
obexftp-0.10.7-3 debian package security release (was: obexftp client overflows ?)



On Monday, 4 April 2005 15:38, you wrote:
> Hendrik Sattler wrote:
> > > > >FWIW: This is not present in the version in Debian stable/woody
> > > > > which uses version 0.9.2.  Thanks for spotting this problem anyway.
> > >
> > > I have to make one more comment, since there are rumours about a freeze
> > > of Debian.  If there is a freeze, and testing-security is working and
> > > obexftp is still vulnerable, I'll have to release an advisory.  *sigh*
> > >
> > > However, most probably the maintainer is faster than the other
> > > conditions.
[...]
> This makes me think that the above is an off-by-one overflow, hence I
> suggest exchanging the first 256 with 256+1 or the last two with 255.

done

> > However, upstream, the bug submitter and I agree that the bug is only
> > exploitable in rather strange usages of obexftp (you'd have to hack the
> > firmware of a remote Bluetooth or IrDA device, and it must actively be
> > accessed).
>
> I see, rather unlikely, and you'd also need physical access, which
> would also mean a lot of other means to exploit the machine
> (except for bankomats or something...)
>
> > Oh yes, the purpose of this mail:
> > urgency=medium or urgency=high?
> > Or questioned differently: what's needed to make sure it gets to Sarge?
>
> Medium should be ok.  Make an upload and I'll talk to #debian-release
> (or you drop them a mail or note).

I am doing it with a CC: in this mail.
You can find the updated Debian packages at
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/
more specific:
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.diff.gz
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.dsc
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.changes
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.deb
  http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7.orig.tar.gz

Either one of you can probably upload it to incoming (AFAIK, katie would
reject it if I did it myself).

Thanks

Hendrik

-- 
My GPG key is available on my homepage: http://www.hendrik-sattler.de
        or via pgp.net

PingoS - Linux users help schools: http://www.pingos.org
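The off-by-one pattern the quoted exchange is about (a 256-byte buffer whose NUL terminator is written at index 256 when the input fills it), as an added C illustration that is not obexftp's code and not from this thread. The obexftp source itself is not on this page; the routine names, the NAME_BUF size and the all-'A' input are constructed for the example. It shows both remedies named above: clamping the copy to 255 ("the last two with 255") in copy_name_fixed, and, in the harness, backing the buffer with one extra byte ("256+1") so the one-byte overrun can be observed as a clobbered canary rather than as undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination buffer, standing in for the "256" in the
 * thread.  This is a constructed illustration of the bug class, not obexftp
 * source. */
#define NAME_BUF 256
#define CANARY   0xA5

/* Vulnerable pattern: copy up to NAME_BUF bytes of a length-prefixed field
 * (think of a name header received from a remote OBEX device), then
 * NUL-terminate at dst[n].  When len >= NAME_BUF, n == 256 and the terminator
 * is written to dst[256]: one byte past a 256-byte buffer. */
static void copy_name_off_by_one(char *dst, const unsigned char *src, size_t len)
{
    size_t n = len > NAME_BUF ? NAME_BUF : len;   /* clamp is off by one */
    memcpy(dst, src, n);
    dst[n] = '\0';                                /* dst[256] when n == 256 */
}

/* Fixed pattern ("exchange the last two with 255"): clamp the copy to
 * NAME_BUF - 1 so the terminator always stays inside the buffer. */
static void copy_name_fixed(char *dst, const unsigned char *src, size_t len)
{
    size_t n = len > (size_t)NAME_BUF - 1 ? (size_t)NAME_BUF - 1 : len;
    memcpy(dst, src, n);
    dst[n] = '\0';                                /* at most dst[255] */
}

/* Harness: the destination is backed by NAME_BUF + 1 bytes (the other fix
 * from the thread, "256+1"), with a canary in the extra slot.  A routine that
 * writes dst[256] clobbers the canary, so the overrun is observable without
 * undefined behaviour.  Returns 1 if the canary was overwritten. */
static int overflowed(void (*copy)(char *, const unsigned char *, size_t), size_t len)
{
    unsigned char backing[NAME_BUF + 1];
    unsigned char src[NAME_BUF + 64];             /* constructed input, all 'A' */

    memset(src, 'A', sizeof src);
    if (len > sizeof src)
        len = sizeof src;
    memset(backing, 0, sizeof backing);
    backing[NAME_BUF] = CANARY;
    copy((char *)backing, src, len);
    return backing[NAME_BUF] != CANARY;
}

/* Length of the string the fixed routine leaves in a real 256-byte buffer:
 * input longer than 255 bytes is truncated, never overrun. */
static size_t fixed_result_len(size_t len)
{
    char dst[NAME_BUF];
    unsigned char src[NAME_BUF + 64];

    memset(src, 'A', sizeof src);
    if (len > sizeof src)
        len = sizeof src;
    copy_name_fixed(dst, src, len);
    return strlen(dst);
}

int main(void)
{
    size_t lens[] = { 10, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%3zu  off-by-one overflow: %d  fixed overflow: %d  fixed strlen: %zu\n",
               lens[i],
               overflowed(copy_name_off_by_one, lens[i]),
               overflowed(copy_name_fixed, lens[i]),
               fixed_result_len(lens[i]));
    return 0;
}
```

The vulnerable routine is safe for every input up to 255 bytes and only misbehaves at exactly the boundary, which is why such bugs survive casual testing; in the obexftp case the length comes from the remote device, which is the "hacked firmware" precondition the thread describes.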

Attachment: pgpHawjgDX5Kx.pgp
Description: PGP signature

