Your message dated Thu, 28 Aug 2008 01:59:32 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#496851: yelp: does not correctly handle format strings
for certain error messages
has caused the Debian Bug report #496851,
regarding yelp: does not correctly handle format strings for certain error
messages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
496851: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496851
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: yelp
Version: 2.22.1-6
Severity: grave
Tags: security
Justification: user security hole
yelp is vulnerable to attacks via badly formatted strings for certain error
messages. ubuntu recently released a fix for this problem [1]. the issue
is described as:
Aaron Grattafiori discovered that the Gnome Help Viewer did not handle
format strings correctly when displaying certain error messages. If a
user were tricked into opening a specially crafted URI, a remote attacker
could execute arbitrary code with user privileges.
this may or may not be related to CVE-2008-3533 [2]. this should be
considered a high-urgency vulnerability since it allows remote attackers
to exectute arbitrary code.
thank you for the hard work.
[1] http://www.ubuntu.com/usn/usn-638-1
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3533
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages yelp depends on:
ii docbook-xml 4.5-5 standard XML documentation system,
ii gconf2 2.22.0-1 GNOME configuration database syste
ii gnome-doc-utils 0.12.2-1 a collection of documentation util
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libgcc1 1:4.3.1-9 GCC support library
ii libgconf2-4 2.22.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.16.5-1 The GLib library of C routines
ii libgnome2-0 2.20.1.1-1 The GNOME 2 library - runtime file
ii libgnomeui-0 2.20.1.1-1 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 1:2.22.0-4 GNOME Virtual File System (runtime
ii libgtk2.0-0 2.12.11-3 The GTK+ graphical user interface
ii libpango1.0-0 1.20.5-1 Layout and rendering of internatio
ii librarian0 0.8.0-2 Rarian is a documentation meta-dat
ii libstartup-notificatio 0.9-1 library for program launch feedbac
ii libstdc++6 4.3.1-9 The GNU Standard C++ Library v3
ii libx11-6 2:1.1.4-2 X11 client-side library
ii libxml2 2.6.32.dfsg-3 GNOME XML library
ii libxslt1.1 1.1.24-2 XSLT processing library - runtime
ii man-db 2.5.2-2 on-line manual pager
ii xml-core 0.11 XML infrastructure and XML catalog
ii xulrunner-1.9 1.9.0.1-1 XUL + XPCOM application runner
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages yelp recommends:
ii doc-base 0.8.16 utilities to manage online documen
ii ttf-dejavu 2.25-3 Metapackage to pull in ttf-dejavu-
yelp suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.22.1-4
yelp (2.22.1-4) unstable; urgency=high
* SECURITY: New patch, 60_format-string, fixes format string vulnerability;
bump urgency to high; CVE-2008-3533; GNOME #546364; from SVN r3173;
LP: #254860.
-- Loic Minier <[EMAIL PROTECTED]> Wed, 13 Aug 2008 14:43:03 +0200
On Wed, Aug 27, 2008, Michael Gilbert wrote:
> Package: yelp
> Version: 2.22.1-6
> Severity: grave
> Tags: security
> Justification: user security hole
>
> yelp is vulnerable to attacks via badly formatted strings for certain error
> messages. ubuntu recently released a fix for this problem [1]. the issue
> is described as:
>
> Aaron Grattafiori discovered that the Gnome Help Viewer did not handle
> format strings correctly when displaying certain error messages. If a
> user were tricked into opening a specially crafted URI, a remote attacker
> could execute arbitrary code with user privileges.
>
> this may or may not be related to CVE-2008-3533 [2]. this should be
> considered a high-urgency vulnerability since it allows remote attackers
> to exectute arbitrary code.
>
> thank you for the hard work.
>
> [1] http://www.ubuntu.com/usn/usn-638-1
> [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3533
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.24-etchnhalf.1-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages yelp depends on:
> ii docbook-xml 4.5-5 standard XML documentation
> system,
> ii gconf2 2.22.0-1 GNOME configuration database
> syste
> ii gnome-doc-utils 0.12.2-1 a collection of documentation
> util
> ii libbz2-1.0 1.0.5-1 high-quality block-sorting file
> co
> ii libc6 2.7-13 GNU C Library: Shared libraries
> ii libdbus-glib-1-2 0.76-1 simple interprocess messaging
> syst
> ii libgcc1 1:4.3.1-9 GCC support library
> ii libgconf2-4 2.22.0-1 GNOME configuration database
> syste
> ii libglade2-0 1:2.6.2-1 library to load .glade files at
> ru
> ii libglib2.0-0 2.16.5-1 The GLib library of C routines
> ii libgnome2-0 2.20.1.1-1 The GNOME 2 library - runtime
> file
> ii libgnomeui-0 2.20.1.1-1 The GNOME 2 libraries (User
> Interf
> ii libgnomevfs2-0 1:2.22.0-4 GNOME Virtual File System
> (runtime
> ii libgtk2.0-0 2.12.11-3 The GTK+ graphical user
> interface
> ii libpango1.0-0 1.20.5-1 Layout and rendering of
> internatio
> ii librarian0 0.8.0-2 Rarian is a documentation
> meta-dat
> ii libstartup-notificatio 0.9-1 library for program launch
> feedbac
> ii libstdc++6 4.3.1-9 The GNU Standard C++ Library v3
> ii libx11-6 2:1.1.4-2 X11 client-side library
> ii libxml2 2.6.32.dfsg-3 GNOME XML library
> ii libxslt1.1 1.1.24-2 XSLT processing library -
> runtime
> ii man-db 2.5.2-2 on-line manual pager
> ii xml-core 0.11 XML infrastructure and XML
> catalog
> ii xulrunner-1.9 1.9.0.1-1 XUL + XPCOM application runner
> ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
>
> Versions of packages yelp recommends:
> ii doc-base 0.8.16 utilities to manage online
> documen
> ii ttf-dejavu 2.25-3 Metapackage to pull in
> ttf-dejavu-
>
> yelp suggests no packages.
>
> -- no debconf information
>
>
>
> _______________________________________________
> pkg-gnome-maintainers mailing list
> [EMAIL PROTECTED]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-gnome-maintainers
--
Loïc Minier
--- End Message ---
