Your message dated Tue, 18 May 2010 23:33:08 +0900
with message-id <20100518143308.GY28492@gamma.logic.tuwien.ac.at>
and subject line Re: Bug#582116: texlive-bin: CVE-2010-0829 multiple array index errors
has caused the Debian Bug report #582116,
regarding texlive-bin: CVE-2010-0829 multiple array index errors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
582116: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582116
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: texlive-bin: CVE-2010-0829 multiple array index errors
- From: Sebastien Delafond <seb@debian.org>
- Date: Tue, 18 May 2010 15:49:36 +0200
- Message-id: <20100518134936.GM5326@frisco.mine.nu>
Source: texlive-bin
Severity: grave
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for texlive-bin:

CVE-2010-0829[0]:
| Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
| teTeX, allow remote attackers to cause a denial of service
| (application crash) or possibly execute arbitrary code via a malformed
| DVI file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829
    http://security-tracker.debian.net/tracker/CVE-2010-0829

Cheers,

--Seb
--- End Message ---
--- Begin Message ---
- To: Sebastien Delafond <seb@debian.org>, 582116-done@bugs.debian.org
- Subject: Re: Bug#582116: texlive-bin: CVE-2010-0829 multiple array index errors
- From: Norbert Preining <preining@logic.at>
- Date: Tue, 18 May 2010 23:33:08 +0900
- Message-id: <20100518143308.GY28492@gamma.logic.tuwien.ac.at>
- In-reply-to: <20100518134936.GM5326@frisco.mine.nu>
- References: <20100518134936.GM5326@frisco.mine.nu>
On Di, 18 Mai 2010, Sebastien Delafond wrote:
> CVE-2010-0829[0]:
> | Multiple array index errors in set.c in dvipng 1.11 and 1.12, and
> | teTeX, allow remote attackers to cause a denial of service
> | (application crash) or possibly execute arbitrary code via a malformed
> | DVI file.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

And could you *PLEASE* verify *before* submitting a grave bug that
this actually applies to the package?????????????????????????????

Ever tried a simple incantation like
	dlocate dvipng
????

texlive (upstream) does ship dvipng, but in Debian we do NOT ship
dvipng, this has its separate package.

So as long as you have more convincing arguments but the
	"... and teTeX ..."
I am closing this bug.

Thanks for putting rubbish check work onto me.

> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0829

Nothing there mentions TeX Live

Furthermore, the page
	http://security-tracker.debian.org/tracker/CVE-2010-0829
is also rubbish: It mentions:

texlive-bin (PTS)
	etch            2005.dfsg.2-12          vulnerable
	etch-backports  2007.dfsg.2-3~bpo40+1   vulnerable
	lenny           2007.dfsg.2-4+lenny2    vulnerable
	squeeze, sid    2009-6                  vulnerable

But nobody explains what there is vulnerable.... arggggg.....

Have a nice day

Norbert

------------------------------------------------------------------------
Norbert Preining            preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan                                 TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
TIMBLE (vb.)
(Of small nasty children.) To fail over very gently, look
around to see who's about, and then yell blue murder.
			--- Douglas Adams, The Meaning of Liff
--- End Message ---