Your message dated Tue, 23 Jan 2007 17:17:11 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#407369: fixed in xine-ui 0.99.4+dfsg+cvs20061111-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xine-ui
Severity: normal


Good day,

My understanding is that this CVE Candidate is buggy, but in case I have
missed something I prefer to let you know; just close the bug if you
agree with me.

From CVE-2007-0254:

| Name: CVE-2007-0254
| Status: Candidate
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
| Phase: Assigned (20070116)
| Category:
| Reference: BUGTRAQ:20070111 Xine-ui format string Vulnerabilties.
| Reference: URL:http://www.securityfocus.com/archive/1/archive/1/456590/100/0/threaded
| Reference: BID:22002
| Reference: URL:http://www.securityfocus.com/bid/22002
|
| Format string vulnerability in the errors_create_window function in
| errors.c in xine-ui allows attackers to execute arbitrary code via
| unknown vectors.


I took a look at the errors_create_window function in errors.c; the
vulnerable code seems to be on line 67:

|  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
|                                                   _("Done"), _("More..."),
|                                                 NULL, _errors_display_log,
|                                                   NULL, 400, ALIGN_CENTER,
|                                                   "%s", message);

xitk_window_dialog_two_buttons_with_width() is a macro function defined on
line 2323 in src/xitk/xine-toolkit/xitk.h; this macro calls
xitk_window_dialog_checkbox_two_buttons_with_width(), which is a function
defined on line 1108 in src/xitk/xine-toolkit/window.c. In this
function we have:
(message is the format, and args is the message from the previous
function)

    va_list   args;
    char     *buf;
    int       n, size = 100;

    if((buf = xitk_xmalloc(size)) == NULL)
      return NULL;

    while(1) {

      va_start(args, message);
      n = vsnprintf(buf, size, message, args);
      va_end(args);

      if(n > -1 && n < size)
        break;

      if(n > -1)
        size = n + 1;
      else
        size *= 2;

      if((buf = realloc(buf, size)) == NULL)
        return NULL;
    }


I failed to see where the format string vulnerability is, my
understanding is that vsnprintf will never overrun buf, but maybe I have
missed something...

Thanks for your time.

Regards.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


--- End Message ---
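
Added example, not part of the bug report or of the xine-ui source: the report's reasoning turns on who controls the format argument of a vsnprintf-based helper, and this sketch contrasts a call that passes the text as data ("%s", msg) with one that passes it as the format. The names format_dialog_text, show_as_data, show_as_format and SAMPLE_MSG are hypothetical, and the sample text is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a variadic dialog helper: formats into a heap
 * buffer that grows until vsnprintf reports that the output fits. */
char *format_dialog_text(const char *fmt, ...)
{
    size_t size = 100;
    char *buf = malloc(size);

    if (buf == NULL)
        return NULL;
    for (;;) {
        va_list args;
        char *bigger;
        int n;

        va_start(args, fmt);
        n = vsnprintf(buf, size, fmt, args);   /* never writes past size */
        va_end(args);
        if (n > -1 && (size_t)n < size)
            return buf;                         /* complete, NUL-terminated */
        size = (n > -1) ? (size_t)n + 1 : size * 2;
        bigger = realloc(buf, size);
        if (bigger == NULL) {                   /* old block is still ours */
            free(buf);
            return NULL;
        }
        buf = bigger;
    }
}

/* Constructed sample: text that contains a '%' directive. "%%" consumes no
 * argument, so interpreting it is well defined. */
static const char SAMPLE_MSG[] = "decoding 50%% of stream";

/* Constant format chosen by the caller; the text is only data. */
char *show_as_data(const char *msg)   { return format_dialog_text("%s", msg); }

/* The text itself becomes the format; its directives get interpreted. */
char *show_as_format(const char *msg) { return format_dialog_text(msg); }

int main(void)
{
    char *a = show_as_data(SAMPLE_MSG), *b = show_as_format(SAMPLE_MSG);
    if (a && b)
        printf("as data:   %s\nas format: %s\n", a, b);
    free(a); free(b);
    return 0;
}
```

Declaring such a helper with the GCC/Clang `format(printf, 1, 2)` attribute and building with `-Wformat-security` makes the compiler flag the second call form.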
--- Begin Message ---
Source: xine-ui
Source-Version: 0.99.4+dfsg+cvs20061111-2

We believe that the bug you reported is fixed in the latest version of
xine-ui, which is due to be installed in the Debian FTP archive:

xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[EMAIL PROTECTED]> (supplier of updated xine-ui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Jan 2007 15:23:06 +0100
Source: xine-ui
Binary: xine-ui
Architecture: source i386
Version: 0.99.4+dfsg+cvs20061111-2
Distribution: unstable
Urgency: medium
Maintainer: Siggi Langauf <[EMAIL PROTECTED]>
Changed-By: Reinhard Tartler <[EMAIL PROTECTED]>
Description: 
 xine-ui    - the xine video player, user interface
Closes: 407369
Changes: 
 xine-ui (0.99.4+dfsg+cvs20061111-2) unstable; urgency=medium
 .
   * imported patch from xine-ui CVS for CVE-2007-0254: fix format string
     vulnerability. (Closes: #407369)
Files: 
 983122cd16969d5eb2383b1b8c6eb32b 1173 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
 1213a1f5d8c6a76747de40c8e8b6e944 11395 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
 4784694333b675564439f751a7cfd65a 1512310 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Debian Powered!

iD8DBQFFtkAKmAg1RJRTSKQRAn6PAJ9acSOqLRE6/5tD3swxMElQq6CO/QCdHwFk
7fVXfAVd8jnIxqgcdOh4tz0=
=DgUS
-----END PGP SIGNATURE-----


--- End Message ---
