Your message dated Sat, 31 May 2008 14:02:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#483816: fixed in imlib2 1.4.0-1.1
has caused the Debian Bug report #483816,
regarding imlib2: CVE-2008-2426 buffer overflows in xpm and pnm loader
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

-- 
483816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483816
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libimlib2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libimlib2.

CVE-2008-2426[0]:
| Secunia Research has discovered two vulnerabilities in imlib2, which
| can be exploited by malicious people to cause a DoS (Denial of
| Service) or compromise an application using the library.
|
| 1) A boundary error exists within the "load()" function in
| src/modules/loaders/loader_pnm.c when processing the header of a
| PNM image file. This can be exploited to cause a stack-based buffer
| overflow by e.g. tricking a user into opening a specially crafted
| PNM image in an application using the imlib2 library.
|
| Successful exploitation allows execution of arbitrary code.
|
| 2) A boundary error exists within the "load()" function in
| src/modules/loader_xpm.c when processing an XPM image file. This can
| be exploited to cause a stack-based buffer overflow by e.g. tricking
| a user into opening a specially crafted XPM image with an application
| using the imlib2 library.

Patches:
https://bugzilla.redhat.com/attachment.cgi?id=307178
https://bugzilla.redhat.com/attachment.cgi?id=307177

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2426
    http://security-tracker.debian.net/tracker/CVE-2008-2426

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Attachment: pgpE2OyG4vOxU.pgp, Description: PGP signature]
--- End Message ---
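The advisory above describes the bug class only (a header token copied into a fixed-size stack buffer without a length bound). The following is an added illustration of the defensive pattern, written for this page and not taken from imlib2 or the Red Hat patches: a PNM header reader whose token copy is bounded and which rejects, rather than truncates, a token that does not fit. The 16-byte buffer, the 65535 dimension cap and the omission of '#' comment handling are choices made here for brevity.

```c
/* Added example, not imlib2's code: a bounded PNM header tokenizer.
 * read_token() refuses a token that does not fit its buffer instead of
 * writing past the end. Input is an in-memory buffer (constructed). */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct pnm_hdr { int kind, width, height, maxval; };

/* Copy one whitespace-delimited token into tok; -1 if empty or too long.
 * Over-long tokens are rejected, not truncated: a truncated number would
 * parse as a wrong dimension and the caller would never notice. */
static int read_token(const unsigned char *p, size_t n, size_t *pos,
                      char *tok, size_t toklen)
{
    size_t i = 0;
    while (*pos < n && isspace(p[*pos])) (*pos)++;
    while (*pos < n && !isspace(p[*pos])) {
        if (i + 1 >= toklen) return -1;      /* the bound check that matters */
        tok[i++] = (char)p[(*pos)++];
    }
    tok[i] = '\0';
    return i ? 0 : -1;
}

/* Decimal dimension in 1..65535 (cap chosen for this example). */
static int parse_dim(const char *s, int *out)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v <= 0 || v > 65535) return -1;
    *out = (int)v;
    return 0;
}

/* Returns 0 and fills h on a well-formed P1..P6 header, -1 otherwise. */
int parse_pnm_header(const unsigned char *buf, size_t len, struct pnm_hdr *h)
{
    char tok[16];             /* deliberately small: the bound, not the size, protects it */
    size_t pos = 0;
    if (read_token(buf, len, &pos, tok, sizeof tok) || tok[0] != 'P' ||
        tok[1] < '1' || tok[1] > '6' || tok[2] != '\0') return -1;
    h->kind = tok[1] - '0';
    if (read_token(buf, len, &pos, tok, sizeof tok) || parse_dim(tok, &h->width)) return -1;
    if (read_token(buf, len, &pos, tok, sizeof tok) || parse_dim(tok, &h->height)) return -1;
    if (h->kind == 1 || h->kind == 4) { h->maxval = 1; return 0; } /* bitmaps carry no maxval */
    if (read_token(buf, len, &pos, tok, sizeof tok) || parse_dim(tok, &h->maxval)) return -1;
    return 0;
}
```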
--- Begin Message ---
Source: imlib2
Source-Version: 1.4.0-1.1

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:

imlib2_1.4.0-1.1.diff.gz
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.diff.gz
imlib2_1.4.0-1.1.dsc
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.dsc
libimlib2-dev_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.1_amd64.deb
libimlib2_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2_1.4.0-1.1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 31 May 2008 14:14:50 +0200
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 483816
Changes:
 imlib2 (1.4.0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix stack-based buffer overflow in pnm and xpm image loader modules
     leading to arbitrary code execution (CVE-2008-2426; Closes: #483816).
--- End Message ---