On Monday, 4 April 2005 15:38, you wrote:
> Hendrik Sattler wrote:
> > > > >FWIW: This is not present in the version in Debian stable/woody
> > > > > which uses version 0.9.2. Thanks for spotting this problem anyway.
> > >
> > > I have to make one more comment, since there are rumours about a freeze
> > > of Debian. If there is a freeze, and testing-security is working and
> > > obexftp is still vulnerable, I'll have to release an advisory. *sigh*
> > >
> > > However, most probably the maintainer is faster than the other
> > > conditions.
[...]
> This makes me think that the above is an off-by-one overflow, hence, I
> suggest to exchange the first 256 with 256+1 or the last two with 255.
done
> > However, upstream, the bug submitter and I agree that the bug is only
> > exploitable in rather strange usages of obexftp (you'd have to hack the
> > firmware of a remote bluetooth or irda device and it must actively be
> > accessed).
>
> I see, rather unlikely, and you'd also need to have physical access
> which would also mean a lot of other means to exploit the machine
> (except for bankomats or something...)
>
> > Oh yes, the purpose of this mail:
> > urgency=medium or urgency=high?
> > Or questioned differently: what's needed to make sure it gets to Sarge?
>
> Medium should be ok. Make an upload and I'll talk to #debian-release
> (or you drop them a mail or note).
I do it with a CC: in this mail
You can find the updated Debian packages at
http://www.stud.uni-karlsruhe.de/~ubq7/debian/
more specific:
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.diff.gz
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3.dsc
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.changes
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7-3_i386.deb
http://www.stud.uni-karlsruhe.de/~ubq7/debian/obexftp_0.10.7.orig.tar.gz
Either one of you can probably upload it to incoming (AFAIK, katie would
reject it if done by myself).
Thanks
Hendrik
--
My GPG key is available on my homepage: http://www.hendrik-sattler.de
or via pgp.net
PingoS - Linux users helping schools: http://www.pingos.org
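The thread above describes the obexftp bug as an off-by-one overflow and gives two equivalent fixes: enlarge the 256-byte buffer to 256+1, or tighten the two bound checks to 255. The following is an added illustration of that pattern and is not code from the original mail or from obexftp itself; the function names, the shape of the length check and the 256-byte sentinel probe are all assumptions made for the example. The probe keeps a 257-byte backing store so the one-byte overrun is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed-size buffer, the "first 256" the thread refers to.
 * Constructed example of the off-by-one pattern, not obexftp's own code. */
#define NAME_BUF 256

/* Vulnerable variant (hypothetical): the check admits len == NAME_BUF,
 * then the terminating NUL is written to buf[NAME_BUF], one byte past a
 * 256-byte buffer. Returns 0 after copying, -1 if the length is rejected. */
int copy_name_vuln(char *buf, const char *src, size_t len)
{
    if (len > NAME_BUF)          /* off by one: should reject len == 256 */
        return -1;
    memcpy(buf, src, len);
    buf[len] = '\0';             /* len == 256 -> write to buf[256] */
    return 0;
}

/* Fixed variant, the "last two with 255" option: keep the 256-byte buffer
 * and refuse any length that leaves no room for the NUL terminator. */
int copy_name_fixed(char *buf, const char *src, size_t len)
{
    if (len >= NAME_BUF)         /* equivalently: len > NAME_BUF - 1 */
        return -1;
    memcpy(buf, src, len);
    buf[len] = '\0';             /* len <= 255, so the NUL stays in bounds */
    return 0;
}

/* Probe: a 256-byte region followed by one sentinel byte, so an overrun by
 * exactly one byte shows up as a clobbered sentinel. Returns -1 if the copy
 * was rejected, 1 if the sentinel survived, 0 if it was overwritten. */
int probe(int (*copy)(char *, const char *, size_t), size_t len)
{
    char storage[NAME_BUF + 1];  /* 256-byte "buffer" plus sentinel slot */
    char src[NAME_BUF];

    memset(src, 'A', sizeof src);         /* constructed 256-byte input, no NUL */
    memset(storage, 0, sizeof storage);
    storage[NAME_BUF] = 0x7f;             /* sentinel just past the buffer */

    if (copy(storage, src, len) != 0)
        return -1;
    return storage[NAME_BUF] == 0x7f ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, len=256: %d (0 = sentinel clobbered)\n",
           probe(copy_name_vuln, NAME_BUF));
    printf("fixed,      len=256: %d (-1 = rejected)\n",
           probe(copy_name_fixed, NAME_BUF));
    printf("fixed,      len=255: %d (1 = sentinel intact)\n",
           probe(copy_name_fixed, NAME_BUF - 1));
    return 0;
}
```

The other fix named in the thread, declaring the buffer as `NAME_BUF + 1` bytes and leaving the `len > NAME_BUF` check in place, is equally valid; which one to pick depends on whether a full 256-byte name must remain accepted. In the sentinel probe above that variant is not exercised, because with a 257-byte buffer the NUL at index 256 is a legitimate write.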