Your message dated Sat, 14 Dec 2013 16:47:08 +0000
with message-id <e1vrsmu-0002zx...@franck.debian.org>
and subject line Bug#725938: fixed in libtar 1.2.16-1+deb7u1
has caused the Debian Bug report #725938,
regarding libtar: CVE-2013-4397: Integer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
725938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libtar
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libtar.

CVE-2013-4397[0]:
Integer overflow

Upstream announcement is at [1] and the commit fixing this issue is at
[2]. 1.2.20 upstream fixes this issue too. But see also [3].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397
    http://security-tracker.debian.org/tracker/CVE-2013-4397
[1] https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html
[2] http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04
[3] http://www.openwall.com/lists/oss-security/2013/10/10/8

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libtar
Source-Version: 1.2.16-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libtar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Magnus Holmgren <holmg...@debian.org> (supplier of updated libtar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 10 Oct 2013 20:23:17 +0200
Source: libtar
Binary: libtar-dev libtar0
Architecture: source amd64
Version: 1.2.16-1+deb7u1
Distribution: wheezy-security
Urgency: low
Maintainer: Magnus Holmgren <holmg...@debian.org>
Changed-By: Magnus Holmgren <holmg...@debian.org>
Description: 
 libtar-dev - C library for manipulating tar archives (development files)
 libtar0    - C library for manipulating tar archives
Closes: 725938
Changes: 
 libtar (1.2.16-1+deb7u1) wheezy-security; urgency=low
 .
   * [SECURITY] size_t-overflow_cve-2013-4397.patch: Fix CVE-2013-4397:
     Integer overflow (Closes: #725938).


--- End Message ---