Your message dated Tue, 17 Mar 2009 10:44:09 +0100
with message-id <[email protected]>
and subject line Re: Bug#520046: glib2.0: CVE-2008-4316 large string
vulnerability
has caused the Debian Bug report #520046,
regarding glib2.0: CVE-2008-4316 large string vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520046
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: glib2.0
severity: grave
tags: security

it has been found that libsoup is vulnerable to an integer overflow
attack, see CVE-2008-4316 [1]. details are:

Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
context-dependent attackers to execute arbitrary code via a long
string that is converted either (1) from or (2) to a base64
representation.

since this potentially allows remote attackers to execute arbitrary
code, it should be treated with high urgency.

this was just fixed in ubuntu, so it may be possible to adopt their
patch [2].

note that bug #520039 in libsoup is related (an exact code copy).

if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog. please contact the security team to coordinate
a fix for stable and/or if you have any questions.

regards,
mike

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
[2] http://www.ubuntu.com/usn/USN-738-1
--- End Message ---
--- Begin Message ---
Version: 2.20.0-1
On Monday, 16.03.2009, at 21:02 -0400, Michael Gilbert wrote:
> package: glib2.0
> severity: grave
> tags: security
>
> it has been found that libsoup is vulnerable to an integer overflow
> attack, see CVE-2008-4316 [1]. details are:
>
> Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
> context-dependent attackers to execute arbitrary code via a long
> string that is converted either (1) from or (2) to a base64
> representation.
So this is already fixed in unstable with glib 2.20.0, actually this was
the reason why I updated it ASAP. Now only an update for stable is
necessary, right?
The upstream fix is
http://svn.gnome.org/viewvc/glib?view=revision&revision=7973 btw...
signature.asc
Description: This is a digitally signed message part
--- End Message ---
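
The bug class named in the report (an integer overflow while sizing a base64 output buffer for a long string) is illustrated below. This is an added example, not code from GLib, libsoup or the upstream fix; the function names are hypothetical, and sizes are fixed at 32 bits as an assumption so the wraparound is reproducible on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only: hypothetical helpers, not GLib's gbase64.c. */

/* Multiply-first sizing: len * 4 wraps modulo 2^32 for len > UINT32_MAX / 4,
 * so a huge input yields a tiny buffer size. */
uint32_t b64_encoded_size_naive(uint32_t len) {
    return (uint32_t)(len * 4u) / 3u + 4u;
}

/* Checked sizing: 4 bytes per started 3-byte group plus a NUL terminator.
 * Dividing first keeps the intermediate small; the bound check rejects
 * inputs whose encoded size cannot be represented at all. */
bool b64_encoded_size_checked(uint32_t len, uint32_t *out) {
    uint32_t groups = len / 3u + (len % 3u != 0);
    if (groups > (UINT32_MAX - 1u) / 4u)
        return false;               /* caller must refuse the input */
    *out = groups * 4u + 1u;
    return true;
}

/* Decoding has the mirror-image problem: len * 3 wraps for long input. */
uint32_t b64_decoded_size_naive(uint32_t len) {
    return (uint32_t)(len * 3u) / 4u;
}

/* Divide-first upper bound: 3 bytes per started 4-character group.
 * The result is at most 3 * 2^30, so it cannot wrap in 32 bits. */
uint32_t b64_decoded_size_safe(uint32_t len) {
    return (len / 4u + (len % 4u != 0)) * 3u;
}

int main(void) {
    uint32_t len = 0x40000001u;     /* constructed: just over 1 GiB of input */
    uint32_t need = 0;
    printf("naive encode size:   %u\n", (unsigned)b64_encoded_size_naive(len));
    if (b64_encoded_size_checked(len, &need))
        printf("checked encode size: %u\n", (unsigned)need);
    if (!b64_encoded_size_checked(UINT32_MAX, &need))
        printf("UINT32_MAX input rejected\n");
    printf("naive decode size:   %u\n", (unsigned)b64_decoded_size_naive(0x55555558u));
    printf("safe decode size:    %u\n", (unsigned)b64_decoded_size_safe(0x55555558u));
    return 0;
}
```

A buffer allocated from the naive result and then filled by an encoder or decoder that walks the full input is written far past its end, which is why the report rates the issue as potential code execution.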