Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)
Your message dated Wed, 29 Nov 2023 22:47:14 + with message-id and subject line

Bug#838248: fixed in unadf 0.7.11a-5+deb12u1

has caused the Debian Bug report #838248, regarding unadf: CVE-2016-1243 and CVE-2016-1244 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

CVE-2016-1244[1]: execution of unsanitized input

The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
--- End Message ---
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-5+deb12u1
Done: Moritz Mühlenhoff

We believe that the bug you reported is fixed in the latest version of unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 838...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff (supplier of updated unadf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 24 Nov 2023 18:20:14 +0100
Source: unadf
Architecture: source
Version: 0.7.11a-5+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Moritz Mühlenhoff
Closes: 838248
Changes:
 unadf (0.7.11a-5+deb12u1) bookworm; urgency=medium
 .
   * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)
--- End Message ---
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)
Your message dated Wed, 22 Nov 2023 22:52:02 + with message-id and subject line

Bug#838248: fixed in unadf 0.7.11a-6

has caused the Debian Bug report #838248, regarding unadf: CVE-2016-1243 and CVE-2016-1244 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

CVE-2016-1244[1]: execution of unsanitized input

The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
--- End Message ---
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-6
Done: Moritz Muehlenhoff

We believe that the bug you reported is fixed in the latest version of unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 838...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff (supplier of updated unadf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Wed, 22 Nov 2023 19:37:12 +0100
Source: unadf
Architecture: source
Version: 0.7.11a-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Moritz Muehlenhoff
Closes: 838248 1053098
Changes:
 unadf (0.7.11a-6) unstable; urgency=medium
 .
   * QA upload.
   * Really apply security fixes for CVE-2016-1243/CVE-2016-1244, they were not actually applied in the 0.7.11a-4 upload (Closes: #838248, #1053098)
--- End Message ---
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)
Your message dated Wed, 22 Nov 2023 22:52:02 + with message-id and subject line

Bug#1053098: fixed in unadf 0.7.11a-6

has caused the Debian Bug report #1053098, regarding unadf: CVE-2016-1243 and CVE-2016-1244 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1053098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053098
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

CVE-2016-1244[1]: execution of unsanitized input

The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
--- End Message ---
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-6
Done: Moritz Muehlenhoff

We believe that the bug you reported is fixed in the latest version of unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1053...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff (supplier of updated unadf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Wed, 22 Nov 2023 19:37:12 +0100
Source: unadf
Architecture: source
Version: 0.7.11a-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group
Changed-By: Moritz Muehlenhoff
Closes: 838248 1053098
Changes:
 unadf (0.7.11a-6) unstable; urgency=medium
 .
   * QA upload.
   * Really apply security fixes for CVE-2016-1243/CVE-2016-1244, they were not actually applied in the 0.7.11a-4 upload (Closes: #838248, #1053098)
--- End Message ---
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)
Your message dated Mon, 03 Oct 2016 22:03:46 + with message-id and subject line

Bug#838248: fixed in unadf 0.7.11a-3+deb8u1

has caused the Debian Bug report #838248, regarding unadf: CVE-2016-1243 and CVE-2016-1244 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

CVE-2016-1244[1]: execution of unsanitized input

The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
--- End Message ---
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-3+deb8u1

We believe that the bug you reported is fixed in the latest version of unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 838...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello (supplier of updated unadf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 18 Sep 2016 23:11:18 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-3+deb8u1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group
Changed-By: Luciano Bello
Description:
 unadf - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-3+deb8u1) stable-security; urgency=high
 .
   * Orphaned package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
Bug#838248: marked as done (unadf: CVE-2016-1243 and CVE-2016-1244)
Your message dated Sat, 24 Sep 2016 20:14:15 + with message-id and subject line

Bug#838248: fixed in unadf 0.7.11a-4

has caused the Debian Bug report #838248, regarding unadf: CVE-2016-1243 and CVE-2016-1244 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
838248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: unadf
Version: 0.7.11a-3
Severity: important
Tags: security patch

Hi,

Tuomas Räsänen discovered the following vulnerabilities for unadf.

CVE-2016-1243[0]: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.

CVE-2016-1244[1]: execution of unsanitized input

The patch is available here:
http://tmp.tjjr.fi/0001-Fix-unsafe-extraction-by-using-mkdir-instead-of-shel.patch

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1243
[1] https://security-tracker.debian.org/tracker/CVE-2016-1244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1244
--- End Message ---
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-4

We believe that the bug you reported is fixed in the latest version of unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 838...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello (supplier of updated unadf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 24 Sep 2016 11:43:06 -0400
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-4
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group
Changed-By: Luciano Bello
Description:
 unadf - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-4) unstable; urgency=high
 .
   * Orphan package with security issues.
   * Tuomas Räsänen discovered two security issues (Closes: #838248):
     - CVE-2016-1243: stack buffer overflow caused by blindly trusting on pathname lengths of archived files.
     - CVE-2016-1244: execution of unsanitized input.
   * Standards-Version: 3.9.8