
Bug#768945: marked as done (busybox lzo implementation suffers from CVE-2014-4607 flaw)



Your message dated Wed, 18 Feb 2015 21:20:16 +0000
with message-id <E1YOC2a-0002T9-4E@franck.debian.org>
and subject line Bug#768945: fixed in busybox 1:1.22.0-9+deb8u1
has caused the Debian Bug report #768945,
regarding busybox lzo implementation suffers from CVE-2014-4607 flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768945
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: busybox
Version: 1:1.22.0-5
Severity: serious
Tags: security patch upstream fixed-upstream

Busybox embeds a mini-lzo library implementation which suffers
from CVE-2014-4607 -- integer overflow with memory corruption
potential and a risk of (remote) code execution, see
http://www.openwall.com/lists/oss-security/2014/06/26/20 for
details.

This flaw has been fixed in busybox upstream in commit
a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3.

/mjt

--- End Message ---
--- Begin Message ---
Source: busybox
Source-Version: 1:1.22.0-9+deb8u1

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768945@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mehdi Dogguy <mehdi@debian.org> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 17 Feb 2015 18:29:33 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-9+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Mehdi Dogguy <mehdi@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 768945
Changes:
 busybox (1:1.22.0-9+deb8u1) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)

--- End Message ---
