Your message dated Mon, 12 Nov 2007 05:17:36 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#449222: fixed in cpio 2.9-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cpio
Version: 2.9-4
Severity: important
Tags: security

Hi

The following CVE[0] was issued for tar, but it seems that cpio is also
affected.

CVE-2007-4476:

Buffer overflow in the safer_name_suffix function in GNU tar has
unspecified attack vectors and impact, resulting in a "crashing stack."

You can find a patch in the tar bugreport[1]. The code in question can
be found in lib/paxnames.c .

When you fix this, please mention the CVE id in your changelog.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476

[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441444
--- End Message ---
--- Begin Message ---
Source: cpio
Source-Version: 2.9-5

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive:

cpio_2.9-5.diff.gz
  to pool/main/c/cpio/cpio_2.9-5.diff.gz
cpio_2.9-5.dsc
  to pool/main/c/cpio/cpio_2.9-5.dsc
cpio_2.9-5_i386.deb
  to pool/main/c/cpio/cpio_2.9-5_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <[EMAIL PROTECTED]> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 05 Nov 2007 18:05:02 -0500
Source: cpio
Binary: cpio
Architecture: source i386
Version: 2.9-5
Distribution: unstable
Urgency: high
Maintainer: Clint Adams <[EMAIL PROTECTED]>
Changed-By: Clint Adams <[EMAIL PROTECTED]>
Description: 
 cpio       - GNU cpio -- a program to manage archives of files
Closes: 449222
Changes: 
 cpio (2.9-5) unstable; urgency=high
 .
   * Apply patch from paxutils to fix a bug which may lead to a "crashing
     stack" [CVE-2007-4476].  closes: #449222.
Files: 
 986f673bcd896d75935ac928bac2f600 672 utils important cpio_2.9-5.dsc
 15107c724b16d5222686dfb263a88a71 20932 utils important cpio_2.9-5.diff.gz
 f0792b870e5fdd6e83ce2fa91354fc17 186620 utils important cpio_2.9-5_i386.deb


--- End Message ---