Your message dated Fri, 21 Nov 2008 09:47:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#506377: fixed in streamripper 1.63.5-2
has caused the Debian Bug report #506377,
regarding CVE-2008-4829: Streamripper multiple buffer overflow vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
506377: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506377
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: streamripper
Version: 1.63.5-1
Severity: grave
Tags: security patch
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was published for
streamripper.
CVE-2008-4829/SA32562[1]:
> Secunia Research has discovered some vulnerabilities in Streamripper, which
> can be exploited by malicious people to compromise a user's system.
>
> 1) A boundary error exists within the function "http_parse_sc_header()" in
> lib/http.c when parsing an overly long HTTP header starting with
> "Zwitterion v".
>
> 2) A boundary error exists within the function "http_get_pls()" in
> lib/http.c when parsing a specially crafted pls playlist containing an
> overly long entry.
>
> 3) A boundary error exists within the function "http_get_m3u()" in
> lib/http.c when parsing a specially crafted m3u playlist containing an
> overly long "File" entry.
>
> Successful exploitation allows the execution of arbitrary code, but
> requires that a user is tricked into connecting to a malicious server.
>
> The vulnerabilities are confirmed in version 1.63.5. Other versions may
> also be affected.
The patch by upstream to fix the vulnerabilities can be found at [2].
It would be great if you could verify whether the version in etch is also
affected.
If you fix the vulnerability please also make sure to include the CVE id in
the changelog entry.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4829
http://security-tracker.debian.net/tracker/CVE-2008-4829
http://secunia.com/Advisories/32562/
[2] http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/lib/http.c?view=patch&r1=1.50&r2=1.51&pathrev=sripper-1_64_0
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
--- End Message ---
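The three advisory items in the report above describe one defect class: a value taken from network input (an HTTP header value, a pls or m3u playlist entry) is copied into a fixed-size buffer without first checking that it fits. The C below is an added illustration of that class and of the length check that removes it; it is not streamripper's lib/http.c and not the upstream patch at [2]. The buffer sizes, the "Zwitterion v" prefix handling, the pls walker and the sample playlist are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Slot size is constructed for this example, not streamripper's buffer size;
 * the point is that every copy below is checked against it before writing. */
#define ENTRY_MAX   64
#define MAX_ENTRIES 8

/* Copy `value` up to its line terminator into `out` (out_size bytes).
 * Returns 1 on success, 0 when the value plus its NUL would not fit. An
 * unchecked strcpy()/sprintf() here is the "boundary error" the advisory
 * describes; measuring before copying is the remedy. */
static int copy_line_value(const char *value, char *out, size_t out_size)
{
    size_t vlen = strcspn(value, "\r\n");
    if (out_size == 0 || vlen >= out_size)
        return 0;                       /* reject rather than overflow */
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Header line such as "Zwitterion v1.2.3\r\n": strip `prefix`, then copy the
 * remainder into a fixed buffer, bounded. */
int parse_prefixed_header(const char *line, const char *prefix,
                          char *out, size_t out_size)
{
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return 0;
    return copy_line_value(line + plen, out, out_size);
}

/* pls-style body: collect the values of "File<n>=" lines into fixed slots.
 * Returns the count accepted; overlong or surplus values go to *rejected. */
int parse_pls(const char *body, char entries[][ENTRY_MAX], int max_entries,
              int *rejected)
{
    int accepted = 0;
    *rejected = 0;
    for (const char *p = body; *p; ) {
        size_t len = strcspn(p, "\n");
        const char *eq = memchr(p, '=', len);
        if (eq && strncmp(p, "File", 4) == 0) {
            if (accepted < max_entries &&
                copy_line_value(eq + 1, entries[accepted], ENTRY_MAX))
                accepted++;
            else
                (*rejected)++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return accepted;
}

/* Constructed playlist for the demo (not captured from a real server): the
 * second entry is deliberately longer than ENTRY_MAX. */
static const char *sample_pls(void)
{
    static char body[512];
    char overlong[ENTRY_MAX + 40];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    snprintf(body, sizeof body,
             "[playlist]\nFile1=http://stream.example.invalid/a\n"
             "File2=%s\nFile3=http://stream.example.invalid/c\n"
             "NumberOfEntries=3\n", overlong);
    return body;
}

int demo_header_ok(void)
{
    char out[ENTRY_MAX];
    return parse_prefixed_header("Zwitterion v1.2.3\r\n", "Zwitterion v",
                                 out, sizeof out) && strcmp(out, "1.2.3") == 0;
}

int demo_header_overlong(void)
{
    char line[ENTRY_MAX * 4], out[ENTRY_MAX];
    memset(line, 'A', sizeof line - 1);     /* far longer than `out` */
    line[sizeof line - 1] = '\0';
    memcpy(line, "Zwitterion v", 12);
    return parse_prefixed_header(line, "Zwitterion v", out, sizeof out);
}

int demo_pls_accepted(void)
{
    char entries[MAX_ENTRIES][ENTRY_MAX];
    int rejected;
    return parse_pls(sample_pls(), entries, MAX_ENTRIES, &rejected);
}

int demo_pls_rejected(void)
{
    char entries[MAX_ENTRIES][ENTRY_MAX];
    int rejected;
    parse_pls(sample_pls(), entries, MAX_ENTRIES, &rejected);
    return rejected;
}

int main(void)
{
    printf("header ok=%d overlong accepted=%d pls accepted=%d rejected=%d\n",
           demo_header_ok(), demo_header_overlong(),
           demo_pls_accepted(), demo_pls_rejected());
    return 0;
}
```

The design choice worth noting is that an entry which does not fit is rejected, not silently truncated: a truncated URL or version string is still wrong data, and rejecting makes the malformed input visible in logs or error paths where a defender can see it.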
--- Begin Message ---
Source: streamripper
Source-Version: 1.63.5-2
We believe that the bug you reported is fixed in the latest version of
streamripper, which is due to be installed in the Debian FTP archive:
streamripper_1.63.5-2.diff.gz
to pool/main/s/streamripper/streamripper_1.63.5-2.diff.gz
streamripper_1.63.5-2.dsc
to pool/main/s/streamripper/streamripper_1.63.5-2.dsc
streamripper_1.63.5-2_amd64.deb
to pool/main/s/streamripper/streamripper_1.63.5-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Ablassmeier <[EMAIL PROTECTED]> (supplier of updated streamripper
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 21 Nov 2008 10:03:08 +0100
Source: streamripper
Binary: streamripper
Architecture: source amd64
Version: 1.63.5-2
Distribution: unstable
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Michael Ablassmeier <[EMAIL PROTECTED]>
Description:
streamripper - download online streams into audio files
Closes: 506377
Changes:
streamripper (1.63.5-2) unstable; urgency=high
.
* Add debian/patches/CVE-2008-4829.diff, fix multiple vulnerabilities
described in CVE-2008-4829, which can result in remote code execution.
(Closes: #506377)
Checksums-Sha1:
45b5111a98be1a4ece3c1af99a8f9518e661c5cb 1085 streamripper_1.63.5-2.dsc
8d054482e01425efcfcbf509bb0ec3b6824d62c1 5325 streamripper_1.63.5-2.diff.gz
85fc0b5d3666a0e6310132520d124f5c7e246e64 90948 streamripper_1.63.5-2_amd64.deb
Checksums-Sha256:
bae0d3cfc4b92399b778390cf30bec030645132517fdf2483aaa27196887b081 1085 streamripper_1.63.5-2.dsc
f96080a038389a3a530612da248ffa1fb7cd6cab146c3ab7bcccf9ad95940be8 5325 streamripper_1.63.5-2.diff.gz
be61b571524e96a392ab86ce270c8bfe4f3509694a401240be481072f20dc9bd 90948 streamripper_1.63.5-2_amd64.deb
Files:
34f10db1eaf96cb0ce2f552525f13d37 1085 sound optional streamripper_1.63.5-2.dsc
e040237c710c8507a05e8ab2e4f061e5 5325 sound optional streamripper_1.63.5-2.diff.gz
b1b4bf32934d627faeaff9164c18460f 90948 sound optional streamripper_1.63.5-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkmgEYACgkQEFV7g4B8rCVEiwCfW6+9nw9sUSFo6sjZsf/mblgs
GFoAoNIOhpss2C946Z/Dk03wivnppypW
=OMiG
-----END PGP SIGNATURE-----
--- End Message ---