Your message dated Sun, 21 Feb 2016 12:17:49 +0000
with message-id <[email protected]>
and subject line Bug#814067: fixed in xdelta3 3.0.0.dfsg-1+deb7u1
has caused the Debian Bug report #814067,
regarding xdelta3: CVE-2014-9765: buffer overflow in main_get_appheader
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
814067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xdelta3
Severity: grave
Tags: security upstream fixed-upstream
xdelta3 before 3.0.9 contains a buffer overflow which allows arbitrary
code execution from input files at least on some systems.
3.0.0.dfsg-1 and 3.0.8-dfsg-1 are definitely affected.
On 08.02.2016 at 06:57:12 +0100 Salvatore Bonaccorso wrote:
> On Sun, Feb 07, 2016 at 07:05:12PM +0400, Stepan Golosunov wrote:
> > This appears to be fixed in xdelta3 3.0.9 and later via
> > https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
> > but not in Debian.
> >
> > What should be done next? Should I open a bug?
>
> Yes, since the commit is in the public git repo I think it is best to
> open a bug in the Debian BTS.
> p.s.: Just noticed there seem to be two git repositories by jmacd, the
> commit is as well in
>
> https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8
README.md says that this repository contains old data from
https://code.google.com/p/xdelta. Newer code and releases are
currently only in xdelta-devel.
--- End Message ---
--- Begin Message ---
Source: xdelta3
Source-Version: 3.0.0.dfsg-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
xdelta3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xdelta3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Feb 2016 14:35:03 +0100
Source: xdelta3
Binary: xdelta3 python-xdelta3
Architecture: source amd64
Version: 3.0.0.dfsg-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: A Mennucc1 <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
python-xdelta3 - Xdelta3 python module
xdelta3 - A diff utility which works with binary files
Closes: 814067
Changes:
xdelta3 (3.0.0.dfsg-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---