On Monday, 4 April 2005 15:38, you wrote:
> Hendrik Sattler wrote:
> > > > >FWIW: This is not present in the version in Debian stable/woody
> > > > > which uses version 0.9.2. Thanks for spotting this problem anyway.
> > >
> > > I have to make one more comment, since there are rumours about a freeze
> > > of Debian. If there is a freeze, and testing-security is working and
> > > obexftp is still vulnerable, I'll have to release an advisory. *sigh*
> > >
> > > However, most probably the maintainer is faster than the other
> > > conditions.
[...]
> This makes me think that the above is an off-by-one overflow, hence, I
> suggest to exchange the first 256 with 256+1 or the last two with 255.

done

> > However, upstream, the bug submitter and I agree that the bug is only
> > exploitable in rather strange usages of obexftp (you'd have to hack the
> > firmware of a remote bluetooth or irda device and it must actively be
> > accessed).
>
> I see, rather unlikely, and you'd also need to have physical access
> which would also mean a lot of other means to exploit the machine
> (except for bankomats or something...)
>
> > Oh yes, the purpose of this mail:
> > urgency=medium or urgency=high?
> > Or asked differently: what's needed to make sure it gets into Sarge?
>
> Medium should be ok. Make an upload and I'll talk to #debian-release
> (or you drop them a mail or note).

I'll do it with a CC: in this mail.

You can find the updated Debian packages at
http://www.stud.uni-karlsruhe.de/~ubq7/debian/

More specifically:
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.diff.gz
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.dsc
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.changes
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.deb
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7.orig.tar.gz

Either one of you can probably upload it to incoming (AFAIK, katie would
reject it if done by me).
Thanks

Hendrik

--
My GPG key is available on my homepage: http://www.hendrik-sattler.de
or via pgp.net
PingoS - Linux users helping schools: http://www.pingos.org
Attachment:
pgpc_Ub9H6VFH.pgp
Description: PGP signature
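The two alternative fixes named in the quoted reply ("exchange the first 256 with 256+1 or the last two with 255") describe one well-known off-by-one shape: a 256-byte buffer filled with a bounded copy of 256 bytes and then NUL-terminated at index 256. The example below is added here to illustrate that pattern and both fixes; it is not obexftp's code, and the buffer name, function names and the 300-byte sample input are assumptions for the illustration, since the actual source is not quoted in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256   /* the "first 256": the declared buffer size */

/*
 * Assumed shape of the bug (the real obexftp source is not on the page):
 *
 *     char buf[256];
 *     strncpy(buf, src, 256);   // may fill all 256 bytes without a NUL
 *     buf[256] = '\0';          // one byte past the end of buf
 *
 * strncpy() does not terminate when src is >= n bytes, so the explicit
 * terminator is needed, and with n equal to the buffer size it lands at
 * index n: the classic off-by-one.
 */

/* Fix 1: "exchange the first 256 with 256+1". The buffer grows to 257 bytes,
 * so the terminator at index 256 is in bounds. Returns the stored length. */
size_t copy_name_fix1(char dst[NAME_LEN + 1], const char *src)
{
    strncpy(dst, src, NAME_LEN);
    dst[NAME_LEN] = '\0';
    return strlen(dst);
}

/* Fix 2: "exchange the last two with 255". The buffer stays 256 bytes; the
 * copy length and the terminator index both shrink by one. */
size_t copy_name_fix2(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
    return strlen(dst);
}

/* Audit rule for the pattern "strncpy(buf, src, n); buf[n] = 0;":
 * the terminator write is in bounds only when n < sizeof buf. */
int terminator_in_bounds(size_t buf_size, size_t copy_len)
{
    return copy_len < buf_size;
}

/* Constructed input (not from the thread): a 300-byte name, longer than the
 * buffer, as a modified remote Bluetooth/IrDA device could present it. */
static void make_long_name(char *out, size_t out_size)
{
    memset(out, 'A', out_size - 1);
    out[out_size - 1] = '\0';
}

size_t demo_fix1(void)
{
    char src[300], dst[NAME_LEN + 1];
    make_long_name(src, sizeof src);
    return copy_name_fix1(dst, src);   /* 256: full buffer used, NUL at index 256 */
}

size_t demo_fix2(void)
{
    char src[300], dst[NAME_LEN];
    make_long_name(src, sizeof src);
    return copy_name_fix2(dst, src);   /* 255: one byte shorter, NUL at index 255 */
}

int main(void)
{
    printf("original  buf[256], n=256: terminator in bounds? %d\n",
           terminator_in_bounds(NAME_LEN, NAME_LEN));
    printf("fix 1     buf[257], n=256: terminator in bounds? %d\n",
           terminator_in_bounds(NAME_LEN + 1, NAME_LEN));
    printf("fix 2     buf[256], n=255: terminator in bounds? %d\n",
           terminator_in_bounds(NAME_LEN, NAME_LEN - 1));
    printf("fix 1 stores %zu bytes, fix 2 stores %zu bytes of a 299-byte name\n",
           demo_fix1(), demo_fix2());
    return 0;
}
```

Both fixes are equivalent from a memory-safety standpoint; the difference is whether the caller gets 256 or 255 bytes of the remote name. When reviewing a patch of this kind, check every site that writes `buf[n]` against `sizeof buf`, not just the one the bug report pointed at, since the same `n` constant is usually reused.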