Your message dated Sat, 27 Jun 2009 16:04:21 +0000
with message-id <e1mkao5-00011w...@ries.debian.org>
and subject line Bug#530255: fixed in ctorrent 1.3.4-dnh3.2-1+lenny1
has caused the Debian Bug report #530255,
regarding CVE-2009-1759: Stack-based buffer overflow in the 
btFiles::BuildFromMI function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
530255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530255
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ctorrent
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ctorrent.

CVE-2009-1759[0]:
| Stack-based buffer overflow in the btFiles::BuildFromMI function
| (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and
| probably earlier, and CTorrent 1.3.4, allows remote attackers to cause
| a denial of service (crash) and possibly execute arbitrary code via a
| Torrent file containing a long path.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1759
    http://security-tracker.debian.net/tracker/CVE-2009-1759
Patch: http://dtorrent.svn.sourceforge.net/viewvc/dtorrent/dtorrent/trunk/btfiles.cpp?r1=296&r2=301&view=patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoX4iQACgkQNxpp46476apQSACfZnMhb5D7ovIaEjkDgY+PmMN9
yqsAoJ+5IkruLzc09YpQg0lWXQ30RGiz
=hnC5
-----END PGP SIGNATURE-----



--- End Message ---
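
The bug class named in the CVE text above (a path taken from a torrent file's metainfo and assembled in a fixed-size stack buffer) is avoided by checking the remaining room before each copy. The sketch below is an added example, not ctorrent's code and not the upstream patch; `join_path_bounded`, `build_file_path` and the 32-byte buffer size are hypothetical names and values chosen for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed size for the example; the real buffer size is not on this page.
static const std::size_t kPathBufSize = 32;

// Joins one file entry's path components into out[out_size] as "a/b/c".
// Returns false (out set to "") if the result plus its NUL would not fit.
bool join_path_bounded(const std::vector<std::string>& parts,
                       char* out, std::size_t out_size) {
    if (out == nullptr || out_size == 0) return false;
    out[0] = '\0';
    std::size_t used = 0;  // bytes written so far, excluding the NUL
    for (std::size_t i = 0; i < parts.size(); ++i) {
        const std::string& p = parts[i];
        const std::size_t sep = (i == 0) ? 0 : 1;
        // used <= out_size - 1 always holds, so this cannot underflow.
        const std::size_t room = out_size - 1 - used;
        // Compare by subtraction so a huge component length cannot wrap.
        if (p.empty() || p.find('\0') != std::string::npos ||
            sep > room || p.size() > room - sep) {
            out[0] = '\0';
            return false;
        }
        if (sep) out[used++] = '/';
        std::memcpy(out + used, p.data(), p.size());
        used += p.size();
        out[used] = '\0';
    }
    return used > 0;
}

// Uses a fixed stack buffer and returns "" when the path is rejected.
std::string build_file_path(const std::vector<std::string>& parts) {
    char buf[kPathBufSize];
    return join_path_bounded(parts, buf, sizeof buf) ? std::string(buf)
                                                     : std::string();
}

int main() {
    std::printf("[%s]\n", build_file_path({"dir", "sub", "file.txt"}).c_str());
    std::printf("[%s]\n", build_file_path({std::string(4096, 'A')}).c_str());
    return 0;
}
```

A rejected path should cause the whole torrent to be refused rather than truncated, since a silently shortened path can collide with another file entry.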
--- Begin Message ---
Source: ctorrent
Source-Version: 1.3.4-dnh3.2-1+lenny1

We believe that the bug you reported is fixed in the latest version of
ctorrent, which is due to be installed in the Debian FTP archive:

ctorrent_1.3.4-dnh3.2-1+lenny1.diff.gz
  to pool/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1.diff.gz
ctorrent_1.3.4-dnh3.2-1+lenny1.dsc
  to pool/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1.dsc
ctorrent_1.3.4-dnh3.2-1+lenny1_amd64.deb
  to pool/main/c/ctorrent/ctorrent_1.3.4-dnh3.2-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated ctorrent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Jun 2009 00:59:49 +0200
Source: ctorrent
Binary: ctorrent
Architecture: source amd64
Version: 1.3.4-dnh3.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andrea Veri <bluek...@ubuntu.com>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 ctorrent   - BitTorrent Client written in C++
Closes: 530255
Changes: 
 ctorrent (1.3.4-dnh3.2-1+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix stack-based buffer overflow via crafted path names
     in torrent files (CVE-2009-1759; Closes: #530255).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAko47CMACgkQHYflSXNkfP9EkQCgsWkj1SHpdkxrJ9vPrXrGQAdl
RckAnieMb04gvKWqRStATkrLHs+Y1bqQ
=s84w
-----END PGP SIGNATURE-----



--- End Message ---
