Your message dated Sat, 08 Dec 2007 17:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#453686: fixed in libcairo 1.4.10-1+lenny2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libcairo
Version: 1.4.10-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libcairo.
CVE-2007-5503[0]:
| Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers
| to execute arbitrary code, as demonstrated using a crafted PNG image, which is
| not properly handled by the read_png function.
Until now this CVE seems to be reserved, see
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503 in the meanwhile.
Patches can be found on:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
I did not check if the stable version is also prone to this.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpNp2P40aWSY.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: libcairo
Source-Version: 1.4.10-1+lenny2
We believe that the bug you reported is fixed in the latest version of
libcairo, which is due to be installed in the Debian FTP archive:
libcairo-directfb2-dev_1.4.10-1+lenny2_i386.deb
to pool/main/libc/libcairo/libcairo-directfb2-dev_1.4.10-1+lenny2_i386.deb
libcairo-directfb2-udeb_1.4.10-1+lenny2_i386.udeb
to pool/main/libc/libcairo/libcairo-directfb2-udeb_1.4.10-1+lenny2_i386.udeb
libcairo-directfb2_1.4.10-1+lenny2_i386.deb
to pool/main/libc/libcairo/libcairo-directfb2_1.4.10-1+lenny2_i386.deb
libcairo2-dev_1.4.10-1+lenny2_i386.deb
to pool/main/libc/libcairo/libcairo2-dev_1.4.10-1+lenny2_i386.deb
libcairo2-doc_1.4.10-1+lenny2_all.deb
to pool/main/libc/libcairo/libcairo2-doc_1.4.10-1+lenny2_all.deb
libcairo2_1.4.10-1+lenny2_i386.deb
to pool/main/libc/libcairo/libcairo2_1.4.10-1+lenny2_i386.deb
libcairo_1.4.10-1+lenny2.diff.gz
to pool/main/libc/libcairo/libcairo_1.4.10-1+lenny2.diff.gz
libcairo_1.4.10-1+lenny2.dsc
to pool/main/libc/libcairo/libcairo_1.4.10-1+lenny2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libcairo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 03 Dec 2007 17:20:59 +0100
Source: libcairo
Binary: libcairo-directfb2-udeb libcairo-directfb2-dev libcairo-directfb2
libcairo2-doc libcairo2 libcairo2-dev
Architecture: source i386 all
Version: 1.4.10-1+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Dave Beckett <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libcairo-directfb2 - The Cairo 2D vector graphics library DirectFB build
libcairo-directfb2-dev - Development files for Cairo graphics library DirectFB
build
libcairo-directfb2-udeb - The Cairo 2D vector graphics library DirectFB build
(udeb)
libcairo2 - The Cairo 2D vector graphics library
libcairo2-dev - Development files for the Cairo 2D graphics library
libcairo2-doc - Documentation for the Cairo Multi-platform 2D graphics library
Closes: 453686
Changes:
libcairo (1.4.10-1+lenny2) testing-security; urgency=high
.
* Non-maintainer upload by testing-security team.
* Fix multiple integer overflows leading to arbitrary code
execution (CVE-2007-5503; Closes: #453686).
Files:
c19cbaf9edfa8b5b7f566ed395cabb8b 895 libs optional libcairo_1.4.10-1+lenny2.dsc
5598a5e500ad922e37b159dee72fc993 3216689 libs optional
libcairo_1.4.10.orig.tar.gz
87fda52d2ba21a183bf049aae1a915e3 28393 libs optional
libcairo_1.4.10-1+lenny2.diff.gz
d202d23c0d0502d9e29dc07d05a9c8f1 599838 libdevel optional
libcairo2-dev_1.4.10-1+lenny2_i386.deb
a1c226ab3361369e94f4666824a22d15 521558 libs optional
libcairo2_1.4.10-1+lenny2_i386.deb
59643c3dfd82bcd2ebeb124bd5d70adb 412384 libs optional
libcairo2-doc_1.4.10-1+lenny2_all.deb
331aeb587fc1972a4ce65f63b51e5eb8 183866 debian-installer optional
libcairo-directfb2-udeb_1.4.10-1+lenny2_i386.udeb
8085e2ea6496773168601e3f2a25c13c 476144 libs optional
libcairo-directfb2_1.4.10-1+lenny2_i386.deb
7a875fc23a0ec698742edd8306a94e00 544300 libdevel optional
libcairo-directfb2-dev_1.4.10-1+lenny2_i386.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHWpuXHYflSXNkfP8RApyYAKCI+9I2jrAvg6yG2u9vGowClRWvGgCfRRui
S1tkBryWoDXZhErPxmfYM4M=
=HYVB
-----END PGP SIGNATURE-----
--- End Message ---
