Your message dated Sat, 31 May 2008 14:02:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#483816: fixed in imlib2 1.4.0-1.1
has caused the Debian Bug report #483816,
regarding imlib2: CVE-2008-2426 buffer overflows in xpm and pnm loader
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
483816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483816
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libimlib2
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libimlib2.


CVE-2008-2426[0]:
| Secunia Research has discovered two vulnerabilities in imlib2, which
| can be exploited by malicious people to cause a DoS (Denial of
| Service) or compromise an application using the library.
| 
| 1) A boundary error exists within the "load()" function in
| src/modules/loaders/loader_pnm.c when processing the header of a
| PNM image file. This can be exploited to cause a stack-based buffer
| overflow by e.g. tricking a user into opening a specially crafted
| PNM image in an application using the imlib2 library.
| 
| Successful exploitation allows execution of arbitrary code.
| 
| 2) A boundary error exists within the "load()" function in
| src/modules/loader_xpm.c when processing an XPM image file. This can
| be exploited to cause a stack-based buffer overflow by e.g. tricking
| a user into opening a specially crafted XPM image with an application
| using the imlib2 library.

Patches:
https://bugzilla.redhat.com/attachment.cgi?id=307178
https://bugzilla.redhat.com/attachment.cgi?id=307177

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2426
    http://security-tracker.debian.net/tracker/CVE-2008-2426

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

--- End Message ---
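
The advisory quoted above names a boundary error in the PNM loader's header handling, but neither the vulnerable code nor the patch appears in this thread. As an added illustration of the defensive pattern for that bug class (not imlib2's code; the function names, `TOK_MAX` and `DIM_MAX` are assumptions), a header parser that copies each field into a fixed stack buffer only after checking that it fits:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>

#define TOK_MAX 16      /* assumed longest header field, including NUL */
#define DIM_MAX 32767   /* assumed sanity limit on width and height */

/* Copy the next whitespace-delimited token into tok, skipping '#' comments.
 * Returns -1 at end of data or when the token would not fit: that length
 * check keeps the stack buffer in bounds whatever the file contains. */
static int next_token(const unsigned char *p, size_t len, size_t *pos,
                      char tok[TOK_MAX])
{
    size_t n = 0;

    for (;;) {
        while (*pos < len && isspace(p[*pos])) (*pos)++;
        if (*pos >= len || p[*pos] != '#') break;
        while (*pos < len && p[*pos] != '\n') (*pos)++;
    }
    while (*pos < len && !isspace(p[*pos])) {
        if (n + 1 >= TOK_MAX) return -1;   /* would overflow tok: reject */
        tok[n++] = (char)p[(*pos)++];
    }
    tok[n] = '\0';
    return n ? 0 : -1;
}

/* Read one decimal dimension in 1..DIM_MAX. Returns 0 on success. */
static int read_dim(const unsigned char *p, size_t len, size_t *pos, long *out)
{
    char tok[TOK_MAX], *end;
    if (next_token(p, len, pos, tok)) return -1;
    *out = strtol(tok, &end, 10);
    return (*end == '\0' && *out > 0 && *out <= DIM_MAX) ? 0 : -1;
}

/* Parse the magic "P1".."P6", then width and height, from an in-memory file.
 * Simplified: maxval and pixel data are not handled. Returns 0 on success. */
int pnm_parse_header(const unsigned char *data, size_t len, long *w, long *h)
{
    char tok[TOK_MAX];
    size_t pos = 0;

    if (next_token(data, len, &pos, tok) || tok[0] != 'P' ||
        tok[1] < '1' || tok[1] > '6' || tok[2] != '\0')
        return -1;
    return (read_dim(data, len, &pos, w) || read_dim(data, len, &pos, h)) ? -1 : 0;
}
```

A header field longer than the buffer makes the parser reject the file instead of writing past `tok`.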
--- Begin Message ---
Source: imlib2
Source-Version: 1.4.0-1.1

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:

imlib2_1.4.0-1.1.diff.gz
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.diff.gz
imlib2_1.4.0-1.1.dsc
  to pool/main/i/imlib2/imlib2_1.4.0-1.1.dsc
libimlib2-dev_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.1_amd64.deb
libimlib2_1.4.0-1.1_amd64.deb
  to pool/main/i/imlib2/libimlib2_1.4.0-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 31 May 2008 14:14:50 +0200
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 483816
Changes: 
 imlib2 (1.4.0-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix stack-based buffer overflow in pnm and xpm image loader modules
     leading to arbitrary code execution (CVE-2008-2426; Closes: #483816).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIQVa6HYflSXNkfP8RAgSaAJ4s+eVmfzrdOD+10FNVbuaLqa68KACfdB9V
3BpoLtRM0aEXpY45sTJqLME=
=63i6
-----END PGP SIGNATURE-----



--- End Message ---
