Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
On Sat, Dec 07, 2013 at 08:29:54AM +0100, Andreas Tille wrote:
> Thanks for dropping us this note. Could you be so kind as to provide a link to SVN to enable us to cherry-pick the patch? Do you plan to do a release in the short future?

Not necessarily the short future, but ideally sometime in Jan/Feb realistically.

The SVN commit is #3529. Eg see:

https://sourceforge.net/p/staden/code/3529/

> PS: BTW, James, did you notice our Debian Med sprint
> https://wiki.debian.org/DebianMed/Meeting/Aberdeen2014 ?

No I wasn't, but I won't be attending. Thanks for pointing it out though.

James

--
James Bonfield (j...@sanger.ac.uk)   | Hora aderat briligi. Nunc et Slythia Tova
                                     | Plurima gyrabant gymbolitare vabo;
A Staden Package developer:          | Et Borogovorum mimzebant undique formae,
https://sf.net/projects/staden/      | Momiferique omnes exgrabure Rathi.

--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
Hi James,

On Tue, Dec 03, 2013 at 10:16:11AM +, James Bonfield wrote:
> I now believe this to be fixed in SVN. Hopefully it hasn't broken anything either, although I don't have any valid tar files using that particular prefix encoding to test on.

Thanks for dropping us this note. Could you be so kind as to provide a link to SVN to enable us to cherry-pick the patch? Do you plan to do a release in the short future?

Kind regards

Andreas.

PS: BTW, James, did you notice our Debian Med sprint
https://wiki.debian.org/DebianMed/Meeting/Aberdeen2014 ?

--
http://fam-tille.de
Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
I now believe this to be fixed in SVN. Hopefully it hasn't broken anything either, although I don't have any valid tar files using that particular prefix encoding to test on.

James

--
James Bonfield (j...@sanger.ac.uk)   | Hora aderat briligi. Nunc et Slythia Tova
                                     | Plurima gyrabant gymbolitare vabo;
A Staden Package developer:          | Et Borogovorum mimzebant undique formae,
https://sf.net/projects/staden/      | Momiferique omnes exgrabure Rathi.
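James's note ties the fix to tar's prefix encoding: in a ustar header the 155-byte prefix field is joined to the 100-byte name field to form the full path, and neither field is guaranteed to carry a terminating NUL, so a fixed-size path buffer overflows unless the joined length is checked before copying. The following is an added illustration of that kind of length check, not io_lib's index_tar code or the SVN #3529 change; the offsets are the standard ustar layout, and the sample header in demo_join is constructed for the example.

```c
#include <string.h>
/* Standard ustar header layout (POSIX.1-1988): only the fields used here. */
#define TAR_BLOCK 512
#define NAME_LEN 100      /* name field at offset 0        */
#define PREFIX_LEN 155    /* prefix field at offset 345    */
#define OFF_MAGIC 257     /* "ustar" marks a ustar header  */
#define OFF_PREFIX 345

/* Length of a header field that may lack a terminating NUL. */
static size_t field_len(const char *f, size_t n) {
    size_t i = 0;
    while (i < n && f[i] != '\0') i++;
    return i;
}

/* Join "<prefix>/<name>" into out (capacity outsz).  Returns 0 on success,
 * -1 when the joined path would not fit, so the caller rejects the entry
 * instead of writing past the buffer.  Prefix is only honoured for ustar. */
int tar_full_path(const unsigned char *hdr, char *out, size_t outsz) {
    const char *name = (const char *)hdr, *prefix = (const char *)hdr + OFF_PREFIX;
    size_t nlen = field_len(name, NAME_LEN), plen = 0, need;
    if (memcmp(hdr + OFF_MAGIC, "ustar", 5) == 0)
        plen = field_len(prefix, PREFIX_LEN);
    need = nlen + (plen ? plen + 1 : 0) + 1;   /* worst case 155+1+100+1 = 257 */
    if (need > outsz)
        return -1;
    if (plen) {
        memcpy(out, prefix, plen);
        out[plen] = '/';
        memcpy(out + plen + 1, name, nlen);
    } else {
        memcpy(out, name, nlen);
    }
    out[need - 1] = '\0';
    return 0;
}

/* Constructed sample, not a real archive: name (and optionally prefix) filled
 * with 'A' and no NUL, the longest legal case; returns tar_full_path's verdict. */
int demo_join(size_t outsz, int fill_prefix) {
    unsigned char hdr[TAR_BLOCK];
    char out[300];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr + OFF_MAGIC, "ustar", 5);
    memset(hdr, 'A', NAME_LEN);
    if (fill_prefix) memset(hdr + OFF_PREFIX, 'A', PREFIX_LEN);
    if (outsz > sizeof out) outsz = sizeof out;
    return tar_full_path(hdr, out, outsz);
}
```

A parser that sizes its path buffer at 256 bytes rejects the full-length prefix case here, which is the boundary a fuzzer-generated archive would hit.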
Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
On Sun, Nov 10, 2013 at 09:20:08PM -0500, Sang Kil Cha wrote:
> Package: staden-io-lib-utils
> Version: 1.12.4-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> index_tar has a buffer overflow vulnerability. A PoC file is attached.

Hello,

thanks for the report. Have you also submitted it upstream? Do you have a suggestion on how to solve the problem?

Cheers,

--
Charles Plessy
Debian Med packaging team, http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan
Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
Hi,

Yes, I think I did submit it upstream. I don't have a particular patch, but I believe it is trivial to add a check for the overflow.

Thanks,
Sang Kil

On Sat, Nov 30, 2013 at 3:40 AM, Charles Plessy ple...@debian.org wrote:
> On Sun, Nov 10, 2013 at 09:20:08PM -0500, Sang Kil Cha wrote:
> > Package: staden-io-lib-utils
> > Version: 1.12.4-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > index_tar has a buffer overflow vulnerability. A PoC file is attached.
>
> Hello,
>
> thanks for the report. Have you also submitted it upstream? Do you have a suggestion on how to solve the problem?
>
> Cheers,
>
> --
> Charles Plessy
> Debian Med packaging team, http://www.debian.org/devel/debian-med
> Tsurumi, Kanagawa, Japan
Bug#729276: [Debian-med-packaging] Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
On Sat, Nov 30, 2013 at 04:01:50AM -0500, Sang Kil Cha wrote:
> Yes, I think I did submit it upstream.

Hi again,

I do not see it in the upstream bug tracker. Can you also submit it there?

http://sourceforge.net/p/staden/bugs/

Have a nice Sunday,

--
Charles Plessy
Debian Med packaging team, http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan
Bug#729276: staden-io-lib-utils: bufferoverflow in index_tar
Package: staden-io-lib-utils
Version: 1.12.4-1
Severity: grave
Tags: security
Justification: user security hole

index_tar has a buffer overflow vulnerability. A PoC file is attached.

$ gdb --args /usr/bin/index_tar foo
Program received signal SIGSEGV, Segmentation
0x41414141 in ?? ()
(gdb)

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-3-686-pae (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages staden-io-lib-utils depends on:
ii  libc6            2.13-38
ii  libstaden-read1  1.12.4-1

staden-io-lib-utils recommends no packages.

staden-io-lib-utils suggests no packages.

-- no debconf information

Attachment: foo
Description: Binary data