Your message dated Wed, 23 Nov 2016 06:33:53 +0000
with message-id <e1c9r7x-0008mo...@fasolo.debian.org>
and subject line Bug#773747: fixed in pgpdump 0.31-0.1
has caused the Debian Bug report #773747,
regarding pgpdump: CVE-2016-4021: endless loop parsing specially crafted input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773747: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pgpdump
Version: 0.28-1
Usertags: afl

pgpdump hangs when trying to dump the attached crafted file.

strace tells me it's repeatedly trying to read past EOF:

read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
[...ad infinitum...]

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages pgpdump depends on:
ii  libbz2-1.0  1.0.6-7+b2
ii  libc6       2.19-13
ii  zlib1g      1:1.2.8.dfsg-2+b1

--
Jakub Wilk

--- End Message ---
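The failure pattern Jakub's strace shows (a read loop that keeps calling read() after it has returned 0), as an added example that is not pgpdump's own code: a constructed in-memory stream stands in for stdin, and a constructed OpenPGP packet declares a longer body than the input actually contains. The unchecked loop spins on EOF; the checked one treats a zero return as EOF and rejects the truncated packet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed in-memory stream standing in for the stdin that pgpdump reads. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

/* Behaves like read(2): copies up to n bytes, returns 0 once the data is exhausted. */
static size_t stream_read(stream_t *s, uint8_t *buf, size_t n) {
    size_t left = s->len - s->pos;
    if (n > left) n = left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Constructed packet: new-format header for tag 11 (literal data) whose one-octet
 * length field claims a 100-byte body, but only three body bytes follow. */
static const uint8_t truncated_packet[] = { 0xCB, 100, 'a', 'b', 'c' };

/* Defective pattern: a zero return is treated as "no data yet, read again", so a
 * declared body length larger than the remaining input never terminates. The call
 * budget exists only so the spin is observable here; returns the number of reads. */
static size_t body_reads_unchecked(size_t budget) {
    stream_t s = { truncated_packet + 2, sizeof truncated_packet - 2, 0 };
    uint8_t body[100];
    size_t want = truncated_packet[1], got = 0, calls = 0;
    while (got < want && calls < budget) {
        calls++;
        got += stream_read(&s, body + got, want - got);  /* 0 forever after EOF */
    }
    return calls;
}

/* Hardened pattern: zero means EOF, so stop and report the packet as truncated.
 * Returns true only if the full declared body was read; *got is the byte count. */
static bool read_body_checked(size_t *got) {
    stream_t s = { truncated_packet + 2, sizeof truncated_packet - 2, 0 };
    uint8_t body[100];
    size_t want = truncated_packet[1];
    *got = 0;
    while (*got < want) {
        size_t n = stream_read(&s, body + *got, want - *got);
        if (n == 0) return false;  /* EOF before the declared length: reject input */
        *got += n;
    }
    return true;
}
```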
--- Begin Message ---
Source: pgpdump
Source-Version: 0.31-0.1

We believe that the bug you reported is fixed in the latest version of
pgpdump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated pgpdump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Nov 2016 01:23:35 -0500
Source: pgpdump
Binary: pgpdump
Architecture: source
Version: 0.31-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jose Luis Rivas <ghost...@debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Description:
 pgpdump    - PGP packet visualizer
Closes: 773747 845390
Changes:
 pgpdump (0.31-0.1) unstable; urgency=medium
 .
   [ Daniel Kahn Gillmor ]
   * Non-maintainer upload (Closes: #845390, #773747)
   * use https URLs for Vcs-*
   * wrap-and-sort -ast
   * use dh_autoreconf
   * move to dh 10
   * imported patches from Peter Pentchev, already upstreamed
   * make debian/test work correctly
   * set up autopkgtest
 .
   [ Peter Pentchev ]
   * Bump Standards-Version to 3.9.8 with no changes.
   * Switch to HTTPS for the copyright format spec URL, too.
   * Break the BSD-3-clause license into a separate section.
   * Drop the dirs file, the upstream build system creates them.
   * Enable all the hardening build options.
   * Switch to the 3.0 (quilt) source format.
   * Add Multi-Arch: foreign to the binary package.
   * Add an upstream metadata file.


--- End Message ---
