Your message dated Wed, 12 Nov 2008 21:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#505478: fixed in libcdaudio 0.99.12p2-7
has caused the Debian Bug report #505478,
regarding CVE-2008-5030: Buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
505478: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505478
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libcdaudio
Severity: grave
Tags: security
Justification: user security hole

Hi Daniel, please see
http://www.openwall.com/lists/oss-security/2008/11/05/1
http://www.openwall.com/lists/oss-security/2008/11/07/1

I'm attaching the dpatch I'm using for stable-security for your
convenience. Please upload to unstable with urgency=high and
pester the RMs.

Cheers,
        Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
#!/bin/sh /usr/share/dpatch/dpatch-run
## 02-cddb-bufferoverflow.dpatch by Moritz Muehlenhoff <[EMAIL PROTECTED]>
##
## DP: CVE-2008-5030

@DPATCH@

diff -aur libcdaudio-0.99.12p2.orig/src/cddb.c libcdaudio-0.99.12p2/src/cddb.c
--- libcdaudio-0.99.12p2.orig/src/cddb.c	2004-09-09 01:26:39.000000000 +0000
+++ libcdaudio-0.99.12p2/src/cddb.c	2008-11-12 21:11:29.000000000 +0000
@@ -1679,7 +1679,7 @@
       free(file);
 	 
       while(!feof(cddb_data)) {
-	fgets(inbuffer, 512, cddb_data);			   
+	fgets(inbuffer, 256, cddb_data);			   
 	cddb_process_line(inbuffer, data);
       }
 	 
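Review bot: the hardcoded 256 in `fgets(inbuffer, 256, cddb_data);` should be `sizeof(inbuffer)`, assuming `inbuffer` is a fixed-size array in this scope (the hunk does not show its declaration); the literal fixes the overflow only for as long as it stays in step with the declaration, whereas `fgets(inbuffer, sizeof(inbuffer), cddb_data)` keeps the bound tied to the array if it is ever resized. The surrounding `while(!feof(cddb_data))` loop also discards the return value of `fgets`, so on a read error, or when EOF is reached inside the loop body, `cddb_process_line(inbuffer, data);` runs once more on stale buffer contents; `while (fgets(inbuffer, sizeof(inbuffer), cddb_data) != NULL)` covers both cases. Worth a sentence in the DP: description as well: a CDDB line longer than 255 bytes is no longer an overflow, but it is now delivered to `cddb_process_line` in pieces across successive iterations rather than as one line, and the caller should be prepared for that.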


--- End Message ---
--- Begin Message ---
Source: libcdaudio
Source-Version: 0.99.12p2-7

We believe that the bug you reported is fixed in the latest version of
libcdaudio, which is due to be installed in the Debian FTP archive:

libcdaudio-dbg_0.99.12p2-7_i386.deb
  to pool/main/libc/libcdaudio/libcdaudio-dbg_0.99.12p2-7_i386.deb
libcdaudio-dev_0.99.12p2-7_i386.deb
  to pool/main/libc/libcdaudio/libcdaudio-dev_0.99.12p2-7_i386.deb
libcdaudio1_0.99.12p2-7_i386.deb
  to pool/main/libc/libcdaudio/libcdaudio1_0.99.12p2-7_i386.deb
libcdaudio_0.99.12p2-7.diff.gz
  to pool/main/libc/libcdaudio/libcdaudio_0.99.12p2-7.diff.gz
libcdaudio_0.99.12p2-7.dsc
  to pool/main/libc/libcdaudio/libcdaudio_0.99.12p2-7.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated libcdaudio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 Nov 2008 22:34:00 +0100
Source: libcdaudio
Binary: libcdaudio1 libcdaudio-dev libcdaudio-dbg
Architecture: source i386
Version: 0.99.12p2-7
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description:
 libcdaudio-dbg - library for controlling a CD-ROM when playing audio CDs (debug)
 libcdaudio-dev - library for controlling a CD-ROM when playing audio CDs (developm
 libcdaudio1 - library for controlling a CD-ROM when playing audio CDs
Closes: 505478
Changes: 
 libcdaudio (0.99.12p2-7) unstable; urgency=high
 .
   * Updating vcs fields in control file.
   * Using patch-stamp rather than patch in rules file.
   * Replacing obsolete dh_clean -k with dh_prep.
   * Adding patch from Moritz Muehlenhoff <[EMAIL PROTECTED]> to fix buffer overflow
     with CDDB handling [CVE-2008-5030] (Closes: #505478).
Checksums-Sha1:
 3eebf514cfd8dc70a4f1fecd1567cd026ed8320b 1211 libcdaudio_0.99.12p2-7.dsc
 2c6a025d674edf82b6dc8ded767b177984188245 5227 libcdaudio_0.99.12p2-7.diff.gz
 9c12e89cafd2a0714695ddd683c0a0ca68c6c434 44804 libcdaudio1_0.99.12p2-7_i386.deb
 15c1c80d0a3c546ec5db2d2689a41efa0dce440d 48350 libcdaudio-dev_0.99.12p2-7_i386.deb
 38402fb5cb166d14122f89007a5b0249655524e1 47506 libcdaudio-dbg_0.99.12p2-7_i386.deb
Checksums-Sha256:
 c809cd5f634ac2f6e55f0fbe5dca73617000f535e4a643111823534f5ca99c46 1211 libcdaudio_0.99.12p2-7.dsc
 3a5144408aeb24b1e03495ab64ff0ec0ef91612be6d8d4bb80387e8d6bbcf7e4 5227 libcdaudio_0.99.12p2-7.diff.gz
 de499d70fdc24fb0d2a22fa3969709ff0dd9dd5930eaf9e2f6d1df630220d876 44804 libcdaudio1_0.99.12p2-7_i386.deb
 f60d407b9e7a0d131b8f9dd6a35239212a4439a0b5a29e91e8911e15fa52269a 48350 libcdaudio-dev_0.99.12p2-7_i386.deb
 63ddf4126787121d50445fb8698a9d309312f1e800caf0550e298f427ce8df1a 47506 libcdaudio-dbg_0.99.12p2-7_i386.deb
Files:
 80f88403871f9c4001393ea5cfa439e5 1211 libs optional libcdaudio_0.99.12p2-7.dsc
 3fde3ac0eee70c540830e8ba454304f3 5227 libs optional libcdaudio_0.99.12p2-7.diff.gz
 3814f9ca102514906e082abec18d43bb 44804 libs optional libcdaudio1_0.99.12p2-7_i386.deb
 9f6fd3c6c109c7d9df94f4c14c717c4c 48350 libdevel optional libcdaudio-dev_0.99.12p2-7_i386.deb
 7ec980026dc2d05a85740dbfd08c51b5 47506 devel extra libcdaudio-dbg_0.99.12p2-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEUEARECAAYFAkkbTG0ACgkQ+C5cwEsrK54VKgCg4PW7BXHYFGmj/cZqVH0Uz62s
P8IAl2zpWHRlB2VJ1XjtM9lj0CBEudU=
=FPlA
-----END PGP SIGNATURE-----



--- End Message ---
