Your message dated Wed, 12 Nov 2008 21:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#505399: fixed in optipng 0.6.1.1-1
has caused the Debian Bug report #505399,
regarding SA32651: OptiPNG BMP Reader Buffer Overflow Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
505399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505399
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: optipng
Severity: grave
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for Nagios.

SA32651[1]:
> A vulnerability has been reported in OptiPNG, which potentially can be
> exploited by malicious people to compromise a user's system.
>
> The vulnerability is caused due to a boundary error in the BMP reader and
> can be exploited to cause a buffer overflow by tricking a user into
> processing a specially crafted file.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability is reported in versions prior to 0.6.2.

If you fix the vulnerability please also make sure to include the SA id (or 
the CVE id when one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32651/

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Source: optipng
Source-Version: 0.6.1.1-1

We believe that the bug you reported is fixed in the latest version of
optipng, which is due to be installed in the Debian FTP archive:

optipng_0.6.1.1-1.diff.gz
  to pool/main/o/optipng/optipng_0.6.1.1-1.diff.gz
optipng_0.6.1.1-1.dsc
  to pool/main/o/optipng/optipng_0.6.1.1-1.dsc
optipng_0.6.1.1-1_i386.deb
  to pool/main/o/optipng/optipng_0.6.1.1-1_i386.deb
optipng_0.6.1.1.orig.tar.gz
  to pool/main/o/optipng/optipng_0.6.1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nelson A. de Oliveira <[EMAIL PROTECTED]> (supplier of updated optipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 Nov 2008 08:40:50 -0200
Source: optipng
Binary: optipng
Architecture: source i386
Version: 0.6.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Nelson A. de Oliveira <[EMAIL PROTECTED]>
Changed-By: Nelson A. de Oliveira <[EMAIL PROTECTED]>
Description: 
 optipng    - advanced PNG (Portable Network Graphics) optimizer
Closes: 505399
Changes: 
 optipng (0.6.1.1-1) unstable; urgency=high
 .
   * New upstream release (kindly provided by Cosmin Truţa, fixing only
     the security issue found in version 0.6.1):
     - fix array overflow in the BMP reader (Closes: #505399). This is Secunia
       Advisory SA32651.
   * Fix broken link /usr/share/doc/optipng/changelog.gz.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkbTQoACgkQAQwuptkwlkQO6wCdFgTa3hDy/znW0aECFtF36Wls
4X0AoITf8u7h9YSBH5f0KqzowqQLBS3v
=iOmN
-----END PGP SIGNATURE-----



--- End Message ---
