Your message dated Mon, 03 Oct 2005 14:44:45 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#325122: gcvs: Vulnerable code in use
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Fri, 26 Aug 2005 11:22:18 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: gcvs: Vulnerable code in use
Package: gcvs
Severity: normal
Tags: security
Gcvs, since it uses the CVS sources, is missing patches for some security
issues, such as CAN-2005-0753. Even though the program itself might not
be vulnerable to the remote buffer overflow it might be appropriate to fix
them since the fixes include some NULL pointer dereferences and such that
might lead to core dumps. That's why I'm listing this bug as normal and not
of higher priority.
In view of this, the following claim in the debian/control is not true:
- Uses the latest CVS source code
At the same time, you might want to consider the recommendations I made
in #325109, quoting from there:
"OWL, a security oriented distribution, ships a number of patches for CVS
that might be interesting to review and apply, if they do apply, check out
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/cvs/2
Regards
Javier
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
---------------------------------------
Date: Mon, 03 Oct 2005 14:44:45 +0200
From: Roland Stigge <[EMAIL PROTECTED]>
Subject: Re: Bug#325122: gcvs: Vulnerable code in use
Hi,
Roland Stigge wrote:
> I changed the control file note. :)
>
> But CAN-2005-0753 and the OWL fixes (for CAN-2004-0414,
> CAN-2004-0416, CAN-2004-0417, CAN-2004-0418) all seem to be server and
> remote related. cvs in gcvs is just used client side, so maybe we can
> ignore this?
>
> Otherwise, please point me to the respective issues that are really
> important here.
Since I got no reply for >1 month, I consider the issue as handled
appropriately and am closing the bug for now. Feel free to reopen if you
have an appropriate answer to the above question.
Thanks.
bye,
Roland