
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)



Your message dated Wed, 29 Nov 2023 22:47:14 +0000
with message-id <E1r8TKs-0044O0-B4@fasolo.debian.org>
and subject line Bug#838248: fixed in unadf 0.7.11a-5+deb12u1
has caused the Debian Bug report #838248,
regarding unadf: CVE-2016-1243 and CVE-2016-1244
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting the pathname
lengths of archived files.
CVE-2016-1244[1]: execution of unsanitized input

The patch is available here: 
  http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244

--- End Message ---
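The two bug classes named in the report above, shown as an added illustration that is neither unadf's code nor the linked patch: a bounds-checked path join in place of trusting the archived name's length, and mkdir(2) per path component in place of a shell (the approach the patch title describes). The function names and the sample entry names are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PATH_BUF 512

/* Join "<base>/<name>" into out, using snprintf's return value as the
 * length check. The unsafe pattern this replaces is strcpy()/strcat() of
 * an archive-supplied name into a fixed stack buffer, trusting whatever
 * length the archive declares (the CVE-2016-1243 class of bug). */
int build_entry_path(const char *base, const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outsz)   /* would not fit: refuse the entry */
        return -1;
    return 0;
}

/* Create every directory component of path (everything before the last
 * '/') with mkdir(2), as "mkdir -p" would, but without passing the path
 * through a shell. Bytes such as ';' or '`' in an entry name then stay
 * plain filename bytes instead of becoming shell syntax (the
 * CVE-2016-1244 class of bug). The path is modified temporarily in place. */
int make_parent_dirs(char *path)
{
    if (*path == '\0')
        return -1;
    for (char *p = path + 1; *p; p++) {
        if (*p != '/')
            continue;
        *p = '\0';
        if (mkdir(path, 0755) != 0 && errno != EEXIST) {
            *p = '/';
            return -1;
        }
        *p = '/';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a 16-byte buffer fits one name but not the other. */
    char buf[16];
    const char *names[] = { "docs/a.txt", "a/very/long/entry/name.txt" };
    for (int i = 0; i < 2; i++)
        printf("%-28s -> %s\n", names[i],
               build_entry_path("out", names[i], buf, sizeof buf) == 0 ? "ok" : "rejected");
    return 0;
}
```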
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-5+deb12u1
Done: Moritz Mühlenhoff <jmm@debian.org>

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 24 Nov 2023 18:20:14 +0100
Source: unadf
Architecture: source
Version: 0.7.11a-5+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 838248
Changes:
 unadf (0.7.11a-5+deb12u1) bookworm; urgency=medium
 .
   * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)

--- End Message ---