
Bug#540146: marked as done (CVE-2009-2660: Multiple integer overflows)



Your message dated Fri, 04 Sep 2009 18:31:46 +0000
with message-id <E1MjdZa-00062P-Qs@ries.debian.org>
and subject line Bug#540146: fixed in camlimages 1:2.2.0-4+lenny2
has caused the Debian Bug report #540146,
regarding CVE-2009-2660: Multiple integer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
540146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: camlimages
Severity: grave
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages.

CVE-2009-2660[0]:
| Multiple integer overflows in CamlImages 2.2 might allow
| context-dependent attackers to execute arbitrary code via images
| containing large width and height values that trigger a heap-based
| buffer overflow, related to (1) crafted GIF files (gifread.c) and (2)
| crafted JPEG files (jpegread.c), a different vulnerability than
| CVE-2009-2295.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2660
    http://security-tracker.debian.net/tracker/CVE-2009-2660

Cheers,
Giuseppe.




--- End Message ---
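As an added illustration of the bug class named in the CVE text above (this is not code from CamlImages, from the Debian patch, or from either message): a checked size computation for a width x height x bytes-per-pixel buffer beside the unchecked 32-bit product that silently wraps. The function names and the 256 MiB decoder limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not CamlImages code): size in bytes of a
 * width x height image with bytes_per_pixel channels, computed in size_t
 * with an overflow check before each multiplication. Returns 0 when the
 * product would wrap or when any dimension is zero, so a caller can treat
 * 0 as "refuse to decode this header". */
size_t image_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    /* width * height overflows iff width > SIZE_MAX / height */
    if ((size_t)width > SIZE_MAX / (size_t)height)
        return 0;
    size_t pixels = (size_t)width * (size_t)height;
    /* pixels * bytes_per_pixel overflows iff pixels > SIZE_MAX / bpp */
    if (pixels > SIZE_MAX / (size_t)bytes_per_pixel)
        return 0;
    return pixels * (size_t)bytes_per_pixel;
}

/* The vulnerable pattern, for contrast: the product is formed in 32 bits
 * and wraps modulo 2^32, so a 65536 x 65536 x 4 image yields size 0 and an
 * allocator would hand back a tiny buffer that the decoder then overruns.
 * Only the arithmetic is shown; nothing is allocated from this value. */
uint32_t unchecked_size_u32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* wraps silently, no diagnostic */
}

/* Allocate the pixel buffer only when the checked size is non-zero and
 * below an assumed per-image limit (256 MiB here), which also stops
 * legitimate-but-huge headers from exhausting memory. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    const size_t limit = (size_t)256 * 1024 * 1024;
    size_t n = image_buffer_size(width, height, bpp);
    if (n == 0 || n > limit)
        return NULL;
    unsigned char *buf = malloc(n);
    if (buf != NULL)
        memset(buf, 0, n);
    return buf;
}
```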
--- Begin Message ---
Source: camlimages
Source-Version: 1:2.2.0-4+lenny2

We believe that the bug you reported is fixed in the latest version of
camlimages, which is due to be installed in the Debian FTP archive:

camlimages_2.2.0-4+lenny2.diff.gz
  to pool/main/c/camlimages/camlimages_2.2.0-4+lenny2.diff.gz
camlimages_2.2.0-4+lenny2.dsc
  to pool/main/c/camlimages/camlimages_2.2.0-4+lenny2.dsc
libcamlimages-ocaml-dev_2.2.0-4+lenny2_i386.deb
  to pool/main/c/camlimages/libcamlimages-ocaml-dev_2.2.0-4+lenny2_i386.deb
libcamlimages-ocaml-doc_2.2.0-4+lenny2_all.deb
  to pool/main/c/camlimages/libcamlimages-ocaml-doc_2.2.0-4+lenny2_all.deb
libcamlimages-ocaml_2.2.0-4+lenny2_i386.deb
  to pool/main/c/camlimages/libcamlimages-ocaml_2.2.0-4+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 540146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated camlimages package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 08 Aug 2009 09:38:11 +0200
Source: camlimages
Binary: libcamlimages-ocaml libcamlimages-ocaml-dev libcamlimages-ocaml-doc
Architecture: source all i386
Version: 1:2.2.0-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libcamlimages-ocaml - OCaml image processing library
 libcamlimages-ocaml-dev - OCaml image processing library
 libcamlimages-ocaml-doc - OCaml CamlImages library documentation
Closes: 540146
Changes: 
 camlimages (1:2.2.0-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Expand patch to also cover integer overflows in jpegread.c and
     gifread.c (Closes: #540146)
     Fixes: CVE-2009-2660




--- End Message ---
