Your message dated Fri, 31 Aug 2012 04:32:41 +0000
with message-id <[email protected]>
and subject line Bug#685888: fixed in pidgin-latex 1.4.4-2
has caused the Debian Bug report #685888,
regarding pidgin-latex: security issue in pidgin-latex
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
685888: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685888
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pidgin-latex
Version: 1.4.4-1
Severity: normal
Tags: upstream
Serious Security issue, where it was possible to get into makeatletter-mode,
although it was blacklisted, giving any attacker able to send a message
over a messenger network to a user effective access to that user's
local system account.
The root cause of the problem is insufficient validation of LaTeX code
in the function 'gboolean is_blacklisted' in LaTeX.c in pidgin-latex.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=es_PE.UTF-8, LC_CTYPE=es_PE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pidgin-latex depends on:
ii dvipng 1.14-1+b1
ii libc6 2.13-30
ii libglib2.0-0 2.32.0-4
ii libpurple0 2.10.6-1
ii pidgin 2.10.6-1
ii texlive-latex-base 2012.20120611-3
pidgin-latex recommends no packages.
pidgin-latex suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: pidgin-latex
Source-Version: 1.4.4-2
We believe that the bug you reported is fixed in the latest version of
pidgin-latex, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Elías Alejandro Año Mendoza <[email protected]> (supplier of updated
pidgin-latex package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Aug 2012 20:39:08 -0500
Source: pidgin-latex
Binary: pidgin-latex
Architecture: source amd64
Version: 1.4.4-2
Distribution: unstable
Urgency: low
Maintainer: Elías Alejandro Año Mendoza <[email protected]>
Changed-By: Elías Alejandro Año Mendoza <[email protected]>
Description:
pidgin-latex - Pidgin plugin to display LaTeX formulas
Closes: 685888
Changes:
pidgin-latex (1.4.4-2) unstable; urgency=low
.
* debian/patches/01_security_issue.patch: Added. (Closes: #685888)
+ This fixes insufficient validation of LaTeX code and avoids
access to user local information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---