Your message dated Sat, 08 Oct 2005 07:32:05 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#332524: fixed in xloadimage 4.1-15
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: xloadimage: Exploitable buffer overflow in NIFF loading code
X-Mailer: reportbug 3.17
Date: Fri, 07 Oct 2005 00:07:48 +0200
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>

Package: xloadimage
Severity: grave
Tags: security
Justification: user security hole

A report about several buffer overflows in the xloadimage code for
processing NIFF images has been posted to Bugtraq. Please see
http://msgs.securepoint.com/cgi-bin/get/bugtraq0510/57.html
for details and a demo exploit.

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
---------------------------------------
From: James Troup <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#332524: fixed in xloadimage 4.1-15
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 08 Oct 2005 07:32:05 -0700

Source: xloadimage
Source-Version: 4.1-15

We believe that the bug you reported is fixed in the latest version of
xloadimage, which is due to be installed in the Debian FTP archive:

xloadimage_4.1-15.diff.gz
  to pool/main/x/xloadimage/xloadimage_4.1-15.diff.gz
xloadimage_4.1-15.dsc
  to pool/main/x/xloadimage/xloadimage_4.1-15.dsc
xloadimage_4.1-15_i386.deb
  to pool/main/x/xloadimage/xloadimage_4.1-15_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Troup <[EMAIL PROTECTED]> (supplier of updated xloadimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 8 Oct 2005 04:22:14 +0100
Source: xloadimage
Binary: xloadimage
Architecture: source i386
Version: 4.1-15
Distribution: unstable
Urgency: high
Maintainer: James Troup <[EMAIL PROTECTED]>
Changed-By: James Troup <[EMAIL PROTECTED]>
Description:
xloadimage - Graphics file viewer under X11
Closes: 332524
Changes:
xloadimage (4.1-15) unstable; urgency=HIGH
.
* 17_security-sprintf.dpatch: new patch to fix unsafe sprintf usage.
Reported by Ariel Berkman <[EMAIL PROTECTED]>. Closes: #332524
.
* Merge NMU changes from Joey Hess and dpatch-ify.
Files:
9d5a8e1a5c800fb0923b70d36579b826 1247 graphics optional xloadimage_4.1-15.dsc
546f446c617456d1a0187be57fe09ec6 67508 graphics optional xloadimage_4.1-15.diff.gz
0f665ac13f55da09802364a9f6142833 113474 graphics optional xloadimage_4.1-15_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
-----END PGP SIGNATURE-----