Your message dated Wed, 02 Dec 2009 04:34:28 +0000
with message-id <e1nfgv6-0001jx...@ries.debian.org>
and subject line Bug#537258: fixed in mathtex 1.03-1
has caused the Debian Bug report #537258,
regarding mathtex: CVE-2009-1383 arbitrary code execution via crafted dpi tag
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
537258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537258
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: mathtex
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mathtex.

CVE-2009-1383[0]:
| The getdirective function in mathtex.cgi in mathTeX, when downloaded
| before 20090713, allows remote attackers to execute arbitrary commands
| via shell metacharacters in the dpi tag.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1383
    http://security-tracker.debian.net/tracker/CVE-2009-1383

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: mathtex
Source-Version: 1.03-1

We believe that the bug you reported is fixed in the latest version of
mathtex, which is due to be installed in the Debian FTP archive:

mathtex_1.03-1.diff.gz
  to main/m/mathtex/mathtex_1.03-1.diff.gz
mathtex_1.03-1.dsc
  to main/m/mathtex/mathtex_1.03-1.dsc
mathtex_1.03-1_i386.deb
  to main/m/mathtex/mathtex_1.03-1_i386.deb
mathtex_1.03.orig.tar.gz
  to main/m/mathtex/mathtex_1.03.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 537...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Johan Henriksson <maho...@areta.org> (supplier of updated mathtex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Sun, 29 Nov 2009 20:21:54 +0100
Source: mathtex
Binary: mathtex
Architecture: source i386
Version: 1.03-1
Distribution: unstable
Urgency: high
Maintainer: Johan Henriksson <maho...@areta.org>
Changed-By: Johan Henriksson <maho...@areta.org>
Description:
 mathtex - Generate image from LaTeX command
Closes: 520216 535862 537253 537258
Changes:
 mathtex (1.03-1) unstable; urgency=high
 .
   * New upstream release.
     - Fix "CVE-2009-1383 arbitrary code execution via crafted dpi tag" (Closes: #537258)
     - Fix "CVE-2009-2461 CVE-2009-2460 mult. security issues" (Closes: #537253)
   * Fix "manpage inconsistency" (Closes: #535862)
   * Fix "package description" (Closes: #520216)
--- End Message ---