Your message dated Tue, 27 Oct 2009 21:15:21 +0000
with message-id <[email protected]>
and subject line Bug#354662: fixed in scrot 0.8-11
has caused the Debian Bug report #354662,
regarding scrot: format string vulnerabilities?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
354662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: scrot
Version: 0.8-7
Severity: normal

Steps to reproduce:
1) scrot foo`perl -e 'print "\\$w" x 3900;'`.png

Expected results:
1) scrot should either take a screenshot to a file or fail to create
the file because the filename is too long.

Actual results:
1) scrot segfaults, apparently because it uses strcat() without
checking for buffer overflows. I'm not sure but I think this can be
used to execute arbitrary code.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29sauna
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)

Versions of packages scrot depends on:
ii  giblib1                   1.2.4-2        wrapper library for imlib2, and ot
ii  libc6                     2.3.6-2        GNU C Library: Shared libraries an
ii  libfreetype6              2.1.10-1       FreeType 2 font engine, shared lib
ii  libimlib2                 1.2.1-2        powerful image loading and renderi
ii  libx11-6                  6.9.0.dfsg.1-4 X Window System protocol client li
ii  libxext6                  6.9.0.dfsg.1-4 X Window System miscellaneous exte
ii  zlib1g                    1:1.2.3-9      compression library - runtime

scrot recommends no packages.

-- no debconf information


--- End Message ---
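
The failure mode in the report above, handled with bounds-checked appends, as an added example that is not scrot's code and not the patch shipped in 0.8-11. The function names, the 32-byte scratch buffer and the treatment of `$w`, `$h` and `$$` as width, height and a literal dollar sign are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not scrot's code: append src to out only if it fits.
 * Returns 0 on success, -1 if the result plus its NUL would exceed outsz. */
static int append_bounded(char *out, size_t outsz, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (n >= outsz - *len)      /* no room for src and the terminating NUL */
        return -1;
    memcpy(out + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Expand $w (width), $h (height) and $$ in fmt into out.
 * Unlike a bare strcat() loop, every append is checked, so a pattern such as
 * "$w" repeated thousands of times is rejected instead of overrunning out. */
int expand_name(const char *fmt, int width, int height, char *out, size_t outsz)
{
    size_t len = 0;
    char piece[32];             /* large enough for any decimal int */

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (const char *c = fmt; *c != '\0'; c++) {
        if (*c == '$' && c[1] == 'w') {
            snprintf(piece, sizeof piece, "%d", width);
            c++;
        } else if (*c == '$' && c[1] == 'h') {
            snprintf(piece, sizeof piece, "%d", height);
            c++;
        } else if (*c == '$' && c[1] == '$') {
            piece[0] = '$'; piece[1] = '\0';
            c++;
        } else {
            piece[0] = *c; piece[1] = '\0';   /* literal character */
        }
        if (append_bounded(out, outsz, &len, piece) != 0)
            return -1;          /* caller reports "file name too long" */
    }
    return 0;
}
```

The length check has to be made on the expanded output, not on the argument: each two-byte `$w` grows to the decimal width, so a pattern shorter than the buffer can still overflow it.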
--- Begin Message ---
Source: scrot
Source-Version: 0.8-11

We believe that the bug you reported is fixed in the latest version of
scrot, which is due to be installed in the Debian FTP archive:

scrot_0.8-11.diff.gz
  to main/s/scrot/scrot_0.8-11.diff.gz
scrot_0.8-11.dsc
  to main/s/scrot/scrot_0.8-11.dsc
scrot_0.8-11_i386.deb
  to main/s/scrot/scrot_0.8-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Vera <[email protected]> (supplier of updated scrot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 25 Oct 2009 19:48:21 -0600
Source: scrot
Binary: scrot
Architecture: source i386
Version: 0.8-11
Distribution: unstable
Urgency: low
Maintainer: William Vera <[email protected]>
Changed-By: William Vera <[email protected]>
Description: 
 scrot      - command line screen capture utility
Closes: 354662 547486 549123
Changes: 
 scrot (0.8-11) unstable; urgency=low
 .
   * Changed the Homepage field on control file (Closes: #547486).
   * Updated Standards Version to 3.8.1.
   * Added a patch to improve spacing in manual page (Closes: #549123).
   * Added a README.source (dpatch).
   * Added a patch to prevent arbitrary long file names (Closes: #354662).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
