Your message dated Sun, 13 Dec 2009 22:53:09 +0000
with message-id <[email protected]>
and subject line Bug#560917: fixed in wxwidgets2.8 2.8.10.1-2
has caused the Debian Bug report #560917,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
560917: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560917
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: wxwidgets2.8
severity: serious
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat. I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c. However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.
CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.
CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.
These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected. This is a low-severity security
issue, so DSAs will not be issued to correct these problems. However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases. If you plan to do this,
please open new bugs and include the security tag so we are aware that
you are working on that.
For further information see [0],[1],[2],[3]. In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch
--- End Message ---
--- Begin Message ---
Source: wxwidgets2.8
Source-Version: 2.8.10.1-2
We believe that the bug you reported is fixed in the latest version of
wxwidgets2.8, which is due to be installed in the Debian FTP archive:
libwxbase2.8-0_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxbase2.8-0_2.8.10.1-2_i386.deb
libwxbase2.8-dbg_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxbase2.8-dbg_2.8.10.1-2_i386.deb
libwxbase2.8-dev_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxbase2.8-dev_2.8.10.1-2_i386.deb
libwxgtk2.8-0_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxgtk2.8-0_2.8.10.1-2_i386.deb
libwxgtk2.8-dbg_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxgtk2.8-dbg_2.8.10.1-2_i386.deb
libwxgtk2.8-dev_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/libwxgtk2.8-dev_2.8.10.1-2_i386.deb
python-wxgtk2.8-dbg_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/python-wxgtk2.8-dbg_2.8.10.1-2_i386.deb
python-wxgtk2.8_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/python-wxgtk2.8_2.8.10.1-2_i386.deb
python-wxtools_2.8.10.1-2_all.deb
to main/w/wxwidgets2.8/python-wxtools_2.8.10.1-2_all.deb
python-wxversion_2.8.10.1-2_all.deb
to main/w/wxwidgets2.8/python-wxversion_2.8.10.1-2_all.deb
wx-common_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/wx-common_2.8.10.1-2_i386.deb
wx2.8-doc_2.8.10.1-2_all.deb
to main/w/wxwidgets2.8/wx2.8-doc_2.8.10.1-2_all.deb
wx2.8-examples_2.8.10.1-2_all.deb
to main/w/wxwidgets2.8/wx2.8-examples_2.8.10.1-2_all.deb
wx2.8-headers_2.8.10.1-2_i386.deb
to main/w/wxwidgets2.8/wx2.8-headers_2.8.10.1-2_i386.deb
wx2.8-i18n_2.8.10.1-2_all.deb
to main/w/wxwidgets2.8/wx2.8-i18n_2.8.10.1-2_all.deb
wxwidgets2.8_2.8.10.1-2.diff.gz
to main/w/wxwidgets2.8/wxwidgets2.8_2.8.10.1-2.diff.gz
wxwidgets2.8_2.8.10.1-2.dsc
to main/w/wxwidgets2.8/wxwidgets2.8_2.8.10.1-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryan Niebur <[email protected]> (supplier of updated wxwidgets2.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 12 Dec 2009 23:39:04 -0800
Source: wxwidgets2.8
Binary: libwxbase2.8-0 libwxbase2.8-dev libwxbase2.8-dbg libwxgtk2.8-0
libwxgtk2.8-dev libwxgtk2.8-dbg python-wxgtk2.8 python-wxgtk2.8-dbg
python-wxversion python-wxtools wx-common wx2.8-headers wx2.8-i18n wx2.8-doc
wx2.8-examples libwxmsw2.8-dev libwxmsw2.8-dbg wx2.8-headers-msw
Architecture: source i386 all
Version: 2.8.10.1-2
Distribution: unstable
Urgency: low
Maintainer: wxWidgets Maintainers <[email protected]>
Changed-By: Ryan Niebur <[email protected]>
Description:
libwxbase2.8-0 - wxBase library (runtime) - non-GUI support classes of wxWidgets t
libwxbase2.8-dbg - wxBase library (debug) - non-GUI support classes of wxWidgets too
libwxbase2.8-dev - wxBase library (development) - non-GUI support classes of wxWidge
libwxgtk2.8-0 - wxWidgets Cross-platform C++ GUI toolkit (GTK+ runtime)
libwxgtk2.8-dbg - wxWidgets Cross-platform C++ GUI toolkit (GTK+ debug)
libwxgtk2.8-dev - wxWidgets Cross-platform C++ GUI toolkit (GTK+ development)
libwxmsw2.8-dbg - wxMSW mingw32msvc-cross (debug)
libwxmsw2.8-dev - wxMSW mingw32msvc-cross
python-wxgtk2.8 - wxWidgets Cross-platform C++ GUI toolkit (wxPython binding)
python-wxgtk2.8-dbg - wxWidgets Cross-platform C++ GUI toolkit (wxPython binding, debug
python-wxtools - wxWidgets Cross-platform C++ GUI toolkit (wxPython common files)
python-wxversion - wxWidgets Cross-platform C++ GUI toolkit (wxPython version select
wx-common - wxWidgets Cross-platform C++ GUI toolkit (common support files)
wx2.8-doc - wxWidgets Cross-platform C++ GUI toolkit (documentation)
wx2.8-examples - wxWidgets Cross-platform C++ GUI toolkit (examples)
wx2.8-headers - wxWidgets Cross-platform C++ GUI toolkit (header files)
wx2.8-headers-msw - Extra wxWidgets headers for mingw32msvc-cross
wx2.8-i18n - wxWidgets Cross-platform C++ GUI toolkit (i18n support)
Closes: 479738 518540 560917
Changes:
wxwidgets2.8 (2.8.10.1-2) unstable; urgency=low
.
* set wx2.8-i18n Section to localization
* python-wxversion doesn't have to depend on 'python-wxgtk2.6 |
python-wxgtk2.8' (Closes: #479738)
* fix to install correctly under Python 2.6 (see bug #557943)
* make wxwidgets 2.8 the default
* Fix spelling errors in wxversion help (Closes: #518540)
* add patch, fix-build-with-python2.6, to make things get installed to
the correct places with the multiversion stuff
* add libexpat1-dev to build deps and pass --with-expat=sys to
configure (Closes: #560917)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
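The bug report asks the maintainer to establish whether the built binaries actually carry the embedded expat copy, and the closing changelog entry switches the build to the system libexpat (--with-expat=sys). The script below is an added example of how to verify that outcome on the resulting .deb files; it is not code from Debian, wxWidgets or either message. It assumes dpkg-deb, readelf and nm (binutils) are installed, and it infers an embedded copy from exported XML_* symbols, which is a heuristic.

```shell
#!/bin/sh
# Decide how one ELF object gets its expat: a copy compiled into the object
# itself (it exports the XML_* parser entry points), the system libexpat
# (a NEEDED entry), or neither. Inputs are the text of `readelf -d` and
# `nm -D --defined-only`, so the decision can be exercised without a binary.
classify_expat_usage() {
    dyn_section="$1"   # output of: readelf -d OBJECT
    dyn_symbols="$2"   # output of: nm -D --defined-only OBJECT
    # An object defining XML_Parse / XML_ParserCreate carries its own parser,
    # which is exactly the case the bug is about: updating libexpat1 will not fix it.
    if printf '%s\n' "$dyn_symbols" | grep -Eq '^[0-9a-fA-F]+ [TtWw] XML_Parse'; then
        echo embedded
    elif printf '%s\n' "$dyn_section" | grep -q 'NEEDED.*\[libexpat\.so'; then
        echo system
    else
        echo none
    fi
}

# Walk every ELF file inside the given .deb packages and print one verdict
# per file. A copy built with hidden symbol visibility will not show up in
# nm -D, so "none" on a library that is known to parse XML is a reason to
# look closer (e.g. strings for expat version text), not a clean result.
scan_debs() {
    work=$(mktemp -d) || return 1
    for deb in "$@"; do
        dpkg-deb -x "$deb" "$work/pkg" || { rm -rf "$work"; return 1; }
        find "$work/pkg" -type f | while read -r f; do
            head -c 4 "$f" | grep -q 'ELF' || continue
            verdict=$(classify_expat_usage "$(readelf -d "$f" 2>/dev/null)" \
                                           "$(nm -D --defined-only "$f" 2>/dev/null)")
            printf '%s\t%s\t%s\n' "$verdict" "$(basename "$deb")" "${f#$work/pkg}"
        done
        rm -rf "$work/pkg"
    done
    rm -rf "$work"
}

# Usage: sh check-expat.sh libwxbase2.8-0_2.8.10.1-2_i386.deb ...
# A build that passed --with-expat=sys should report "system" and never "embedded".
if [ $# -gt 0 ]; then
    scan_debs "$@"
fi
```

Run it against the binary packages listed in the close message; any "embedded" line means the package still ships its own parser and needs a rebuild against the system expat.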