Your message dated Thu, 26 Mar 2015 21:19:24 +0000
with message-id <[email protected]>
and subject line Bug#780989: fixed in dulwich 0.9.7-3
has caused the Debian Bug report #780989,
regarding dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
780989: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780989
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dulwich
Version: 0.9.8-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Jelmer,

the following vulnerability got a separate CVE assigned after asking
for it on oss-security. I chose grave as severity as it allows
arbitrary code execution, if one clones from a remote git repo and
subsequently commits via dulwich. Please let me know if you don't
agree.

CVE-2014-9706[0]:
does not prevent to write files in commits with invalid paths to working tree

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9706

Please adjust the affected versions in the BTS as needed (I guess the
issue is also present in 0.8.5, but have not yet checked this).

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dulwich
Source-Version: 0.9.7-3

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <[email protected]> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2015 22:34:34 +0000
Source: dulwich
Binary: python-dulwich python-dulwich-dbg
Architecture: source amd64
Version: 0.9.7-3
Distribution: jessie
Urgency: medium
Maintainer: Jelmer Vernooij <[email protected]>
Changed-By: Jelmer Vernooij <[email protected]>
Description:
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780958 780989
Changes:
 dulwich (0.9.7-3) testing-proposed-updates; urgency=medium
 .
   * Add 02_cve_2015-0838: Fix buffer overflow in C implementation of
     apply_delta (CVE-2015-0838). Closes: #780958
   * Add 03_cve_2014-9706: Don't allow writing to files under .git/ when
     checking out working trees (CVE-2014-9706). Closes: #780989
Checksums-Sha1:
 df95be1d3a9f9f0e0efad54d6cee1032e250d780 2084 dulwich_0.9.7-3.dsc
 7c7362c1afb76a87ab6e6ead6e78a465bc2eee2e 407536 dulwich_0.9.7-3.debian.tar.xz
 5d7b2ea3b0d894dce544429ea3795497c824b177 192144 python-dulwich_0.9.7-3_amd64.deb
 0897ca2853620f697e93156d7a8e5dc1e4e075c4 68930 python-dulwich-dbg_0.9.7-3_amd64.deb
Checksums-Sha256:
 2ed1f4b70a46401dd86d119c11caa694e1f592734c7ab2a5e39b87a4de00d0bb 2084 dulwich_0.9.7-3.dsc
 1f4b1095e39077e51919c7cd6a43bd667790aee3227c3ae3d39cf150b9ce4a1c 407536 dulwich_0.9.7-3.debian.tar.xz
 df53edc4554cf8d9c6557d262fc9e988a250ae09addf555b3415865b9ed2c4d8 192144 python-dulwich_0.9.7-3_amd64.deb
 5d383f70892b9e7697541986127aadbf5526cbb440082b88928c2c0cf1a70d30 68930 python-dulwich-dbg_0.9.7-3_amd64.deb
Files:
 ff5dcc3118fc447178983bbb2e71f7cf 2084 python optional dulwich_0.9.7-3.dsc
 373fa036faa90ad153b572910b93d8ab 407536 python optional dulwich_0.9.7-3.debian.tar.xz
 4c34ece84548ab183ae5a7927800fd2e 192144 python optional python-dulwich_0.9.7-3_amd64.deb
 05c1349c47b67ab45f5612b54a61b616 68930 debug extra python-dulwich-dbg_0.9.7-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
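The report above describes the attack (a hostile remote repository whose tree contains entries such as files under .git/, which dulwich wrote into the working tree on checkout, so that a later commit runs an attacker-supplied hook) and the changelog describes the fix (refuse to write files under .git/ when checking out). The following is an added illustration of that class of check, written for this page; it is not dulwich's code and does not show how dulwich implemented the fix. The sample tree paths are constructed, and the function names (is_safe_tree_path, partition_tree_paths, write_blob) are this example's own. It goes beyond the ".git/" restriction named in the changelog by also rejecting traversal and absolute paths, the case variants of .git that matter on case-insensitive filesystems, and the Windows 8.3 short name git~1:

```python
"""Path validation for writing git tree entries into a working tree.

Example code added to this page, not dulwich's implementation of the
CVE-2014-9706 fix. Sample paths are constructed for the example.
"""
import os
import tempfile

# Constructed sample: paths a hostile remote repository could place in a tree.
SAMPLE_TREE_PATHS = [
    b"README",
    b"src/main.py",
    b".git/hooks/post-commit",   # git runs this hook on the next commit
    b"sub/.git/config",          # nested .git directory in a subtree
    b"../outside.txt",           # escapes the working tree
    b"/etc/passwd",              # absolute path
    b".GIT/hooks/pre-commit",    # same as .git on case-insensitive filesystems
    b"GIT~1/hooks/pre-commit",   # Windows 8.3 short name for .git
    b"dir//file",                # empty component
    b"a\x00b",                   # embedded NUL
]


def _is_dotgit_component(comp: bytes) -> bool:
    """True if one path component names the .git directory.

    Case-insensitive, tolerant of trailing dots/spaces (which NTFS strips),
    and aware of the 8.3 short name 'git~1'. These extra aliases go beyond
    the plain '.git/' check described in the changelog.
    """
    c = comp.lower().rstrip(b". ")
    return c in (b".git", b"git~1")


def is_safe_tree_path(path: bytes) -> bool:
    """Decide whether a tree entry path may be written under a working tree."""
    if not path or b"\x00" in path:
        return False
    # Git trees always use '/'; treat backslash as a separator too so that
    # 'foo\\..\\bar' cannot sneak through on Windows.
    normalized = path.replace(b"\\", b"/")
    if normalized.startswith(b"/"):
        return False
    for comp in normalized.split(b"/"):
        if comp in (b"", b".", b".."):
            return False
        if _is_dotgit_component(comp):
            return False
    return True


def partition_tree_paths(paths):
    """Split tree entry paths into (safe, rejected) lists."""
    safe, rejected = [], []
    for p in paths:
        (safe if is_safe_tree_path(p) else rejected).append(p)
    return safe, rejected


def write_blob(target_dir: str, path: bytes, data: bytes) -> str:
    """Write one tree entry under target_dir, refusing unsafe paths.

    The vulnerable pattern is os.path.join(target_dir, path) followed by
    open(..., 'wb') for every entry, which lets a hostile tree write into
    .git/hooks. Here the path is validated first and, as defence in depth,
    the resolved destination is checked to still lie inside target_dir.
    """
    if not is_safe_tree_path(path):
        raise ValueError("refusing to check out unsafe path: %r" % path)
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, os.fsdecode(path)))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path resolves outside working tree: %r" % path)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


if __name__ == "__main__":
    safe, rejected = partition_tree_paths(SAMPLE_TREE_PATHS)
    print("safe:    ", safe)
    print("rejected:", rejected)
    with tempfile.TemporaryDirectory() as wt:
        for p in safe:
            write_blob(wt, p, b"contents of " + p + b"\n")
        for p in rejected:
            try:
                write_blob(wt, p, b"x")
            except ValueError as e:
                print("blocked:", e)
```

The component-wise check is the important part: rejecting only a leading ".git/" prefix would still let "sub/.git/config" or ".GIT/hooks/pre-commit" through, and on a case-insensitive filesystem the latter lands in the real hooks directory. The realpath comparison in write_blob is a second line of defence, not a substitute for validating the tree path itself.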