On Sun, Oct 03, 2010 at 12:25:11PM +0100, Adam D. Barratt wrote:
> On Fri, 2010-10-01 at 23:53 +0200, Serafeim Zanikolas wrote:
>
> +bogofilter (1.1.7-1+lenny1) stable; urgency=high
> +
> + * Apply patch from Julius Plenz <plenz@cis.fu-berlin.de> to prevent possible
> + heap corruption due to a bug in the base64_decode function (CVE-2010-2494,
> + aka bogofilter-SA-2010-01). Setting urgency=high, but uploading to stable
> + because the issue does not warrant a DSA. closes: #588090.
>
> This looks fine, thanks.
>
> + * Build-Depend on quilt
>
> This, otoh, is not. For a stable update, adding, removing or changing
> patch systems is not appropriate. Please apply the changes directly to
> the source and send us an updated debdiff for final approval.

Sorry about that. interdiff output attached.

Cheers,
Serafeim

diff -u bogofilter-1.1.7/debian/control bogofilter-1.1.7/debian/control
--- bogofilter-1.1.7/debian/control
+++ bogofilter-1.1.7/debian/control
@@ -1,7 +1,7 @@
Source: bogofilter
Section: mail
Priority: optional
-Maintainer: Clint Adams <schizo@debian.org>
+Maintainer: Serafeim Zanikolas <sez@debian.org>
Build-Depends: libdb-dev (>= 4.6.19-1), libgsl0-dev, libsqlite3-dev, libqdbm-dev, libtokyocabinet-dev
Standards-Version: 3.7.3
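Review bot: The Maintainer change in debian/control is unrelated to the CVE-2010-2494 fix and rides along in an upload to stable. It is recorded in the changelog, but since the earlier review already rejected the quilt change as inappropriate for a stable update, it is worth confirming that this field change is acceptable in the same upload. The Build-Depends line shown here carries no quilt entry, which matches that request.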
diff -u bogofilter-1.1.7/debian/changelog bogofilter-1.1.7/debian/changelog
--- bogofilter-1.1.7/debian/changelog
+++ bogofilter-1.1.7/debian/changelog
@@ -1,3 +1,13 @@
+bogofilter (1.1.7-1+lenny1) stable; urgency=high
+
+ * Apply patch from Julius Plenz <plenz@cis.fu-berlin.de> to prevent possible
+ heap corruption due to a bug in the base64_decode function (CVE-2010-2494,
+ aka bogofilter-SA-2010-01). Setting urgency=high, but uploading to stable
+ because the issue does not warrant a DSA. closes: #588090.
+ * Update maintainer field in debian/control.
+
+ -- Serafeim Zanikolas <sez@debian.org> Mon, 20 Sep 2010 08:35:46 +0000
+
bogofilter (1.1.7-1) unstable; urgency=low
* New upstream release.
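Review bot: The first changelog bullet says "Apply patch" without naming the file it touches. Now that the fix is applied directly to the source, naming src/base64.c there would make the stable upload easier to audit against the hunk further down.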
only in patch2:
unchanged:
--- bogofilter-1.1.7.orig/src/base64.c
+++ bogofilter-1.1.7/src/base64.c
@@ -61,8 +61,10 @@
d[i] = c;
v = v >> 8;
}
- d += 3 - shorten;
- count += 3 - shorten;
+ if(shorten != 4) {
+ d += 3 - shorten;
+ count += 3 - shorten;
+ }
}
/* XXX do we need this NUL byte? */
if (word->leng)
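Review bot: The new guard `if(shorten != 4)` uses an unexplained constant and excludes only a single value. With shorten equal to 4, `3 - shorten` is -1, so the removed lines moved d and count backwards; a one-line comment saying that would document why the guard exists. Because `3 - shorten` is negative for any value above 3, a range check such as `shorten <= 3` would state the intent more defensively if larger values are possible. It is also worth confirming that the write loop above (`d[i] = c;`) stores nothing in that case, since its bound is not visible in this hunk.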