Your message dated Tue, 16 Feb 2016 22:46:26 +0000
with message-id <e1avoo2-0002rs...@franck.debian.org>
and subject line Bug#814067: fixed in xdelta3 0y.dfsg-1+deb6u1
has caused the Debian Bug report #814067,
regarding xdelta3: CVE-2014-9765: buffer overflow in main_get_appheader
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
814067: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xdelta3
Severity: grave
Tags: security upstream fixed-upstream
xdelta3 before 3.0.9 contains a buffer overflow which allows arbitrary
code execution from input files, at least on some systems.
3.0.0.dfsg-1 and 3.0.8-dfsg-1 are definitely affected.
On 08.02.2016 at 06:57:12 +0100 Salvatore Bonaccorso wrote:
> On Sun, Feb 07, 2016 at 07:05:12PM +0400, Stepan Golosunov wrote:
> > This appears to be fixed in xdelta3 3.0.9 and later via
> > https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
> > but not in Debian.
> >
> > What should be done next? Should I open a bug?
>
> Yes, since the commit is in the public git repo I think it is best to
> open a bug in the Debian BTS.
> p.s.: Just noticed there seem to be two git repositories by jmacd, the
> commit is as well in
>
> https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8
README.md says that this repository contains old data from
https://code.google.com/p/xdelta. Newer code and releases are
currently only in xdelta-devel.
--- End Message ---
--- Begin Message ---
Source: xdelta3
Source-Version: 0y.dfsg-1+deb6u1
We believe that the bug you reported is fixed in the latest version of
xdelta3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 814...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated xdelta3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 16 Feb 2016 11:21:13 +0100
Source: xdelta3
Binary: xdelta3 python-xdelta3
Architecture: source amd64
Version: 0y.dfsg-1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: A Mennucc1 <mennu...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-xdelta3 - Xdelta3 python module
xdelta3 - A diff utility which works with binary files
Closes: 814067
Changes:
xdelta3 (0y.dfsg-1+deb6u1) squeeze-lts; urgency=high
.
* CVE-2014-9765: Fix buffer overflow in main_get_appheader (Closes: #814067)
Checksums-Sha1:
22b314bfc5ed9ca04020e1d1d3c6d20ed7fe3c56 1717 xdelta3_0y.dfsg-1+deb6u1.dsc
26ef850455d19754d5bf57d383801064facadc68 211476 xdelta3_0y.dfsg.orig.tar.gz
89854bec61407a9318921c52dd766b5bb4323242 9170 xdelta3_0y.dfsg-1+deb6u1.debian.tar.gz
523ee3232b98d87ffb7602a3643b9f7e2a6d359d 90374 xdelta3_0y.dfsg-1+deb6u1_amd64.deb
205afb377807acca42921ff56679a98ed8ef95f9 151784 python-xdelta3_0y.dfsg-1+deb6u1_amd64.deb
Checksums-Sha256:
a16adbe636b2e0c0e9a77c63287e0631e88bb4d6f910d6727c5fc0f1698b4556 1717 xdelta3_0y.dfsg-1+deb6u1.dsc
c81f78cd9116015788442cbdf28e53b22850495c2b53cd5c77cb5b81d2537148 211476 xdelta3_0y.dfsg.orig.tar.gz
3165af99ebe51d14162b5cb61a94f24c4dce5524da1caeecddcbfc1e89cf32e1 9170 xdelta3_0y.dfsg-1+deb6u1.debian.tar.gz
774074bb62687805c8e8e7f05f1dde62df10fd77776dd78a5f099e58b584b48e 90374 xdelta3_0y.dfsg-1+deb6u1_amd64.deb
44aed8093ed08d27b431afcd163f7b242113210489a2fe25ac8988722d947c55 151784 python-xdelta3_0y.dfsg-1+deb6u1_amd64.deb
Files:
cd68d18ee41fbe7466fd24627a367cad 1717 utils optional xdelta3_0y.dfsg-1+deb6u1.dsc
7681d456828c6f114de7535df3a8ebd2 211476 utils optional xdelta3_0y.dfsg.orig.tar.gz
99f3d5b88cdff28c28e13b2ad35aa367 9170 utils optional xdelta3_0y.dfsg-1+deb6u1.debian.tar.gz
1eec344bb84f1d8249bbe9c30cccf97a 90374 utils optional xdelta3_0y.dfsg-1+deb6u1_amd64.deb
19a47c23e5c88af3cc82f9085eccfd10 151784 python optional python-xdelta3_0y.dfsg-1+deb6u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWwvmRAAoJEB6VPifUMR5Y0TgP/0KMz2ihZ431Uj31TDiFphsB
bcbQN/Z9z0WZubwr3KiVOptlFifkVeHiMYxQ4WLTQoKpJV92a55NFNtzzkTt0J0S
DPniGOl1C23E5h9JI+VSIj+zf7r3WpuxJUh1I8Ev5aI6Ei2ReYrQy7ddOgfazf2m
kw4QnJZNgGodde5lq78cg1CH6OkotSBvfI+gZAAiOE9iwr0pHZoVtiwZI7y2lUxm
o9t5BSvFL0KRLWI58Fo7+nEURMYLnKjkv2+V/WLG7stvoZHylD+zYRn3t0ChcZCQ
8jVkj8BoUaozgeGNtdlQtKXmg+fFzmiAC8cZv/Ss4BDtBt0c5s9F8AytGNYeNGnN
Mqzd4Iy/tb3wqGrMyiBeomOLnYLBNWVhbQo0iK6yqILQ01V8G9af5SKP6BLDXe/I
O1ujIdrMEKPToqwEXrkfuGnwEnGrO235pjbEbxDs3Vwynke3vPTU65YDqNnBniMK
kBaLS/Oyj8yMXdgX6Y8eAW6UYxi8z0qvN3TSCDrreVOLgF6gvmwDca4fzLlDLC50
6X+kyZYv+YzfUDGqVwNQ5yFoCPzvz/EK//me9akCZZxSujurK4gtKa2lfePOGUVe
wG42tGbggFi2kQKwPiFFw/o66QUbtofqyxyByObFtH1ufO9ct2AG1nVqqF3cP9US
GXW+qgGLfY7b+kSVY5P5
=QPXe
-----END PGP SIGNATURE-----
--- End Message ---
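The signed .changes file above lists SHA-1, SHA-256 and MD5 checksums for the uploaded xdelta3 artefacts. As an added example (this is not code from the BTS thread, from Debian's archive tooling or from the xdelta3 package), the POSIX shell helper below pulls the Checksums-Sha256 stanza out of a .changes file and checks downloaded files against it with sha256sum before they are installed. It assumes awk and GNU coreutils sha256sum are available; the stanza embedded in xdelta3_changes_stanza reuses the file names and hashes from the upload above, while the example package file used to exercise it is constructed on the fly.

```shell
#!/bin/sh
# Added example, not code from the Debian BTS thread or the xdelta3 package:
# turn the Checksums-Sha256 stanza of a .changes file into "sha256sum -c"
# input and verify the downloaded artefacts against it before installing.
# Assumes POSIX sh, awk and GNU coreutils sha256sum.

# Print "<sha256>  <filename>" for each entry of the Checksums-Sha256 stanza
# read on stdin. Entries are "<hash> <size> <name>", indented by one space;
# the stanza ends at the next unindented field (e.g. "Files:").
changes_sha256_list() {
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        in_stanza && /^[^ ]/ { in_stanza = 0 }
        in_stanza && NF == 3 { printf "%s  %s\n", $1, $3 }
    '
}

# Verify every file listed in the .changes file $1 against its SHA-256
# stanza, looking the files up in directory $2. Returns 0 only if all files
# are present and match, 1 on a mismatch or missing file, 2 if no stanza.
verify_changes_sha256() {
    changes_file=$1
    dir=$2
    list=$(changes_sha256_list < "$changes_file")
    if [ -z "$list" ]; then
        echo "no Checksums-Sha256 stanza in $changes_file" >&2
        return 2
    fi
    # --strict also fails on malformed lines, not only on hash mismatches.
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c --strict - ) >/dev/null 2>&1
}

# Sample input: the stanza from the xdelta3 0y.dfsg-1+deb6u1 upload above,
# embedded here for changes_sha256_list (the files themselves are not here).
xdelta3_changes_stanza() {
    cat <<'EOF'
Format: 1.8
Source: xdelta3
Checksums-Sha256:
 a16adbe636b2e0c0e9a77c63287e0631e88bb4d6f910d6727c5fc0f1698b4556 1717 xdelta3_0y.dfsg-1+deb6u1.dsc
 c81f78cd9116015788442cbdf28e53b22850495c2b53cd5c77cb5b81d2537148 211476 xdelta3_0y.dfsg.orig.tar.gz
 3165af99ebe51d14162b5cb61a94f24c4dce5524da1caeecddcbfc1e89cf32e1 9170 xdelta3_0y.dfsg-1+deb6u1.debian.tar.gz
 774074bb62687805c8e8e7f05f1dde62df10fd77776dd78a5f099e58b584b48e 90374 xdelta3_0y.dfsg-1+deb6u1_amd64.deb
 44aed8093ed08d27b431afcd163f7b242113210489a2fe25ac8988722d947c55 151784 python-xdelta3_0y.dfsg-1+deb6u1_amd64.deb
Files:
 cd68d18ee41fbe7466fd24627a367cad 1717 utils optional xdelta3_0y.dfsg-1+deb6u1.dsc
EOF
}

# Usage (hypothetical file names):
#   verify_changes_sha256 xdelta3_0y.dfsg-1+deb6u1_amd64.changes . && dpkg -i xdelta3_0y.dfsg-1+deb6u1_amd64.deb
```

Two caveats for anyone using this in practice: the "Files:" stanza carries MD5 digests, which are collision-broken and should not be the basis of a check when the SHA-256 stanza is present; and the hashes only bind the files to this particular .changes, so verify its PGP signature (for example with gpg --verify) against a key you actually trust first, otherwise a matching checksum list proves nothing about who produced the files.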