
Bug#550440: marked as done (advi: CVE-2009-2295 arbitrary code execution)



Your message dated Tue, 03 Nov 2009 16:17:14 +0000
with message-id <E1N5M4I-0001vI-VP@ries.debian.org>
and subject line Bug#550440: fixed in advi 1.6.0-15
has caused the Debian Bug report #550440,
regarding advi: CVE-2009-2295 arbitrary code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
550440: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550440
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: advi
Version: 1.6.0-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for camlimages.  advi statically links to camlimages, so any
issues in that package are also applicable to advi.  There were already
updates to camlimages for etch and lenny, so advi just needs to be
relinked using those new versions.  Please coordinate these updates with
the security team.

CVE-2009-2295[0]:
| Multiple integer overflows in CamlImages 2.2 and earlier might allow
| context-dependent attackers to execute arbitrary code via a crafted
| PNG image with large width and height values that trigger a heap-based
| buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24
| function.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2295
    http://security-tracker.debian.net/tracker/CVE-2009-2295



--- End Message ---
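A simplified C model of the overflow class named in the CVE text above, added here as an example and not code from camlimages, libpng or advi: the unchecked width * height * bytes-per-pixel product beside a checked version that refuses to produce an undersized allocation. The function names, MAX_IMAGE_DIM and the sample dimensions are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the bug class behind CVE-2009-2295 (not camlimages code):
 * a PNG reader sizes its pixel buffer as width * height * bytes-per-pixel in
 * 32-bit arithmetic, so crafted huge dimensions wrap to a tiny product and the
 * heap buffer allocated from it is far smaller than the rows copied into it. */
/* Vulnerable pattern: the product wraps silently for large inputs. */
static uint32_t unsafe_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

#define MAX_IMAGE_DIM 65535u   /* assumed policy limit, not a libpng default */
/* Hardened version: reject out-of-policy dimensions, then check each multiply
 * against SIZE_MAX before performing it. Returns 0 with the size in *out, or
 * -1 if the image must be rejected (the checks matter most where size_t is 32-bit). */
static int safe_image_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    if (width > MAX_IMAGE_DIM || height > MAX_IMAGE_DIM)
        return -1;
    size_t n = width;
    if (n > SIZE_MAX / height)   /* would width * height overflow size_t? */
        return -1;
    n *= height;
    if (n > SIZE_MAX / bpp)      /* would n * bpp overflow size_t? */
        return -1;
    n *= bpp;
    *out = n;
    return 0;
}

/* Convenience wrapper: the checked size as a signed value, or -1 when rejected. */
static long long checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return safe_image_bytes(width, height, bpp, &n) == 0 ? (long long)n : -1;
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 x 4 wraps to exactly 0 in 32 bits. */
    printf("unsafe size: %" PRIu32 "\n", unsafe_image_bytes(65536, 65536, 4));
    printf("checked size: %lld\n", checked_image_bytes(65536, 65536, 4));
    return 0;
}
```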
--- Begin Message ---
Source: advi
Source-Version: 1.6.0-15

We believe that the bug you reported is fixed in the latest version of
advi, which is due to be installed in the Debian FTP archive:

advi-examples_1.6.0-15_all.deb
  to main/a/advi/advi-examples_1.6.0-15_all.deb
advi_1.6.0-15.diff.gz
  to main/a/advi/advi_1.6.0-15.diff.gz
advi_1.6.0-15.dsc
  to main/a/advi/advi_1.6.0-15.dsc
advi_1.6.0-15_amd64.deb
  to main/a/advi/advi_1.6.0-15_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550440@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated advi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 03 Nov 2009 16:47:16 +0100
Source: advi
Binary: advi advi-examples
Architecture: source amd64 all
Version: 1.6.0-15
Distribution: unstable
Urgency: low
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Description: 
 advi       - an active DVI previewer and presenter
 advi-examples - example presentations for Active-DVI (advi)
Closes: 550440
Changes: 
 advi (1.6.0-15) unstable; urgency=low
 .
   * Switch to dh-ocaml 0.9
   * debian/control:
     - update my e-mail address, remove DMUA
     - update Standards-Version to 3.8.3 (no changes)
   * Recompile against recent camlimages (Closes: #550440)
     - fixes CVE-2009-2295, CVE-2009-2660, CVE-2009-3296

--- End Message ---