Re: [SECURITY] [DSA 1620-1] New python2.5 packages fix several vulnerabilities

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1620-1] New python2.5 packages fix several vulnerabilities
From: Kees Cook <kees@ubuntu.com>
Date: Tue, 29 Jul 2008 16:11:46 -0700
Message-id: <20080729231146.GR13484@outflux.net>
In-reply-to: <20080727131322.GA4221@galadriel.inutil.org>
References: <20080727131322.GA4221@galadriel.inutil.org>

On Sun, Jul 27, 2008 at 03:13:22PM +0200, Moritz Muehlenhoff wrote:
> CVE-2007-4965
> 
>     It was discovered that several integer overflows in the imageop
>     module may lead to the execution of arbitrary code, if a user is
>     tricked into processing malformed images. This issue is also
>     tracked as CVE-2008-1679 due to an initially incomplete patch.
> 
> For the stable distribution (etch), these problems have been fixed in
> version 2.5-5+etch1.
> 
> For the unstable distribution (sid), these problems have been fixed in
> version 2.5.2-3.

I wanted to check on this pair of CVEs.  In 2.5.2-3, there is a distinct
patch for CVE-2008-1679. 2.5-5+etch1 and 2.5.2-3 have identical patches
for CVE-2007-4965.  This would seem to imply that 2.5-5+etch1 has the
same "incomplete" patch for CVE-2007-4965, and still needs the fixes
for CVE-2008-1679.  Am I misunderstanding something?

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team

Reply to:

Prev by Date: Re: Bug#492806: libavformat52: does not handle STR file demuxing (CVE-2008-3162)
Next by Date: Tinydns - cache poisoning?
Previous by thread: Re: Bug#492806: libavformat52: does not handle STR file demuxing (CVE-2008-3162)
Next by thread: Tinydns - cache poisoning?
Index(es):
- Date
- Thread