Bug#442247: marked as done (CVE-2007-4840 multiple errors in iconv function)

Your message dated Wed, 21 Nov 2007 22:49:27 +0000
with message-id <E1IuyNr-0002HE-Fm@ries.debian.org>
and subject line Bug#442250: fixed in glibc 2.7-0exp9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: php5
Severity: minor
Tags: security

A CVE has been issued against your package.
PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of
service (application crash) via (1) a long string in the out_charset parameter
to the iconv function; or a long string in the charset parameter to the (2)
iconv_mime_decode_headers, (3) iconv_mime_decode, or (4) iconv_strlen function.
NOTE: this might not be a vulnerability in most web server environments that
support multiple threads, unless these issues can be demonstrated for code

Please include the CVE id in the changelog if you fix this bug.

This should be a minor bug since it is not really exploitable in most

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4840

Kind regards
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.7-0exp9

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive:

  to pool/main/g/glibc/glibc-doc_2.7-0exp9_all.deb
  to pool/main/g/glibc/glibc_2.7-0exp9.diff.gz
  to pool/main/g/glibc/glibc_2.7-0exp9.dsc
  to pool/main/g/glibc/libc6.1-alphaev67_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libc6.1-dbg_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libc6.1-dev_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libc6.1-pic_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libc6.1-prof_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libc6.1-udeb_2.7-0exp9_alpha.udeb
  to pool/main/g/glibc/libc6.1_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/libnss-dns-udeb_2.7-0exp9_alpha.udeb
  to pool/main/g/glibc/libnss-files-udeb_2.7-0exp9_alpha.udeb
  to pool/main/g/glibc/locales-all_2.7-0exp9_alpha.deb
  to pool/main/g/glibc/locales_2.7-0exp9_all.deb
  to pool/main/g/glibc/nscd_2.7-0exp9_alpha.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442250@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sun, 18 Nov 2007 22:11:35 +0100
Source: glibc
Binary: libc0.1-prof libc6.1-alphaev67 libc6-dev-amd64 locales-all libc6-i686 libc6-dev-ppc64 libc0.3-pic glibc-doc libc0.3 libc6-dev-mipsn32 libc0.1-i686 libc0.1-i386 libc6-mips64 libc6.1-dev libc6-s390x libnss-files-udeb libc0.1-dev-i386 libc6-dev-sparc64 libc6-i386 libc0.3-dev libc6-udeb libc6-dbg libc6.1-pic libc6-dev libc0.3-prof libc0.1-udeb libc6-dev-i386 libc6.1-prof libc6-mipsn32 libc0.1-dev locales libc6-pic libc0.3-udeb libc6-dev-powerpc libc0.1-pic libc6-ppc64 libc0.3-dbg libc0.1-dbg libc6-amd64 libc0.1 libc6-prof libc6-xen libc6-dev-mips64 libc6-powerpc libc6 libc6-sparcv9b libc6.1-udeb libc6.1-dbg nscd libc6-sparc64 libnss-dns-udeb libc6.1 libc6-dev-s390x
Architecture: source alpha all
Version: 2.7-0exp9
Distribution: experimental
Urgency: low
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
 glibc-doc  - GNU C Library: Documentation
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: Libraries with debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-prof - GNU C Library: Profiling Libraries
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 229251 442250 442568 443460 443660 444145 444580 445631 447221 447328 447866 447928 448248 448508 448796 448928 449193 449198 451304
 glibc (2.7-0exp9) experimental; urgency=low
   [ Clint Adams ]
   * New upstream release with linuxthreads snapshot.
     - Fixes an ABBA deadlock in ld.so.  Closes: #443460.
     - Render dgettext thread safe.  Closes: #443660.
     - Fixes CVE-2007-4840 (multiple errors in iconv
       function).  Closes: #442250.
     - Remove localedata/locale-de_CH.diff (merged).
     - Update locale/fix-LC_COLLATE-rules.diff.
     - Update locale/LC_COLLATE-keywords-ordering.diff.
     - Update locale/fix-C-first_weekday.diff.
     - Update locale/preprocessor-collate.diff.
     - Update localedata/locales-fr.diff.
     - Remove localedata/locale-sa_IN.diff (merged).
     - Remove localedata/locale-wo_SN.diff (merged).
     - Update localedata/tailor-iso14651_t1.diff.
     - Add localedata/tailor-iso14651_t1-common.diff.
     - Remove localedata/fix-unknown-symbols.diff (merged).
     - Update localedata/first_weekday.diff.
     - Add localedata/cs_CZ-first_weekday.diff.
     - Add localedata/da_DK-first_weekday.diff.
     - Add localedata/pl_PL-first_weekday.diff.
     - Add localedata/de_DE-first_weekday.diff.
     - Add localedata/en_GB-first_weekday.diff.
     - Add localedata/en_US-first_weekday.diff.
     - Add localedata/et_EE-first_weekday.diff.
     - Add localedata/fr_BE-first_weekday.diff.
     - Add localedata/fr_CA-first_weekday.diff.
     - Add localedata/fr_CH-first_weekday.diff.
     - Add localedata/fr_FR-first_weekday.diff.
     - Add localedata/fr_LU-first_weekday.diff.
     - Add localedata/hu_HU-first_weekday.diff.
     - Add localedata/nb_NO-first_weekday.diff.
     - Add localedata/nn_NO-first_weekday.diff.
     - Add localedata/sk_SK-first_weekday.diff.
     - Add localedata/cy_GB-first_weekday.diff.
     - Update localedata/sort-UTF8-first.diff.
     - Remove localedata/submitted-as_IN.diff (merged).
     - Remove hppa/submitted-multiple-threads.diff (merged).
     - Remove hppa/submitted-ustat.diff (merged).
     - Remove hurd-i386/cvs-sigsuspend-nocancel.diff (merged).
     - Remove hurd-i386/cvs-lock-intern.diff (merged).
     - Remove sparc/local-undefined-registers.diff (obsolete).
     - Remove all/local-pt_BR.diff (merged).
     - Remove any/cvs-ld_library_path.diff (merged).
     - Remove any/cvs-initfini.diff (merged).
     - Remove any/cvs-posix-glob.diff (merged).
     - Update any/local-bashisms.diff.
     - Remove any/local-forward-backward-collation.diff (merged).
     - Remove any/local-version-sanity.diff (merged).
     - Remove any/submitted-strtok.diff (merged).
     - Remove any/submitted-regex-collate.diff (merged).
     - Remove localedata/locale-no_NO.diff (obsolete).
     - Update localedata/supported.diff.
   * Bump shlib version to 2.7-1.
   * Add localedata/cvs-locale-ig_NG.diff BZ#5224, missing collation symbols
     for ig_NG.
   * Add localedata/cvs-locale-lo_LA.diff BZ#5237, missing collation symbols
     for lo_LA.
   * Add localedata/cvs-locale-ug_CN.diff BZ#5238, missing collation symbols
     for ug_CN.
   [ Aurelien Jarno ]
   * kfreebsd/local-sysdeps.diff: update to revision 2029 (from glibc-bsd).
   * any/submitted-longdouble.diff: update.
   * Improve any/submitted-rfc3484-sortv4.diff.
   * Update hurd-i386/submitted-trivial.diff.
   * any/local-strfry.diff: new patch to fix strfry(), as Ulrich Drepper
     has still not managed to commit a correct version.
   * Remove hppa/submitted-threaddb.diff (merged).
   * Update hppa/submitted-nptl-carlos.diff.
   * Update hurd-i386/submitted-libc_once.diff.
   * Remove hurd-i386/cvs-ioctl-delay.diff (merged).
   * Update hurd-i386/local-tls-support.diff.
   * Add hurd-i386/cvs-kernel-features.diff: provide almost empty
     kernel-features.h for files that include it.
   * Add arm/local-args6.diff: provide DOCARGS_6 and UNDOCARGS_5 for
     arm old-abi.
   * Add arm/local-lowlevellock.diff: new patch to fix build on arm.
   * debian/rules, debian/rules.d/build.mk: allow per architecture
   * sysdeps/arm.mk, sysdeps/armel.mk, sysdeps/hppa.mk, sysdeps/s390.mk,
     sysdeps/sh4.mk: define TIMEOUTFACTOR.
   * locales-depver: tighten locales dependencies.
   * any/local-disable-test-tgmath2.diff: new patch to disable test-tgmath2,
     which takes too many resources during compilation.
   * Add hurd-i386/submitted-strtoul.diff: new patch to use
     __strtoul_internal() instead of strtoul() in internal functions.
   * Add hurd-i386/submitted-ptr-mangle.diff: new patch to define PTR_MANGLE
     and PTR_DEMANGLE.
   * Update Galician debconf translation, by Jacobo Tarrio.  Closes: #447928.
   * Update Dutch debconf translation, by Bart Cornelis.  Closes: #448928.
   * Add sh4/local-fpscr_values.diff and any/local-allocalim-header.diff
     from Arthur Loiret.  Closes: #448248.
   * Fix encoding of Japanese translation.  Closes: #447221.
   * Add any/submitted-sched_h.diff: new patch to define __CPU_ALLOC_SIZE.
   * Add mips/local-setjmp.diff: new patch to fix g++ tests on mips/mipsel.
   * Add any/local-fhs-nscd.diff: move nscd directory to /var/cache/nscd from
     /var/db/nscd.  Closes: #449198.
   * debhelper.in/nscd.postrm: remove /var/cache/nscd on purge.  Closes:
   * script.in/kernelcheck.sh, sysdeps/alpha.mk: bump minimum kernel version to
     2.6.9 for alpha.
   * script.in/kernelcheck.sh, sysdeps/sh4.mk: bump minimum kernel version to
     2.6.11 for sh4.
   * debian/patches/arm/local-eabi-wchar.diff: new patch from Riku Voipio to
     fix WCHAR_MIN and WCHAR_MAX definitions on armel.  Closes: #444580.
   * debian/po/zh_CN.po: update from LI Daobing. Closes: #447866.
   * debhelper.in/locales-all.postinst: trap exit signal and remove temporary
     directory.  Closes: #447328.
   * debhelper.in/libc.NEWS: mention that the tzconfig script has been replaced
     by the maintainer scripts of tzdata.  Closes: bug#448796.
   * patches/all/local-alias-et_EE.diff: switch Estonian locales alias to
   * patches/alpha/submitted-fpu-round.diff: restore the old version of
     ceil/floor/rint functions.  Closes: #442568.
   * patches/alpha/local-dl-procinfo.diff: new patch to add platform
     capabilities support on alpha.
   * Add an ev67 flavour on alpha:  Closes: #229251
     - control.in/opt: add libc6-alphaev67 packages.
     - sysdeps/alpha.mk: add a new pass for ev67 flavour.
   * debian/local/manpages/iconv.1: document //translit and //ignore
     options.  Closes: #451304.
   * debian/local/manpages/getent.1: document exit codes.  Closes:
   * debian/local/manpages/ld.so.8: document $ORIGIN, $PLATFORM and $LIB
     features.  Closes: #444145.
   [ Petr Salinger ]
   * any/local-linuxthreads-unwind.diff: provide unwind-resume routine for
   * any/local-stdio-lock.diff: make _IO_*_lock linuxthreads compliant.
   * any/local-o_cloexec.diff: don't assume O_CLOEXEC is always defined.
   * any/local-linuxthreads-signals.diff: always use non-RT signal handler
     on GNU/kFreeBSD.
   [ Pierre Habouzit ]
   * Remove any/local-iconv-fix-trampoline.diff (obsolete).
   * Remove any/submitted-strfry.diff (merged).
   * Update any/submitted-rfc3484-sortv4.diff.
   * Update localedata/*first_weekday.diff.
   * Remove localedata/fix-am_ET.diff (obsolete).
   * Add locale/preprocessor-collate-uli-sucks.diff to revert Ulrich's
     preprocessor that isn't enough for Debian.
   * Update patches/locale/preprocessor-collate.diff.
   * Add alpha/submitted-PTR_MANGLE.diff (Closes: #448508).
   [ Samuel Thibault ]
   * hurd-i386/submitted-ptr-mangle.diff: Define PTR_MANGLE for assembly.
Package-Type: udeb
--- End Message ---