Your message dated Wed, 14 Mar 2012 22:19:39 +0000
with message-id <e1s7wxj-0006qg...@franck.debian.org>
and subject line Bug#663189: fixed in pyfribidi 0.11.0-1
has caused the Debian Bug report #663189,
regarding buffer overflow in python-pyfribidi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
663189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-pyfribidi
Architecture: i386
Source: pyfribidi
Version: 0.10.0-2

There's a buffer overflow in pyfribidi:

# python2.6 -c 'import pyfribidi; pyfribidi.log2vis(unichr(0x10000)*5)'
Segmentation fault

The reason is the following (see
https://github.com/pediapress/pyfribidi/issues/2):

fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode
character, i.e. it does not handle unicode characters above 0xffff. For a
4 byte utf-8 sequence it will generate 2 unicode characters, which
overflows the logical buffer.

It's fixed with
https://github.com/pediapress/pyfribidi/commit/d2860c655357975e7b32d84e6b45e98f0dcecd7a
(or with pyfribidi 0.11 from pypi)

IMHO the issue is security relevant.

-- 
Cheers
Ralf



--- End Message ---
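
The mismatch described in the report above, as an added example (not code from pyfribidi, FriBidi or the reporter): a simplified model decoder, assumed here to stand in for the 3-byte-only behaviour, is run over five U+10000 characters and needs ten output elements where a per-character count gives five. The names decode_utf8, count_code_points and SAMPLE are invented for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: U+10000 five times, UTF-8 encoded (F0 90 80 80 each). */
#define SAMPLE_LEN 20
static const unsigned char SAMPLE[] =
    "\xF0\x90\x80\x80" "\xF0\x90\x80\x80" "\xF0\x90\x80\x80" "\xF0\x90\x80\x80" "\xF0\x90\x80\x80";

/* Code points in a UTF-8 string = bytes that are not continuation bytes. */
size_t count_code_points(const unsigned char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) n++;
    return n;
}

/* Model decoder (an assumption for illustration, not FriBidi source).
 * max_seq = 3 models the reported behaviour: a 4-byte lead byte is consumed
 * as a 3-byte sequence and the leftover byte becomes a second element.
 * Writes at most cap elements; returns the number of elements required. */
size_t decode_utf8(const unsigned char *s, size_t len,
                   uint32_t *out, size_t cap, int max_seq)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char b = s[i];
        size_t want = b < 0xC0 ? 1 : b < 0xE0 ? 2 : (b < 0xF0 || max_seq < 4) ? 3 : 4;
        if (want > len - i) want = 1;       /* truncated tail: emit byte as-is */
        uint32_t ch = want == 1 ? b : (uint32_t)(b & (0xFF >> (want + 1)));
        for (size_t k = 1; k < want; k++)
            ch = (ch << 6) | (s[i + k] & 0x3F);
        if (n < cap) out[n] = ch;           /* never write past the caller's buffer */
        n++;
        i += want;
    }
    return n;
}

int main(void)
{
    uint32_t out[SAMPLE_LEN];   /* one element per input byte is always enough */
    printf("code points:          %zu\n", count_code_points(SAMPLE, SAMPLE_LEN));
    printf("3-byte decoder needs: %zu\n", decode_utf8(SAMPLE, SAMPLE_LEN, out, SAMPLE_LEN, 3));
    printf("4-byte decoder needs: %zu\n", decode_utf8(SAMPLE, SAMPLE_LEN, out, SAMPLE_LEN, 4));
    return 0;
}
```

A buffer sized from the character count is too small for the 3-byte decoder; sizing it from the byte length, or checking the returned requirement against the capacity before use, keeps the write in bounds.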
--- Begin Message ---
Source: pyfribidi
Source-Version: 0.11.0-1

We believe that the bug you reported is fixed in the latest version of
pyfribidi, which is due to be installed in the Debian FTP archive:

pyfribidi_0.11.0-1.debian.tar.gz
  to main/p/pyfribidi/pyfribidi_0.11.0-1.debian.tar.gz
pyfribidi_0.11.0-1.dsc
  to main/p/pyfribidi/pyfribidi_0.11.0-1.dsc
pyfribidi_0.11.0.orig.tar.bz2
  to main/p/pyfribidi/pyfribidi_0.11.0.orig.tar.bz2
python-pyfribidi-dbg_0.11.0-1_amd64.deb
  to main/p/pyfribidi/python-pyfribidi-dbg_0.11.0-1_amd64.deb
python-pyfribidi_0.11.0-1_amd64.deb
  to main/p/pyfribidi/python-pyfribidi_0.11.0-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 663...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmo...@sabily.org> (supplier of updated pyfribidi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 10 Mar 2012 10:43:02 +0200
Source: pyfribidi
Binary: python-pyfribidi python-pyfribidi-dbg
Architecture: source amd64
Version: 0.11.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmo...@sabily.org>
Description: 
 python-pyfribidi - FriBidi Python bindings
 python-pyfribidi-dbg - FriBidi Python bindings (debug symbols)
Closes: 663189
Changes: 
 pyfribidi (0.11.0-1) unstable; urgency=low
 .
   [ أحمد المحمودي (Ahmed El-Mahmoudy) ]
   * New upstream release. (Closes: #663189)
   * debian/control: Updated Standards-Version to 3.9.3
   * Bumped compat level to 9.
   * Removed all patches as they are no longer needed.
   * debian/watch: Added pypi URL.
   * Removed debian/source.lintian-overrides
   * Updated debian/python-pyfribidi.install
 .
   [ Piotr Ożarowski ]
   * DM-Upload-Allowed set to yes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
