Your message dated Fri, 12 Feb 2016 22:07:46 +0000
with message-id <e1aulsq-0006v9...@franck.debian.org>
and subject line Bug#814067: fixed in xdelta3 3.0.8-dfsg-1.1
has caused the Debian Bug report #814067,
regarding xdelta3: CVE-2014-9765: buffer overflow in main_get_appheader
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
814067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xdelta3
Severity: grave
Tags: security upstream fixed-upstream

xdelta3 before 3.0.9 contains a buffer overflow which allows arbitrary
code execution from input files, at least on some systems.

3.0.0.dfsg-1 and 3.0.8-dfsg-1 are definitely affected.

On 08.02.2016 at 06:57:12 +0100, Salvatore Bonaccorso wrote:
> On Sun, Feb 07, 2016 at 07:05:12PM +0400, Stepan Golosunov wrote:
> > This appears to be fixed in xdelta3 3.0.9 and later via
> > https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
> > but not in Debian.
> > 
> > What should be done next? Should I open a bug?
> 
> Yes, since the commit is in the public git repo I think it is best to
> open a bug in the Debian BTS.

> p.s.: Just noticed there seem to be two git repositories by jmacd, the
>       commit is as well in
>       
> https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8

README.md says that this repository contains old data from
https://code.google.com/p/xdelta. Newer code and releases are
currently only in xdelta-devel.

--- End Message ---
--- Begin Message ---
Source: xdelta3
Source-Version: 3.0.8-dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
xdelta3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 814...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated xdelta3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Feb 2016 21:33:10 +0100
Source: xdelta3
Binary: xdelta3
Architecture: source
Version: 3.0.8-dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: A Mennucc1 <mennu...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 814067
Description: 
 xdelta3    - Diff utility which works with binary files
Changes:
 xdelta3 (3.0.8-dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2014-9765: buffer overflow in main_get_appheader (Closes: #814067)
Checksums-Sha1: 
 28a0399b228bf6ad82a67ae7876f7bb59de18963 1716 xdelta3_3.0.8-dfsg-1.1.dsc
 8cc5ec9c6fe6a3ebd82cb5dbb38b6456ef46223a 13016 xdelta3_3.0.8-dfsg-1.1.debian.tar.xz
Checksums-Sha256: 
 564c83da43e18383b4bf72bbd9696710826ce708734629f6cd2af819486505a3 1716 xdelta3_3.0.8-dfsg-1.1.dsc
 174fd57b6831fdec40e29420382d673dc50570b9eb6d5d47f820bc87574d67ad 13016 xdelta3_3.0.8-dfsg-1.1.debian.tar.xz
Files: 
 e7e2ef82a058b96dec7fc34fcf819a15 1716 utils optional xdelta3_3.0.8-dfsg-1.1.dsc
 edc5fad98529aa56043d40fda1250fc6 13016 utils optional xdelta3_3.0.8-dfsg-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWu580AAoJEAVMuPMTQ89ELI4P/1jdEq93oa55UcxJuz0uSw/N
bfV9m7j0A5LBlX0EFHn/8eqHeMJtNQoM802B2zjhAPj7rrkntCjoirCOWMaff3g/
q6u3RLt85gQJIHfFgQMdcJvgNpEkOC3FPOAuFsZYhX+qenP7RbALgofPG3XNyEb7
A5AUj6vHNdqAMKNURyXHWl8wlW3udJ+qCD1s1IfTUzpFQjflqpIO9dmGpwPThH+5
FSjH9xAajPccAR+TK6lDdLDr9OsxUbvjRXJgL5lTWbbkKa2U1IhKCeY06/OSZxKY
eeRNl8I53yFtelK7BCRpgf18+8VUGnHccZgvY5zCg0OJmyAoamL3x9E9QIW7fSnb
C1/dGOy3fTE3clyB5FursNvki0PxeEE4tE0ItVoZr3Rc+9Uz9SgpKVUos/huBWQE
/STuEWVwncEGwpcOnyupayYsusl5SibsTxXgGD4erDrv9SiBpYe+95eiZRvCtmhu
sBWIp3Rx1kup3UWiorLD9yLUX5iw+L9kPijitls7lXbmjOFix5/sY78AR99MJpV3
5C3vP/3zT6upi2pOiFVfqJJM/zCIyadf4kO3Udr1pBn25CBMcFOseHWGEN+CfIjf
n5tplp4UcDBwYsekDK8ZFRfnX6c+L6fHR64DENf29Bjmy/Dvj2fdz2NVyBvkDHJJ
CSSrvs5utlj2EK5qWe82
=ObMv
-----END PGP SIGNATURE-----

--- End Message ---
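A practitioner pulling the 3.0.8-dfsg-1.1 source to rebuild or audit the CVE-2014-9765 fix would first check the downloaded .dsc and .debian.tar.xz against the Checksums-Sha256 stanza of the signed .changes above (after verifying the .changes signature itself with gpg, which this script does not do). The following is an added example, not code from the Debian BTS, the archive tooling, or the xdelta3 package. The stanza it embeds is copied from the message above; the file content used in demo_tamper_detection is constructed for the demonstration.

```python
"""Verify downloaded Debian source files against a .changes Checksums-Sha256 stanza.

Added example, not part of the Debian BTS message or of xdelta3. It assumes
the .changes text has already been authenticated (gpg --verify) before its
checksums are trusted; only the size and SHA-256 comparison is done here.
"""
import hashlib
import os
import re
import tempfile

# Relevant fields of the xdelta3_3.0.8-dfsg-1.1 .changes quoted above, one
# entry per line as the .changes format requires.
XDELTA3_CHANGES = """\
Format: 1.8
Source: xdelta3
Version: 3.0.8-dfsg-1.1
Checksums-Sha256:
 564c83da43e18383b4bf72bbd9696710826ce708734629f6cd2af819486505a3 1716 xdelta3_3.0.8-dfsg-1.1.dsc
 174fd57b6831fdec40e29420382d673dc50570b9eb6d5d47f820bc87574d67ad 13016 xdelta3_3.0.8-dfsg-1.1.debian.tar.xz
Files:
 e7e2ef82a058b96dec7fc34fcf819a15 1716 utils optional xdelta3_3.0.8-dfsg-1.1.dsc
"""

# One stanza entry: 64 hex digits, a decimal size, a bare filename.
ENTRY_RE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.

    The MD5-based Files: field is deliberately ignored: MD5 collisions are
    practical, so it must not be what a verifier relies on.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza and not line.startswith(" "):
            break  # next field reached; continuation lines begin with a space
        if in_stanza:
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("malformed Checksums-Sha256 entry: %r" % line)
            digest, size, name = m.groups()
            # A .changes from an untrusted source must not steer us out of the
            # download directory via a path component in the filename.
            if "/" in name or name in ("", ".", ".."):
                raise ValueError("unsafe filename in .changes: %r" % name)
            entries[name] = (digest, int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 stanza found")
    return entries


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Return {filename: bool}; True only if the file exists and size and digest match."""
    results = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or os.path.getsize(path) != size:
            results[name] = False
            continue
        results[name] = sha256_file(path) == digest
    return results


def demo_tamper_detection():
    """Constructed round trip: a file verifies, then fails after one byte changes."""
    with tempfile.TemporaryDirectory() as d:
        name = "example_1.0-1.dsc"  # constructed filename and content
        path = os.path.join(d, name)
        data = b"Format: 3.0 (quilt)\nSource: example\n"
        with open(path, "wb") as f:
            f.write(data)
        changes = "Checksums-Sha256:\n %s %d %s\nFiles:\n" % (
            hashlib.sha256(data).hexdigest(), len(data), name)
        before = verify_files(changes, d)[name]
        with open(path, "r+b") as f:  # change one byte; size stays the same
            f.seek(0)
            f.write(b"f")
        after = verify_files(changes, d)[name]
    return before, after


if __name__ == "__main__":
    print("parsed:", parse_checksums_sha256(XDELTA3_CHANGES))
    print("constructed file before/after tampering:", demo_tamper_detection())
```

On a Debian host the same check is normally the one-liner `sha256sum -c` fed with the stanza; the script spells out the size-plus-digest comparison and the filename sanity check, and it reports a missing file as a failure rather than skipping it, since an absent .debian.tar.xz means the NMU's packaging changes cannot be audited.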
