Your message dated Sat, 19 May 2007 10:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#423433: fixed in gnash 0.7.2+cvs20070518.1557-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: gnash
Version: 0.7.2-1
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability has been found in gnash:

CVE-2007-2500:
"server/parser/sprite_definition.cpp in GNU Gnash (aka GNU Flash
Player) 0.7.2 allows remote attackers to execute arbitrary code via a
large number of SHOWFRAME elements within a DEFINESPRITE element,
which triggers memory corruption and enables the attacker to call free
with an arbitrary address, probably resultant from a buffer overflow."

At least 0.7.2-1 in lenny is affected. Please check whether this is fixed
in 0.7.2+cvs20070428.1515-1.

A patch is at http://savannah.gnu.org/bugs/?19774


--- End Message ---
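
Added example, not part of the original bug report or of Gnash's code: a C check of the kind the CVE text points to, walking a DEFINESPRITE body and rejecting it when it carries more SHOWFRAME tags than its declared frame count. The function name, status codes and sample bytes are constructed here, and it is an assumption that the out-of-bounds access comes from per-frame storage sized by that count; the tag layout follows the SWF file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TAG_END = 0, TAG_SHOWFRAME = 1 };           /* SWF tag codes */
enum { SPRITE_OK = 0, SPRITE_TRUNCATED = -1, SPRITE_TOO_MANY_FRAMES = -2 };

static uint32_t rd_le(const uint8_t *p, int n)     /* little-endian read */
{
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Hypothetical validator for a DEFINESPRITE body:
 * UI16 sprite id, UI16 frame count, then control tags up to END. */
int check_sprite_body(const uint8_t *body, size_t len, uint32_t *frames_seen)
{
    size_t off = 4;
    uint32_t shown = 0;
    if (len < 4) return SPRITE_TRUNCATED;
    uint32_t declared = rd_le(body + 2, 2);
    for (;;) {
        if (len - off < 2) return SPRITE_TRUNCATED;
        uint32_t hdr = rd_le(body + off, 2);
        uint32_t code = hdr >> 6, tlen = hdr & 0x3f;
        off += 2;
        if (tlen == 0x3f) {                        /* long header: UI32 length follows */
            if (len - off < 4) return SPRITE_TRUNCATED;
            tlen = rd_le(body + off, 4);
            off += 4;
        }
        if (tlen > len - off) return SPRITE_TRUNCATED;   /* tag overruns the sprite */
        if (code == TAG_END) break;
        /* Assumption: per-frame storage is sized by 'declared', so stop before exceeding it. */
        if (code == TAG_SHOWFRAME && ++shown > declared) return SPRITE_TOO_MANY_FRAMES;
        off += tlen;
    }
    *frames_seen = shown;
    return SPRITE_OK;
}

/* Constructed samples: both declare 2 frames; the second carries 3 SHOWFRAME tags. */
static const uint8_t sprite_ok[]  = {1,0, 2,0, 0x40,0, 0x40,0, 0,0};
static const uint8_t sprite_bad[] = {1,0, 2,0, 0x40,0, 0x40,0, 0x40,0, 0,0};

int main(void)
{
    uint32_t n = 0;
    printf("ok=%d bad=%d\n", check_sprite_body(sprite_ok, sizeof sprite_ok, &n),
           check_sprite_body(sprite_bad, sizeof sprite_bad, &n));
    return 0;
}
```
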
--- Begin Message ---
Source: gnash
Source-Version: 0.7.2+cvs20070518.1557-1

We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:

gnash-cygnal_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash-cygnal_0.7.2+cvs20070518.1557-1_i386.deb
gnash-tools_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash-tools_0.7.2+cvs20070518.1557-1_i386.deb
gnash_0.7.2+cvs20070518.1557-1.diff.gz
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1.diff.gz
gnash_0.7.2+cvs20070518.1557-1.dsc
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1.dsc
gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1_i386.deb
gnash_0.7.2+cvs20070518.1557.orig.tar.gz
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557.orig.tar.gz
konqueror-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/konqueror-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
libgnash0_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/libgnash0_0.7.2+cvs20070518.1557-1_i386.deb
mozilla-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/mozilla-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miriam Ruiz <[EMAIL PROTECTED]> (supplier of updated gnash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 18 May 2007 15:57:38 +0000
Source: gnash
Binary: gnash-cygnal gnash-tools libgnash0 mozilla-plugin-gnash konqueror-plugin-gnash gnash
Architecture: source i386
Version: 0.7.2+cvs20070518.1557-1
Distribution: unstable
Urgency: low
Maintainer: Miriam Ruiz <[EMAIL PROTECTED]>
Changed-By: Miriam Ruiz <[EMAIL PROTECTED]>
Description: 
 gnash      - free Flash movie player
 gnash-cygnal - free Flash movie player - Media server
 gnash-tools - free Flash movie player - Command-line Tools
 konqueror-plugin-gnash - free Flash movie player - Plugin for Konqueror
 libgnash0  - free Flash movie player - shared libraries
 mozilla-plugin-gnash - free Flash movie player - Plugin for Mozilla and derivatives
Closes: 423433 423884
Changes: 
 gnash (0.7.2+cvs20070518.1557-1) unstable; urgency=low
 .
   * New Upstream Release. Downloaded from CVS.
   * Depending on libcurl?-gnutls-dev instead of libcurl?-openssl-dev for
     not depending on OpenSSL (incompatible with GPL license). Closes: #423884
   * Closes: #423433, memory corruption vulnerability in gnash, due to an out
     of bounds memory access ( http://savannah.gnu.org/bugs/?19774 )
   * gstreamer0.10-audiosink is a virtual package, modifying control.
   * Updated dependencies to use libcurl4 instead of libcurl3.
   * Depending on swfmill for check (as well as from ming and mtasc)
   * Make check is fatal error now.
   * Upload sponsored by Petter Reinholdtsen.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGTtR620zMSyow1ykRAiuFAKC0Qve5UAc53R3qPYt8RY6Uf+OUIgCgsiZo
k3qHtuJYA4BB3YpHwm8IV/A=
=k4ms
-----END PGP SIGNATURE-----


--- End Message ---
