Your message dated Sat, 11 Apr 2009 16:47:14 +0000
with message-id <e1lsgmm-0001ss...@ries.debian.org>
and subject line Bug#520046: fixed in glib2.0 2.16.6-1+lenny1
has caused the Debian Bug report #520046,
regarding glib2.0: CVE-2008-4316 large string vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
520046: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: glib2.0
severity: grave
tags: security
it has been found that libsoup is vulnerable to an integer overflow
attack, see CVE-2008-4316 [1]. details are:
Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
context-dependent attackers to execute arbitrary code via a long
string that is converted either (1) from or (2) to a base64
representation.
since this potentially allows remote attackers to execute arbitrary
code, it should be treated with high urgency.
this was just fixed in ubuntu, so it may be possible to adopt their
patch [2].
note that bug #520039 in libsoup is related (an exact code copy).
if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog. please contact the security team to coordinate
a fix for stable and/or if you have any questions.
regards,
mike
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
[2] http://www.ubuntu.com/usn/USN-738-1
--- End Message ---
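The report above describes length arithmetic in gbase64.c wrapping on very large inputs. As an added illustration (my own code, not GLib's or Debian's, with hypothetical function names and illustrative sizing formulas), here is the naive multiply-first sizing beside a hardened version that proves the result fits in size_t before allocating, plus an encoder that refuses oversized input instead of wrapping:

```c
/* Added example, not GLib's code: overflow-aware Base64 buffer sizing, the
 * class of check CVE-2008-4316 called for. Function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Naive sizing pattern: multiply first, so a very large len wraps and the
 * caller allocates a buffer far smaller than the encoder will then write. */
size_t naive_encoded_size(size_t len) { return (len / 3 + 1) * 4 + 1; }
size_t naive_decoded_size(size_t len) { return len * 3 / 4 + 1; }
/* Hardened encode sizing: prove groups * 4 + 1 fits in size_t before
 * computing it. Returns 0 (never a valid size) when it would not. */
size_t safe_encoded_size(size_t len)
{
    size_t groups = len / 3 + 1;        /* len/3 < SIZE_MAX, so +1 cannot wrap */
    if (groups > (SIZE_MAX - 1) / 4)    /* groups * 4 + 1 would wrap */
        return 0;
    return groups * 4 + 1;              /* room for padding and the NUL */
}
/* Hardened decode sizing: divide before multiplying, so the product never
 * exceeds 3/4 of SIZE_MAX; +3 covers a partial last quartet plus the NUL. */
size_t safe_decoded_size(size_t len) { return (len / 4) * 3 + 3; }
static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Encoder that refuses oversized input instead of wrapping the allocation.
 * Returns a malloc'd NUL-terminated string, or NULL on overflow / ENOMEM. */
char *encode_checked(const unsigned char *data, size_t len)
{
    size_t need = safe_encoded_size(len), i, o = 0;
    char *out = need ? malloc(need) : NULL;
    if (!out)
        return NULL;
    for (i = 0; i + 2 < len; i += 3) {  /* full 3-byte groups */
        uint32_t v = ((uint32_t)data[i] << 16) | (data[i + 1] << 8) | data[i + 2];
        out[o++] = tbl[v >> 18];       out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63]; out[o++] = tbl[v & 63];
    }
    if (i < len) {                      /* 1 or 2 trailing bytes: pad with '=' */
        uint32_t v = (uint32_t)data[i] << 16;
        if (i + 1 < len)
            v |= data[i + 1] << 8;
        out[o++] = tbl[v >> 18];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}
```

Feeding SIZE_MAX to the naive formulas yields a size smaller than the input itself, which is exactly the undersized allocation a later write overruns; the hardened sizing returns 0 and the encoder declines.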
--- Begin Message ---
Source: glib2.0
Source-Version: 2.16.6-1+lenny1
We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:
glib2.0_2.16.6-1+lenny1.diff.gz
to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.diff.gz
glib2.0_2.16.6-1+lenny1.dsc
to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.dsc
libgio-fam_2.16.6-1+lenny1_amd64.deb
to pool/main/g/glib2.0/libgio-fam_2.16.6-1+lenny1_amd64.deb
libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
libglib2.0-0_2.16.6-1+lenny1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-0_2.16.6-1+lenny1_amd64.deb
libglib2.0-data_2.16.6-1+lenny1_all.deb
to pool/main/g/glib2.0/libglib2.0-data_2.16.6-1+lenny1_all.deb
libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
to pool/main/g/glib2.0/libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
libglib2.0-doc_2.16.6-1+lenny1_all.deb
to pool/main/g/glib2.0/libglib2.0-doc_2.16.6-1+lenny1_all.deb
libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
to pool/main/g/glib2.0/libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 520...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Dröge <sl...@debian.org> (supplier of updated glib2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Tue, 17 Mar 2009 13:40:17 +0100
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-udeb libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam
Architecture: source all amd64
Version: 2.16.6-1+lenny1
Distribution: stable-security
Urgency: low
Maintainer: Loic Minier <l...@dooz.org>
Changed-By: Sebastian Dröge <sl...@debian.org>
Description:
libgio-fam - GLib Input, Output and Streaming Library (fam module)
libglib2.0-0 - The GLib library of C routines
libglib2.0-0-dbg - The GLib libraries and debugging symbols
libglib2.0-data - Common files for GLib library
libglib2.0-dev - Development files for the GLib library
libglib2.0-doc - Documentation files for the GLib library
libglib2.0-udeb - The GLib library of C routines - minimal runtime (udeb)
Closes: 520046
Changes:
glib2.0 (2.16.6-1+lenny1) stable-security; urgency=low
.
* SECURITY: 12_base64-overflow-CVE-2008-4316.patch:
+ Possible arbitrary code execution when processing large Base64 strings.
Patch from upstream SVN, fixes CVE-2008-4316 (Closes: #520046).
Package-Type: udeb
--- End Message ---