
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)



Your message dated Sat, 24 Sep 2016 20:14:15 +0000
with message-id <E1bntKx-0003fP-LR@franck.debian.org>
and subject line Bug#838248: fixed in unadf 0.7.11a-4
has caused the Debian Bug report #838248,
regarding unadf: CVE-2016-1243 and CVE-2016-1244
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting the pathname
lengths of archived files.
CVE-2016-1244[1]: execution of unsanitized input.

The patch is available here: 
  http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244

--- End Message ---
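The two issues reported above are a fixed-size stack buffer fed an archive-controlled pathname and a directory created by passing that pathname to a shell (the linked patch title says "using mkdir instead of shell"). The following is an added example, not unadf's code nor the linked patch, showing the hardened shape of such an extraction routine: length and component checks before the path touches a buffer, and mkdir(2) instead of a shell command. Function names and the buffer size are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumed buffer size for a full extraction path (hypothetical constant). */
#define EXTRACT_PATH_MAX 4096

/* Validate an archive-supplied path before it is used for extraction.
 * Returns 0 if acceptable, -1 otherwise.
 *  - the length must fit the caller's buffer (the overflow class of CVE-2016-1243),
 *  - no absolute path and no ".." component, so extraction stays under dest.
 * Shell metacharacters are deliberately NOT special-cased: the directory is
 * created with mkdir(2), so they are never interpreted (the fix class of
 * CVE-2016-1244). */
int validate_archived_path(const char *path, size_t bufsize) {
    size_t len = strlen(path);
    if (len == 0 || len >= bufsize) return -1;
    if (path[0] == '/') return -1;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, '/');
        size_t clen = sep ? (size_t)(sep - p) : strlen(p);
        if (clen == 2 && p[0] == '.' && p[1] == '.') return -1;
        if (!sep) break;
        p = sep + 1;
    }
    return 0;
}

/* Create every directory component of "dest/path" with mkdir(2), never via a
 * shell. Returns 0 on success, -1 on error with errno set. */
int mkdir_p_safe(const char *dest, const char *path) {
    char full[EXTRACT_PATH_MAX];
    if (validate_archived_path(path, sizeof full) != 0) { errno = EINVAL; return -1; }
    int n = snprintf(full, sizeof full, "%s/%s", dest, path);
    if (n < 0 || (size_t)n >= sizeof full) { errno = ENAMETOOLONG; return -1; }
    /* Walk only the archive-supplied part, creating each intermediate directory. */
    for (char *q = full + strlen(dest) + 1; *q; q++) {
        if (*q != '/') continue;
        *q = '\0';
        if (mkdir(full, 0755) != 0 && errno != EEXIST) return -1;
        *q = '/';
    }
    if (mkdir(full, 0755) != 0 && errno != EEXIST) return -1;
    return 0;
}
```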
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-4

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Sep 2016 11:43:06 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
 unadf      - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-4) unstable; urgency=high
 .
   * Orphan package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting the
     pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
   * Standards-Version: 3.9.8


--- End Message ---
