openmotif oldstable update for CVE-2004-0914, CVE-2005-0605, CVE-2005-3964

To: Debian QA Group <packages@qa.debian.org>
Subject: openmotif oldstable update for CVE-2004-0914, CVE-2005-0605, CVE-2005-3964
From: Nico Golde <nion@debian.org>
Date: Mon, 31 Dec 2007 16:21:42 +0100
Message-id: <[🔎] 20071231152142.GA1619@ngolde.de>
Reply-to: debian-release@lists.debian.org

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openmotif some time ago.

CVE-2004-0914[0]:
| Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in
| XFree86 and other packages, include (1) multiple integer overflows,
| (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell
| metacharacter, (5) endless loops, and (6) memory leaks, which could
| allow remote attackers to obtain sensitive information, cause a denial
| of service (application crash), or execute arbitrary code via a certain
| XPM image file. NOTE: it is highly likely that this candidate will be
| SPLIT into other candidates in the future, per CVE's content
| decisions.

CVE-2005-0605[1]:
| scan.c for LibXPM may allow attackers to execute arbitrary code via a
| negative bitmap_unit value that leads to a buffer overflow.

CVE-2005-3964[2]:
| Multiple buffer overflows in libUil (libUil.so) in OpenMotif 2.2.3,
| and possibly other versions, allows attackers to execute arbitrary
| code via the (1) diag_issue_diagnostic function in UilDiags.c and (2)
| open_source_file function in UilSrcSrc.c.

Unfortunately the vulnerabilities described above are not important enough
to get them fixed via regular security update in Debian oldstable. It does
not warrant a DSA.

However it would be nice if they could get fixed via a regular point update.
Please contact the release time for this.

This is an automatically generated mail, in case you are already working on an
upgrade this is of course pointless.

You can see the status of this vulnerabilities on:
http://security-tracker.debian.net/tracker/CVE-2004-0914
http://security-tracker.debian.net/tracker/CVE-2005-0605
http://security-tracker.debian.net/tracker/CVE-2005-3964

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0914
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0605
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3964

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpBis75eYIEe.pgp
Description: PGP signature

Reply to:

Prev by Date: www.selfbanking.com.ar
Next by Date: www.banking-financial.com
Previous by thread: www.selfbanking.com.ar
Next by thread: www.banking-financial.com
Index(es):
- Date
- Thread