Tags: security patch upstream fixed-upstream

Busybox embeds mini-lzo library implementation which suffers
from CVE-2014-4607 -- integer overflow with memory corruption
potential and a risk of (remote) code execution, see
http://www.openwall.com/lists/oss-security/2014/06/26/20 for

This flaw has been fixed in busybox upstream in commit


--- End Message ---
--- Begin Message ---
Source: busybox
Source-Version: 1:1.22.0-10

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Hash: SHA1

Format: 1.8
Date: Tue, 11 Nov 2014 17:07:34 +0300
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-10
Distribution: unstable
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 768926 768945
 busybox (1:1.22.0-10) unstable; urgency=high
   * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
   * add Built-Using control field for -static, deriving it from
     regular build (this will be glibc) (Closes: #768926)
   * install only arch/indep deb as requested by binary-arch or binary-indep
     target.  This fixes a long-standing lintian error, when package build
     alway produces busybox-syslogd package which is arch:all and should not
     be built on a buildd.
 2f5d25962e8564b4f31e20fedb94f5b07baf0339 1870 busybox_1.22.0-10.dsc
 f5d5d0b0ac41341b9fdbbfba8daa81f6f3e671ce 55644 busybox_1.22.0-10.debian.tar.xz
 7d9d4759307263dbe21a33c095f7e2eb0086b962 391522 busybox_1.22.0-10_amd64.deb
 67ea307687439f888f1d2584d0ff5aaa238d3747 840786 busybox-static_1.22.0-10_amd64.deb
 149d93d360781e3b6bb41b52fd53ecef1bb84d8b 175074 busybox-udeb_1.22.0-10_amd64.udeb
 94c23a29697cf0b89f8e3c30522f8ba23654fe66 23476 busybox-syslogd_1.22.0-10_all.deb
 59f788ea4bc0d385c0e4d4ac388beccc6ca2d09d 21596 udhcpc_1.22.0-10_amd64.deb
 a3a44f22ca0a7df00346695ce0dd3be1d45071b4 24352 udhcpd_1.22.0-10_amd64.deb
 9641bf2cc6267457a2456bc7f248d0575e5e24a0d0f69a10f41e450bbf6a3b56 1870 busybox_1.22.0-10.dsc
 d61956caf82b5d5396d1eca1323396080204defe952d62255c503680a72b2637 55644 busybox_1.22.0-10.debian.tar.xz
 e9180a03b06c83fffb3d14dea1d9b3427b32d6fe8815a65e5f48e69553b5273a 391522 busybox_1.22.0-10_amd64.deb
 79930fcc8ce8b1a8fe59fb0f241e17078a65a86867d5c1398e97db6997f474fa 840786 busybox-static_1.22.0-10_amd64.deb
 4ef5f7a8aa2fad9b2780fc06f38b0749c12fc4c45f178aae5cd9778fe0eb417d 175074 busybox-udeb_1.22.0-10_amd64.udeb
 15be79b616b9e2a7a520611b1850726668aeed1b32f25c9c0f567f3526630a54 23476 busybox-syslogd_1.22.0-10_all.deb
 ace82fa18c8452f10569e3d59b004c9a847c39ebc2537b320f0c8157b9e98fe8 21596 udhcpc_1.22.0-10_amd64.deb
 89480d4b62ac2c3b622f624c1863b15fa91ec6309056f7a3a295b9138d42988c 24352 udhcpd_1.22.0-10_amd64.deb
 f999e038a5d17947a8fe09ece2494426 1870 utils optional busybox_1.22.0-10.dsc
 7d800cd98e4605fcb14b04d9cb2430e8 55644 utils optional busybox_1.22.0-10.debian.tar.xz
 22a6810630ec3a9dbb214a94266496c4 391522 utils optional busybox_1.22.0-10_amd64.deb
 776d6ef3f7af401a5c6d6b2ac94403ea 840786 shells extra busybox-static_1.22.0-10_amd64.deb
 f1bcd4fc1c180ba9fa1a41fd3e00bdcb 175074 debian-installer extra busybox-udeb_1.22.0-10_amd64.udeb
 ce9773918405a05417bb185cdd3bd70a 23476 utils optional busybox-syslogd_1.22.0-10_all.deb
 06dbb1502f8b88790353187923dc5801 21596 net optional udhcpc_1.22.0-10_amd64.deb
 69da63121b21f3c54c73b7340c3d8abd 24352 net optional udhcpd_1.22.0-10_amd64.deb

Version: GnuPG v1.4.12 (GNU/Linux)


--- End Message ---

Reply to: