[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#769164: marked as done (unblock: file/1:5.20-2)

Your message dated Tue, 11 Nov 2014 20:47:56 +0000
with message-id <20141111204756.GE21455@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#769164: unblock: file/1:5.20-2
has caused the Debian Bug report #769164,
regarding unblock: file/1:5.20-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
769164: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769164
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package file.

 * Fixes a security issue, urgency set to high
 * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
   Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
   Closes: #768806

unblock file/1:5.20-2


Thanks,
Thijs

diff -Nru file-5.20/debian/changelog file-5.20/debian/changelog
--- file-5.20/debian/changelog	2014-10-19 15:07:48.000000000 +0200
+++ file-5.20/debian/changelog	2014-11-09 17:53:20.000000000 +0100
@@ -1,3 +1,12 @@
+file (1:5.20-2) unstable; urgency=high
+
+  * Fixes a security issue, urgency set to high
+  * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
+    Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
+    Closes: #768806
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Sun, 09 Nov 2014 14:46:05 +0100
+
 file (1:5.20-1) unstable; urgency=low
 
   * New upstream version 5.20. Addresses:
diff -Nru file-5.20/debian/patches/CVE-2014-3710.patch file-5.20/debian/patches/CVE-2014-3710.patch
--- file-5.20/debian/patches/CVE-2014-3710.patch	1970-01-01 01:00:00.000000000 +0100
+++ file-5.20/debian/patches/CVE-2014-3710.patch	2014-11-09 15:20:57.000000000 +0100
@@ -0,0 +1,24 @@
+Subject: Fix note bounds reading, Francisco Alonso / Red Hat
+ID: CVE-2014-3710
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Oct 17 15:49:00 2014 +0000
+Origin:
+    commit 39c7ac1106be844a5296d3eb5971946cc09ffda0
+Last-Update: 2014-11-09
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -477,6 +477,13 @@
+ 	uint32_t namesz, descsz;
+ 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
+ 
++	if (xnh_sizeof + offset > size) {
++		/*
++		 * We're out of note headers.
++		 */
++		return xnh_sizeof + offset;
++	}
++
+ 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ 	offset += xnh_sizeof;
+ 
diff -Nru file-5.20/debian/patches/series file-5.20/debian/patches/series
--- file-5.20/debian/patches/series	2014-10-19 12:06:17.000000000 +0200
+++ file-5.20/debian/patches/series	2014-11-09 15:14:12.000000000 +0100
@@ -9,3 +9,4 @@
 0010-mdadm.patch
 0011-btrfs.patch
 0012-lxt.patch
+CVE-2014-3710.patch

--- End Message ---
--- Begin Message --- 
On Tue, Nov 11, 2014 at 09:28:29PM +0100, Thijs Kinkhorst wrote:
> Please unblock package file.
> 
>  * Fixes a security issue, urgency set to high
>  * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
>    Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
>    Closes: #768806

Unblocked, thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature


--- End Message ---
Reply to: