Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)



Your message dated Mon, 03 Oct 2016 22:03:46 +0000
with message-id <E1brBKs-0007fF-D1@franck.debian.org>
and subject line Bug#838248: fixed in unadf 0.7.11a-3+deb8u1
has caused the Debian Bug report #838248,
regarding unadf: CVE-2016-1243 and CVE-2016-1244
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting the pathname
lengths of archived files.
CVE-2016-1244[1]: execution of unsanitized input

The patch is available here: 
  http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244

--- End Message ---
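The two bug classes named in the report, shown side by side as a generic archive-extraction pattern. This is an added example and is not unadf's source or the linked patch: the entry names, the PATH_BUF size and all function names are constructed for illustration. The unsafe variant trusts the archive-supplied name's length (the CVE-2016-1243 class) and pastes it unquoted into a command line for system() (the CVE-2016-1244 class); the hardened variant rejects names that do not fit and creates directories with mkdir(2), so the name never reaches a shell.

```c
/* Added example (not unadf's code): an archive entry supplies a pathname;
 * the extractor joins it to the destination directory and creates the
 * parent directories. Names, buffer size and helpers are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PATH_BUF 256   /* assumed fixed-size path buffer */

/* Vulnerable pattern. Never call this with names from an untrusted archive:
 * a name longer than the buffer overruns the stack, and because the joined
 * path is pasted unquoted into a command line, a name such as
 * "sub;touch owned" makes /bin/sh run "touch owned". */
static int extract_dir_unsafe(const char *dest, const char *entry_name)
{
    char path[PATH_BUF];
    char cmd[PATH_BUF + 16];

    strcpy(path, dest);            /* no length check on dest ...          */
    strcat(path, "/");
    strcat(path, entry_name);      /* ... or on the archive-supplied name  */
    sprintf(cmd, "mkdir -p %s", path);
    return system(cmd);            /* the shell interprets the name        */
}

/* Hardened pattern, part 1: bounded formatting that rejects, rather than
 * silently truncates, a path that would not fit. Returns 0 on success and
 * -1 when dest + "/" + entry_name needs outlen bytes or more. */
static int build_dest_path(char *out, size_t outlen,
                           const char *dest, const char *entry_name)
{
    int n = snprintf(out, outlen, "%s/%s", dest, entry_name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Hardened pattern, part 2: create every component of path with mkdir(2),
 * the way `mkdir -p` would, so no shell ever sees the name. An existing
 * directory is fine; any other failure returns -1 with errno set. */
static int mkdir_p(char *path, mode_t mode)
{
    for (char *p = path + 1; *p != '\0'; p++) {
        if (*p != '/')
            continue;
        *p = '\0';
        if (mkdir(path, mode) != 0 && errno != EEXIST) {
            *p = '/';
            return -1;
        }
        *p = '/';
    }
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

/* Returns 0 on success, -1 for an overlong name (nothing is touched on
 * disk), -2 if a directory could not be created. */
static int extract_dir_safe(const char *dest, const char *entry_name)
{
    char path[PATH_BUF];

    if (build_dest_path(path, sizeof path, dest, entry_name) != 0)
        return -1;
    if (mkdir_p(path, 0755) != 0)
        return -2;
    return 0;
}

/* Inspection helpers so the outcome can be checked without a shell. */
static int path_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

static int is_directory(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Constructed inputs: a scratch buffer and a name longer than PATH_BUF. */
static char path_out[PATH_BUF];
static char long_name[PATH_BUF + 8];

static const char *make_long_name(void)
{
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return long_name;
}

int main(void)
{
    /* A name carrying a shell metacharacter is created literally. */
    int rc = extract_dir_safe("./unadf_example_out", "sub;touch owned");
    printf("safe extract: rc=%d literal_dir=%d owned_file=%d\n", rc,
           is_directory("./unadf_example_out/sub;touch owned"),
           path_exists("./owned"));
    /* An overlong name is refused before anything is written. */
    printf("overlong name: rc=%d\n", extract_dir_safe(".", make_long_name()));
    build_dest_path(path_out, sizeof path_out, "out", "a/b");
    printf("joined path: %s\n", path_out);
    /* The unsafe variant with a benign name, for comparison only. */
    printf("unsafe extract (benign name): rc=%d\n",
           extract_dir_unsafe("./unadf_example_out", "benign"));
    return 0;
}
```

Note that the hardened form only addresses the two classes in the report (buffer length and shell interpretation); checking archive names for ".." components or absolute paths is a separate concern that this example does not cover.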
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Sep 2016 23:11:18 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-3+deb8u1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
 unadf      - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-3+deb8u1) stable-security; urgency=high
 .
   * Orphaned package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting the
     pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
Checksums-Sha1:
 a9833a042a8124bfdbe6c305b79b63a419258c96 1723 unadf_0.7.11a-3+deb8u1.dsc
 63c05f97302ff67f5d7ff2d9e33f9a66196f9578 209458 unadf_0.7.11a.orig.tar.gz
 d7a189f0824ddc05cbe13dde8ba7280bc0c2ae91 19368 unadf_0.7.11a-3+deb8u1.debian.tar.xz
 330193a8f503a1666a6294c0bec3c52b298c8f7e 111122 unadf_0.7.11a-3+deb8u1_amd64.deb
Checksums-Sha256:
 cdf0531de6b73dfe4ab7f4d9a0886ae4b2565d4f5f5a48fb1db3bf0953c1319b 1723 unadf_0.7.11a-3+deb8u1.dsc
 fa9e0e34b1b0f4f4287905a3d485e3bba498451af98d6c12be87ab3a2b436471 209458 unadf_0.7.11a.orig.tar.gz
 6aa90a89df12f712098d62213eb35c2d4195bfbea389af4936d8a74f6f6b78bc 19368 unadf_0.7.11a-3+deb8u1.debian.tar.xz
 a30718e98459f6c3b2d292cdf67115dba3f77c26b6e5530c1b244daec20d018d 111122 unadf_0.7.11a-3+deb8u1_amd64.deb
Files:
 09671a48add8e2d1998572c1f28fd258 1723 utils optional unadf_0.7.11a-3+deb8u1.dsc
 63c21eeb61e1473d8dd214e0b39cb819 209458 utils optional unadf_0.7.11a.orig.tar.gz
 01bc54dc8cce49609bf509dfd6182ded 19368 utils optional unadf_0.7.11a-3+deb8u1.debian.tar.xz
 388dd0e716d5bb36096a1217609b38dd 111122 utils optional unadf_0.7.11a-3+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
