Processed: Re: CVE-2010-0055: Signature verification bypass
Processing commands for cont...@bugs.debian.org: > tags 572556 + patch Bug #572556 [xar] CVE-2010-0055: Signature verification bypass Added tag(s) patch. > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database) -- To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/handler.s.c.126872261426772.transcr...@bugs.debian.org
Bug#572556: CVE-2010-0055: Signature verification bypass
tags 572556 + patch thanks Hello, I backported patch in attached file from xar svn revision 225 to 1.5.2 branch. Thank you Chatchai Jantaraprim Index: xar/lib/archive.c === --- xar/lib/archive.c (revision 224) +++ xar/lib/archive.c (revision 225) @@ -330,6 +330,44 @@ EVP_DigestFinal(&XAR(ret)->toc_ctx, toccksum, &tlen); + const char *value; + uint64_t offset = 0; + uint64_t length = tlen; + if( xar_prop_get( XAR_FILE(ret) , "checksum/offset", &value) == 0 ) { + errno = 0; + offset = strtoull( value, (char **)NULL, 10); + if( errno != 0 ) { +xar_close(ret); +return NULL; + } + } else if( xar_signature_first(ret) != NULL ) { + // All archives that have a signature also specify the location + // of the checksum. If the location isn't specified, error out. + xar_close(ret); + return NULL; + } + + XAR(ret)->heap_offset = xar_get_heap_offset(ret) + offset; + if( lseek(XAR(ret)->fd, XAR(ret)->heap_offset, SEEK_SET) == -1 ) { + xar_close(ret); + return NULL; + } + if( xar_prop_get( XAR_FILE(ret) , "checksum/size", &value) == 0 ) { + errno = 0; + length = strtoull( value, (char **)NULL, 10); + if( errno != 0 ) { +xar_close(ret); +return NULL; + } + } else if( xar_signature_first(ret) != NULL ) { + xar_close(ret); + return NULL; + } + if( length != tlen ) { + xar_close(ret); + return NULL; + } + xar_read_fd(XAR(ret)->fd, cval, tlen); XAR(ret)->heap_offset += tlen; if( memcmp(cval, toccksum, tlen) != 0 ) {
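Review bot: both strtoull() calls in the added block (for "checksum/offset" and "checksum/size") only test errno, so an empty or non-numeric property value parses as 0 and a value with trailing characters parses as its numeric prefix, neither of which is rejected; pass an end pointer instead of (char **)NULL and fail the open when no digits were consumed or *end is not '\0'. The sum xar_get_heap_offset(ret) + offset is unchecked uint64_t arithmetic on a value taken from the archive and is then handed to lseek(), which takes a signed off_t, so it would be safer to bound offset before the addition rather than rely on lseek() returning -1. The return value of xar_read_fd(XAR(ret)->fd, cval, tlen) in the trailing context is still ignored, so a short read goes straight into the memcmp() against toccksum; checking it here would complete the fix.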
Bug#574023: Removed package(s) from unstable
We believe that the bug you reported is now fixed; the following package(s) have been removed from unstable: libxar1 |1.5.2-2 | alpha, amd64, armel, hppa, hurd-i386, i386, ia64, mips, mipsel, powerpc, s390, sparc libxar1-dev |1.5.2-2 | alpha, amd64, armel, hppa, hurd-i386, i386, ia64, mips, mipsel, powerpc, s390, sparc xar |1.5.2-2 | source, alpha, amd64, armel, hppa, hurd-i386, i386, ia64, mips, mipsel, powerpc, s390, sparc --- Reason --- RoQA; security buggy, orphaned, mostly unused -- Note that the package(s) have simply been removed from the tag database and may (or may not) still be in the pool; this is not a bug. The package(s) will be physically removed automatically when no suite references them (and in the case of source, when no binary references it). Please also remember that the changes have been done on the master archive (ftp-master.debian.org) and will not propagate to any mirrors (ftp.debian.org included) until the next cron.daily run at the earliest. Packages are usually not removed from testing by hand. Testing tracks unstable and will automatically remove packages which were removed from unstable when removing them from testing causes no dependency problems. The release team can force a removal from testing if it is really needed, please contact them if this should be the case. Bugs which have been reported against this package are not automatically removed from the Bug Tracking System. Please check all open bugs and close them or re-assign them to another package if the removed package was superseded by another one. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 574...@bugs.debian.org. The full log for this bug can be viewed at http://bugs.debian.org/574023 This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org. Debian distribution maintenance software pp. 
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)
Processing of tix_8.4.3-2_amd64.changes
tix_8.4.3-2_amd64.changes uploaded successfully to localhost along with the files: tix_8.4.3-2.dsc tix_8.4.3.orig.tar.gz tix_8.4.3-2.diff.gz tix_8.4.3-2_amd64.deb tix-dev_8.4.3-2_amd64.deb Greetings, Your Debian queue daemon (running on host ries.debian.org)
tix_8.4.3-2_amd64.changes ACCEPTED
Accepted: tix-dev_8.4.3-2_amd64.deb to main/t/tix/tix-dev_8.4.3-2_amd64.deb tix_8.4.3-2.diff.gz to main/t/tix/tix_8.4.3-2.diff.gz tix_8.4.3-2.dsc to main/t/tix/tix_8.4.3-2.dsc tix_8.4.3-2_amd64.deb to main/t/tix/tix_8.4.3-2_amd64.deb tix_8.4.3.orig.tar.gz to main/t/tix/tix_8.4.3.orig.tar.gz Override entries for your package: tix-dev_8.4.3-2_amd64.deb - optional devel tix_8.4.3-2.dsc - source libs tix_8.4.3-2_amd64.deb - optional libs Announcing to debian-devel-chan...@lists.debian.org Closing bugs: 449786 Thank you for your contribution to Debian.
Bug#449786: marked as done (tix: debian/watch fails to report upstream's version)
Your message dated Tue, 16 Mar 2010 22:32:38 + with message-id and subject line Bug#449786: fixed in tix 8.4.3-2 has caused the Debian Bug report #449786, regarding tix: debian/watch fails to report upstream's version to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 449786: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449786 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Source: tix Version: 8.4.0-6 Severity: minor Usertags: dehs-no-upstream Hello maintainer, The debian/watch file of your package on the unstable distribution fails to report upstream's version. Uscan's message follows: uscan warning: In /tmp/tix_watchqom08C, no matching hrefs for watch line http://prdownloads.sourceforge.net/tix/tix-([\d\.]*)\.tar\.gz Please note that this message is auto-generated by extracting the information from the Debian External Health Status (a.k.a. DEHS) no_upstream page[1]. At the moment of running the package version found is the one indicated in the report. If you have already fixed this issue please ignore and close this report. If you believe this message can be improved in any way don't hesitate to contact me by replying to n-submit...@bugs.debian.org (where N is the number of this bug report). If you wish not to be notified in the future contact me so I add you to the ignore list. [1] http://dehs.alioth.debian.org/no_upstream.html Kind regards, Raphael Geissert.
--- End Message --- --- Begin Message --- Source: tix Source-Version: 8.4.3-2 We believe that the bug you reported is fixed in the latest version of tix, which is due to be installed in the Debian FTP archive: tix-dev_8.4.3-2_amd64.deb to main/t/tix/tix-dev_8.4.3-2_amd64.deb tix_8.4.3-2.diff.gz to main/t/tix/tix_8.4.3-2.diff.gz tix_8.4.3-2.dsc to main/t/tix/tix_8.4.3-2.dsc tix_8.4.3-2_amd64.deb to main/t/tix/tix_8.4.3-2_amd64.deb tix_8.4.3.orig.tar.gz to main/t/tix/tix_8.4.3.orig.tar.gz A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 449...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Christophe Trophime (supplier of updated tix package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Mon, 15 Mar 2010 16:27:40 +0100 Source: tix Binary: tix tix-dev Architecture: source amd64 Version: 8.4.3-2 Distribution: unstable Urgency: low Maintainer: Debian QA Group Changed-By: Christophe Trophime Description: tix- The Tix library for Tk -- runtime package tix-dev- The Tix library for Tk -- development package Closes: 449786 Changes: tix (8.4.3-2) unstable; urgency=low . * QA upload. * Set $dir to /usr/lib in pkgIndex.tcl * Move /usr/share/tix8.3 to /usr/share/tcltk/tk8.5/Tix8.4.3 . tix (8.4.3-1) unstable; urgency=low . * QA upload. * New upstream release . 
[Raphael Geissert] * Fix watch file (Closes: #449786)
Bug#574189: Please provide a curl-gnutls package for debugging
Source: curl Version: 7.20.0-1 Severity: wishlist curl uses OpenSSL for SSL support, but various packages using libcurl-gnutls use GnuTLS. It would be nice for debugging to have a curl-gnutls binary built with libcurl-gnutls, to quickly check if a problem is going to show up for all users of libcurl-gnutls or just one. What do you think? Jonathan
Bug#342719: curl: Please build against libcurl3-gnutls
forcemerge 574189 342719 thanks Adrian Bunk wrote: > It would be nice if the curl package was built against libcurl3-gnutls. In an attempt at reading your mind, I’m guessing your reasoning was the same as mine: > curl uses OpenSSL for SSL support, but various packages using > libcurl-gnutls use GnuTLS. It would be nice for debugging to have a > curl-gnutls binary built with libcurl-gnutls, to quickly check if a > problem is going to show up for all users of libcurl-gnutls or just > one. An alternative reason would be to avoid having two SSL implementations at all, but I think there are other places to start for that. Anyway, please unmerge if I misunderstood. Cheers, Jonathan
Processed: Re: curl: Please build against libcurl3-gnutls
Processing commands for cont...@bugs.debian.org: > reassign 342719 src:curl Bug #342719 [curl] curl: Please build against libcurl3-gnutls Bug reassigned from package 'curl' to 'src:curl'. Bug No longer marked as found in versions curl/7.15.1-1. > forcemerge 574189 342719 Bug#574189: Please provide a curl-gnutls package for debugging Bug#342719: curl: Please build against libcurl3-gnutls Forcibly Merged 342719 574189. > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)