
Bug#768945: marked as done (busybox lzo implementation suffers from CVE-2014-4607 flaw)



Your message dated Tue, 11 Nov 2014 15:19:44 +0000
with message-id <E1XoDEO-0007ww-Tx@franck.debian.org>
and subject line Bug#768945: fixed in busybox 1:1.22.0-10
has caused the Debian Bug report #768945,
regarding busybox lzo implementation suffers from CVE-2014-4607 flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768945
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: busybox
Version: 1:1.22.0-5
Severity: serious
Tags: security patch upstream fixed-upstream

Busybox embeds a mini-lzo library implementation which suffers
from CVE-2014-4607 -- an integer overflow with memory corruption
potential and a risk of (remote) code execution, see
http://www.openwall.com/lists/oss-security/2014/06/26/20 for
details.

This flaw has been fixed in busybox upstream in commit
a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3.

/mjt

--- End Message ---
--- Begin Message ---
Source: busybox
Source-Version: 1:1.22.0-10

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Nov 2014 17:07:34 +0300
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-10
Distribution: unstable
Urgency: high
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 768926 768945
Changes:
 busybox (1:1.22.0-10) unstable; urgency=high
 .
   * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
   * add Built-Using control field for -static, deriving it from
     regular build (this will be glibc) (Closes: #768926)
   * install only arch/indep deb as requested by binary-arch or binary-indep
     target.  This fixes a long-standing lintian error, when package build
     always produces busybox-syslogd package which is arch:all and should not
     be built on a buildd.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
