
Re: mpfr stable update for CVE-2009-0757



Hello,

* Nico Golde [Sun, Apr 26, 2009 at 06:30:39PM +0200]:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mpfr some time ago.
> 
> CVE-2009-0757[0]:
> | Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent
> | attackers to cause a denial of service (crash) via the (1)
> | mpfr_snprintf and (2) mpfr_vsnprintf functions.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via a regular security update in Debian stable. It does
> not warrant a DSA.

Thank you for pointing out this problem. It seems however that the
buggy functions were not yet available in the lenny version
(2.3.1), and are already fixed in the testing/unstable version (2.4.1).

Laurent.

