Your message dated Wed, 21 Mar 2007 10:17:03 +0000
with message-id <E1HTxsN-0002Hd-Cm@ries.debian.org>
and subject line Bug#382511: fixed in libwmf 0.2.8.4-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian BTS Submit <submit@bugs.debian.org>
- Subject: libwmf0.2-7: Multiple vulnerabilities in embedded libgd2 copy
- From: Martin Pitt <martin.pitt@ubuntu.com>
- Date: Fri, 11 Aug 2006 17:03:30 +0200
- Message-id: <20060811150330.GJ5244@piware.de>
Package: libwmf
Version: 0.2.8.4-2
Severity: important
Tags: security patch

Hi!

libwmf contains an ancient (2001!) copy of libgd2, which is vulnerable
against CVE-2004-0941, CVE-2004-0990 (integer overflows which can be
exploited for arbitrary code execution with crafted PNGs) and
CVE-2006-2906 (DoS with crafted GIFs).

I did not verify whether these can be exploited through libwmf,
therefore I did not set this to 'grave'. However, this should be fixed
just to be on the safe side.

Original libgd2 patches:

  http://people.ubuntu.com/patches/libgd2.CVE-2004-0941_0990.diff
  http://people.ubuntu.com/patches/libgd2.CVE-2006-2906.diff

The best solution would be to build against the system libgd2 and
ignore the code copy completely. This avoids code copies (which are
*VERY* *VERY* hard to find), and thus such vulnerabilities, at all.

Thank you for considering,

Martin

--
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Attachment: signature.asc
Description: Digital signature
--- End Message ---
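
Embedded copies such as the libgd2 one reported above can be located by searching a source tree for definitions, rather than calls, of the library's entry points. The Python scanner below is an added example, not part of the original report or of libwmf; the symbol list, the regular expression and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# libgd's PNG/GIF loader entry points. A *definition* of one of these inside
# another project's tree means libgd source was copied in, not just linked.
GD_SYMBOLS = ("gdImageCreateFromPngCtx", "gdImageCreateFromPng",
              "gdImageCreateFromGifCtx", "gdImageCreateFromGif")

# name ( params without nested parens ) {  -> a definition.
# A call is followed by ';' or ')' instead of '{', so it does not match.
DEFINITION = re.compile(r"\b(%s)\s*\([^;{}()]*\)\s*\{" % "|".join(GD_SYMBOLS))


def find_embedded_copies(root):
    """Map relative path -> sorted libgd symbols defined in that C file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".c", ".h")):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 never fails to decode; old sources are not always UTF-8
            with open(path, encoding="latin-1") as fh:
                found = {m.group(1) for m in DEFINITION.finditer(fh.read())}
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = sorted(found)
    return hits


def demo():
    """Scan a constructed two-file tree: one caller, one vendored copy."""
    tree = {
        "src/convert.c":  # constructed: only calls libgd
            "#include <gd.h>\nvoid f(FILE *fp)\n{\n"
            "  gdImagePtr im = gdImageCreateFromPng(fp);\n"
            "  if ((im = gdImageCreateFromGif(fp))) { }\n}\n",
        "vendor/gd/gd_png.c":  # constructed: defines the loaders itself
            "gdImagePtr\ngdImageCreateFromPng (FILE * inFile)\n{\n"
            "  return gdImageCreateFromPngCtx (0);\n}\n"
            "gdImagePtr\ngdImageCreateFromPngCtx (gdIOCtx * infile)\n{\n"
            "  return 0;\n}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return find_embedded_copies(root)
```

Any path it reports outside the libgd source package itself is a candidate code copy that needs the same security patches as the system library.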
--- Begin Message ---
- To: 382511-close@bugs.debian.org
- Subject: Bug#382511: fixed in libwmf 0.2.8.4-5
- From: Loic Minier <lool@dooz.org>
- Date: Wed, 21 Mar 2007 10:17:03 +0000
- Message-id: <E1HTxsN-0002Hd-Cm@ries.debian.org>
Source: libwmf
Source-Version: 0.2.8.4-5

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive:

libwmf-bin_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf-bin_0.2.8.4-5_i386.deb
libwmf-dev_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf-dev_0.2.8.4-5_i386.deb
libwmf-doc_0.2.8.4-5_all.deb
  to pool/main/libw/libwmf/libwmf-doc_0.2.8.4-5_all.deb
libwmf0.2-7_0.2.8.4-5_i386.deb
  to pool/main/libw/libwmf/libwmf0.2-7_0.2.8.4-5_i386.deb
libwmf_0.2.8.4-5.diff.gz
  to pool/main/libw/libwmf/libwmf_0.2.8.4-5.diff.gz
libwmf_0.2.8.4-5.dsc
  to pool/main/libw/libwmf/libwmf_0.2.8.4-5.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 382511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool@dooz.org> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Wed, 21 Mar 2007 10:51:18 +0100
Source: libwmf
Binary: libwmf-dev libwmf-bin libwmf-doc libwmf0.2-7
Architecture: source all i386
Version: 0.2.8.4-5
Distribution: experimental
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Loic Minier <lool@dooz.org>
Description:
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 382511
Changes:
 libwmf (0.2.8.4-5) experimental; urgency=low
 .
   * Convert the package to the new Gtk modules handling; closes: #382511.
     - Bump up the libgtk2.0-dev build-dep to >= 2.10.1-1.
     - Call dh_gtkmodules with an appropriate LD_LIBRARY_PATH.
     - Drop debian/postinst and debian/postrm.
--- End Message ---