
Bug#382511: marked as done (libwmf0.2-7: Multiple vulnerabilities in embedded libgd2 copy)



Your message dated Wed, 21 Mar 2007 10:17:03 +0000
with message-id <E1HTxsN-0002Hd-Cm@ries.debian.org>
and subject line Bug#382511: fixed in libwmf 0.2.8.4-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libwmf
Version: 0.2.8.4-2
Severity: important
Tags: security patch

Hi!

libwmf contains an ancient (2001!) copy of libgd2, which is vulnerable
to CVE-2004-0941, CVE-2004-0990 (integer overflows which can be
exploited for arbitrary code execution with crafted PNGs) and
CVE-2006-2906 (DoS with crafted GIFs).

I did not verify whether these can be exploited through libwmf,
therefore I did not set this to 'grave'. However, this should be fixed
just to be on the safe side. Original libgd2 patches:

  http://people.ubuntu.com/patches/libgd2.CVE-2004-0941_0990.diff
  http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff

The best solution would be to build against the system libgd2 and
ignore the code copy completely. This avoids code copies (which are
*VERY* *VERY* hard to find), and thus such vulnerabilities, altogether.

Thank you for considering,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
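Martin's point that embedded library copies are very hard to find is the practical problem behind this report: a vulnerability fixed in the system libgd2 stays open in every package that carries its own copy. The following scanner is an added example and is not part of the bug report, of libwmf or of Debian's tooling. It walks a source tree and flags files that look like a vendored libgd by two heuristics chosen here (libgd-style file names, and C files that *define* rather than merely call distinctive libgd API functions); the file-name patterns, the marker list and the GD_*_VERSION macro names are assumptions for the demonstration, and the mini source tree it scans is constructed inline.

```python
"""Find vendored copies of libgd in a source tree (added example, heuristic).

Assumptions: libgd source files are named gd.c/gd.h/gd_*.c/gdhelpers.c etc.,
a vendored copy defines public gdImage* functions, and newer headers carry
GD_MAJOR_VERSION / GD_MINOR_VERSION / GD_RELEASE_VERSION macros.
"""
import os
import re
import tempfile

# File names used by libgd sources (assumption: a partial list).
GD_FILENAME_RE = re.compile(
    r"^gd(_[a-z0-9_]+)?\.[ch]$|^gd(helpers|cache|fx|ft|tables)\.[ch]$")

# Distinctive public libgd functions; a file that defines one of these is
# almost certainly an embedded copy of the library, not a user of it.
GD_MARKERS = (
    "gdImageCreateFromPngCtx",
    "gdImageCreateFromGifCtx",
    "gdImageCreateTrueColor",
    "gdImageDestroy",
    "gdImagePngCtx",
)

VERSION_RE = re.compile(r"#define\s+GD_(MAJOR|MINOR|RELEASE)_VERSION\s+(\d+)")


def _defines(text, func):
    """True if `text` holds a C *definition* of `func` (a body in braces),
    as opposed to a prototype ending in ';' or a call inside a statement."""
    pat = re.compile(
        r"^[ \t]*(?!return\b)[\w\*][\w\s\*]*\b" + re.escape(func)
        + r"\s*\([^;]*\)\s*\{", re.M)
    return bool(pat.search(text))


def scan_tree(root):
    """Return sorted (relative path, [reasons]) for files that look vendored."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if GD_FILENAME_RE.match(name):
                reasons.append("libgd source file name")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            defined = [f for f in GD_MARKERS if _defines(text, f)]
            if defined:
                reasons.append("defines libgd API: " + ", ".join(defined))
            ver = {m.group(1): m.group(2) for m in VERSION_RE.finditer(text)}
            if ver:  # only present in newer libgd headers; old copies lack it
                reasons.append("declares GD version %s.%s.%s" % (
                    ver.get("MAJOR", "?"), ver.get("MINOR", "?"),
                    ver.get("RELEASE", "?")))
            if reasons:
                findings.append((rel, reasons))
    findings.sort()
    return findings


# Constructed mini source tree: one vendored gd directory and one ordinary
# consumer of the gd API. None of this is real libwmf or libgd code.
FIXTURE = {
    "src/gd/gd.h": (
        "#define GD_H 1\n"
        "gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile);\n"
        "void gdImageDestroy (gdImagePtr im);\n"),
    "src/gd/gd_png.c": (
        "/* constructed stand-in for a vendored libgd file */\n"
        "#include \"gd.h\"\n"
        "gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile)\n"
        "{\n    return 0;\n}\n"),
    "src/api/wmf_render.c": (
        "#include <gd.h>\n"
        "static int render(gdIOCtx *ctx)\n"
        "{\n"
        "    gdImagePtr im = gdImageCreateFromPngCtx(ctx);\n"
        "    gdImageDestroy(im);\n"
        "    return im != 0;\n"
        "}\n"),
}


def build_demo_tree(root):
    """Write the constructed fixture under `root`."""
    for rel, content in FIXTURE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed tree; only the two files under src/gd are flagged."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print("%s: %s" % (rel, "; ".join(reasons)))
```

The consumer file `src/api/wmf_render.c` calls the same API but is not reported, which is the distinction that matters when deciding what to rebuild against the system library: only the definitions are a copy. Run over a real package's unpacked source, the output is the list of files to delete or to exclude from the build when switching to the system libgd2.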
--- Begin Message ---
Source: libwmf
Source-Version: 0.2.8.4-5

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:

libwmf-bin_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf-bin_0.2.8.4-5_i386.deb
libwmf-dev_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf-dev_0.2.8.4-5_i386.deb
libwmf-doc_0.2.8.4-5_all.deb
  to pool/main/libw/libwmf/libwmf-doc_0.2.8.4-5_all.deb
libwmf0.2-7_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf0.2-7_0.2.8.4-5_i386.deb
libwmf_0.2.8.4-5.diff.gz
  to pool/main/libw/libwmf/libwmf_0.2.8.4-5.diff.gz
libwmf_0.2.8.4-5.dsc
  to pool/main/libw/libwmf/libwmf_0.2.8.4-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 382511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool@dooz.org> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 21 Mar 2007 10:51:18 +0100
Source: libwmf
Binary: libwmf-dev libwmf-bin libwmf-doc libwmf0.2-7
Architecture: source all i386
Version: 0.2.8.4-5
Distribution: experimental
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Loic Minier <lool@dooz.org>
Description: 
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 382511
Changes: 
 libwmf (0.2.8.4-5) experimental; urgency=low
 .
   * Convert the package to the new Gtk modules handling; closes: #382511.
     - Bump up the libgtk2.0-dev build-dep to >= 2.10.1-1.
     - Call dh_gtkmodules with an appropriate LD_LIBRARY_PATH.
     - Drop debian/postinst and debian/postrm.
Files: 
 6d6c00f3314f611a5c41fc6bf935737b 777 libs optional libwmf_0.2.8.4-5.dsc
 b10d2690878607c8c93edc3fc91275bc 7634 libs optional libwmf_0.2.8.4-5.diff.gz
 75d9037e673358a080433c646936911f 174188 libs optional libwmf0.2-7_0.2.8.4-5_i386.deb
 bd25e2b3bbd979f62ef6d339b2452059 16890 graphics optional libwmf-bin_0.2.8.4-5_i386.deb
 fdddbfcdbd6fd4974059eacf4aba1171 193138 libdevel optional libwmf-dev_0.2.8.4-5_i386.deb
 13ed0bf94ce4a76e0b08d27d51eb6159 271704 doc optional libwmf-doc_0.2.8.4-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGAQFi4VUX8isJIMARAiIRAJwNJzqTyQCjt+DnXAo1Y5pl7EdpYACfZ54f
cwXczaGBbtr8uu0k0cZsDXQ=
=XrH9
-----END PGP SIGNATURE-----


--- End Message ---