pennmush: possible vulnerabilities in pennmush cause DoS

Debian Bug report logs - #436249
pennmush: possible vulnerabilities in pennmush cause DoS

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pennmush: possible vulnerabilities in pennmus cause DoS

Date: Tue, 07 Aug 2007 01:33:39 +1000

Package: pennmush
Severity: important

Hi

The following CVE[0] has been issued against pennmush. I am not quite
sure, if the versions in Debian are affected. Please check. The text
says:

Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1
and 1.8.2 before 1.8.2p3 allow attackers to cause a denial of service
(crash) related to the (1) speak and (2) buy functions.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1431

Message #10 received at 436249@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: control@bugs.debian.org

Cc: Wesley J. Landaker <wjl@icecavern.net>, 436249@bugs.debian.org

Subject: increase severity

Date: Wed, 12 Sep 2007 21:30:08 +1000

[Message part 1 (text/plain, inline)]

severity 436249 grave
thanks

Hi

From what I can see, there are a few issues, which should be fixed for 
testing. I heard that the current maintainer is not that responsive 
(apologies, in case I am wrong), therefore I am cc'ing the sponsor. Please 
someone fix the bugs by packaging the new upstream version, otherwise the 
testing-security team has to ask for the removal from testing.
Thanks for your efforts.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 436249@bugs.debian.org (full text, mbox, reply):

From: "Wesley J. Landaker" <wjl@icecavern.net>

To: Steffen Joeris <steffen.joeris@skolelinux.de>, 436249@bugs.debian.org

Subject: Re: Bug#436249: increase severity

Date: Wed, 12 Sep 2007 10:51:44 -0600

[Message part 1 (text/plain, inline)]

On Wednesday 12 September 2007 05:30:08 Steffen Joeris wrote:
> severity 436249 grave
> thanks

> From what I can see, there are a few issues, which should be fixed for
> testing. I heard that the current maintainer is not that responsive
> (apologies, in case I am wrong), therefore I am cc'ing the sponsor.
> Please someone fix the bugs by packaging the new upstream version,
> otherwise the testing-security team has to ask for the removal from
> testing.
> Thanks for your efforts.

Reading the CVE, I'm not sure that the bug merits "grave", but whatever, it 
needs to get fixed either way.

I'm in process of trying to contact the maintainer and see if he is going to 
fix this by packaging the new upstream (he is an active PennMUSH developer 
as far as I know). 

If not, there are some folks who will adopt this.

-- 
Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 436249@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 436249@bugs.debian.org

Subject: Re: Bug#436249: increase severity

Date: Sun, 23 Sep 2007 15:25:28 +0200

[Message part 1 (text/plain, inline)]

Hi,
any news on how the package maintainance will proceed?
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #27 received at 436249@bugs.debian.org (full text, mbox, reply):

From: "Wesley J. Landaker" <wjl@icecavern.net>

To: Nico Golde <nion@debian.org>, 436249@bugs.debian.org

Cc: Ervin Hearn III <noltar@korongil.net>

Subject: Re: Bug#436249: increase severity

Date: Sun, 23 Sep 2007 10:03:16 -0600

[Message part 1 (text/plain, inline)]

On Sunday 23 September 2007 07:25:28 Nico Golde wrote:
> Hi,
> any news on how the package maintainance will proceed?
> Kind regards
> Nico

I heard from Ervin earlier this week (sounds like he has been very busy 
moving). He said he is preparing an updated package.

-- 
Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

[signature.asc (application/pgp-signature, inline)]

Message #34 received at 436249@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 436249@bugs.debian.org

Cc: Ervin Hearn III <noltar@korongil.net>, "Wesley J. Landaker" <wjl@icecavern.net>

Subject: package status

Date: Sun, 7 Oct 2007 01:43:36 +1000

[Message part 1 (text/plain, inline)]

Hi

Just wondering about the packaging progress of the new upstream version. 
Looking over the pennmush upstream changelog, it seems that a few buffer 
overflows were fixed as well. It would be really nice to get the newest 
upstream version into unstable (and then testing).

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #41 received at 436249@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 436249@bugs.debian.org

Subject: package status

Date: Sat, 13 Oct 2007 19:09:45 +0200

[Message part 1 (text/plain, inline)]

Hi,
I really don't want to piss you off but see this fixed.
What is the current status.
It should not need 3 weeks to prepare a new upload should 
it? If some sponsoring is needed feel free to ping me.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #46 received at 436249@bugs.debian.org (full text, mbox, reply):

From: "Wesley J. Landaker" <wjl@icecavern.net>

To: 436249@bugs.debian.org

Cc: ehearn@pennmush.org, noltar@pennmush.org, noltar@korongil.net

Subject: Re: Bug#436249: package status

Date: Sat, 13 Oct 2007 16:39:33 -0600

[Message part 1 (text/plain, inline)]

On Saturday 13 October 2007 11:09:45 Nico Golde wrote:
> Hi,
> I really don't want to piss you off but see this fixed.
> What is the current status.
> It should not need 3 weeks to prepare a new upload should
> it? If some sponsoring is needed feel free to ping me.

I pinged Ervin a few times, but haven't heard back since the first time.

I'm CCing all his e-mail address's that I know, in case the one I've been 
using isn't working for some reason. Ervin, are you still working on this?

Also, I looked into packaging the new upstream version, but it's not 
completely trivial because the build system changed, as well as the 
database dependencies (so it would be a chance in number/type of binary 
packages if done right).

-- 
Wesley J. Landaker <wjl@icecavern.net> <xmpp:wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

[signature.asc (application/pgp-signature, inline)]

Message #51 received at 436249@bugs.debian.org (full text, mbox, reply):

From: ehearn@pennmush.org

To: "Wesley J. Landaker" <wjl@icecavern.net>

Cc: 436249@bugs.debian.org, noltar@pennmush.org, noltar@korongil.net

Subject: Re: Bug#436249: package status

Date: Sat, 13 Oct 2007 22:19:39 -0600

Wesley J. Landaker wrote:
> On Saturday 13 October 2007 11:09:45 Nico Golde wrote:
>> Hi,
>> I really don't want to piss you off but see this fixed.
>> What is the current status.
>> It should not need 3 weeks to prepare a new upload should
>> it? If some sponsoring is needed feel free to ping me.
> 
> I pinged Ervin a few times, but haven't heard back since the first time.
> 
> I'm CCing all his e-mail address's that I know, in case the one I've been 
> using isn't working for some reason. Ervin, are you still working on this?
> 
> Also, I looked into packaging the new upstream version, but it's not 
> completely trivial because the build system changed, as well as the 
> database dependencies (so it would be a chance in number/type of binary 
> packages if done right).
> 

Hi,

The packaging for this will be done tomorrow. One of the open bugs required a
code change which wasn't released until last weekend when I was out of town,
followed by a busy week this past week. When I originally was contacted
regarding these packages, I made the code change and checked with our lead
developer to see when he wanted our next release. I was told it would be 2-3
days so I delayed uploading an updated package so that it could include the
latest version. Obviously that didn't happen, but every time I asked when it
would be released, it was just going to be another couple of days. In any
case, I do apologize for the delay but I had been trying to avoid
unnecessarily wasting time updating the package only to do so again a couple
of days later.

Wes, I haven't received any emails from you beyond the first couple we
exchanged three weeks ago. I'll double check to make sure they weren't
misfiled by my filters, but nothing came up when I just did a quick check.

Regards,
Ervin

Message #56 received at 436249-close@bugs.debian.org (full text, mbox, reply):

From: Ervin Hearn III <noltar@korongil.net>

To: 436249-close@bugs.debian.org

Subject: Bug#436249: fixed in pennmush 1.8.2p7-1

Date: Mon, 15 Oct 2007 06:02:04 +0000

Source: pennmush
Source-Version: 1.8.2p7-1

We believe that the bug you reported is fixed in the latest version of
pennmush, which is due to be installed in the Debian FTP archive:

pennmush-common_1.8.2p7-1_all.deb
  to pool/main/p/pennmush/pennmush-common_1.8.2p7-1_all.deb
pennmush-i18n_1.8.2p7-1_all.deb
  to pool/main/p/pennmush/pennmush-i18n_1.8.2p7-1_all.deb
pennmush-mysql_1.8.2p7-1_i386.deb
  to pool/main/p/pennmush/pennmush-mysql_1.8.2p7-1_i386.deb
pennmush_1.8.2p7-1.diff.gz
  to pool/main/p/pennmush/pennmush_1.8.2p7-1.diff.gz
pennmush_1.8.2p7-1.dsc
  to pool/main/p/pennmush/pennmush_1.8.2p7-1.dsc
pennmush_1.8.2p7-1_i386.deb
  to pool/main/p/pennmush/pennmush_1.8.2p7-1_i386.deb
pennmush_1.8.2p7.orig.tar.gz
  to pool/main/p/pennmush/pennmush_1.8.2p7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 436249@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ervin Hearn III <noltar@korongil.net> (supplier of updated pennmush package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 14 Oct 2007 22:26:42 -0600
Source: pennmush
Binary: pennmush-common pennmush pennmush-i18n pennmush-mysql
Architecture: source i386 all
Version: 1.8.2p7-1
Distribution: unstable
Urgency: low
Maintainer: Ervin Hearn III <noltar@korongil.net>
Changed-By: Ervin Hearn III <noltar@korongil.net>
Description: 
 pennmush   - text-based multi-user virtual world server
 pennmush-common - common files for the PennMUSH virtual world server
 pennmush-i18n - i18n support files for the PennMUSH virtual world server
 pennmush-mysql - text-based multi-user virtual world server with MySQL support
Closes: 395786 403711 435951 436249
Changes: 
 pennmush (1.8.2p7-1) unstable; urgency=low
 .
   * New upstream release
   * Latest upstream release fixes possible DoS vulnerabilities in
     pennmush (Closes: #436249)
   * Added missing build target to debian/rules (Closes: #395786)
   * Corrected FTBFS on GNU/kFreeBSD due to timestamp skew
     (Closes: #403711)
   * Applied patch to correct control file to make package binNMU safe
     (Closes: #435951)
Files: 
 aa6a32e277aefa7ba4a81b942f78f266 719 games optional pennmush_1.8.2p7-1.dsc
 f6c08b63129574bfcc2475dab3b741eb 2027011 games optional pennmush_1.8.2p7.orig.tar.gz
 1f4e23e0e39f5d9b34fbf8325e667f38 13748 games optional pennmush_1.8.2p7-1.diff.gz
 e709ac3d3d69795d0230cf9f9f87f3d3 399476 games optional pennmush_1.8.2p7-1_i386.deb
 93379f771464b92f65d9100b99d1fd75 500030 games optional pennmush-common_1.8.2p7-1_all.deb
 f2b97e9b063ccfe01ff87e53996df29b 355412 games optional pennmush-i18n_1.8.2p7-1_all.deb
 72a8e1c044ecd969dae94b720609bb23 403342 games optional pennmush-mysql_1.8.2p7-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHEv9r8KmKTEzW49IRApk5AJ9qQ6EEJPPe8rDNIyr4NoIRIkW9+gCeMiek
Yj+/QcsuyokoIzqButQJdPo=
=4IIu
-----END PGP SIGNATURE-----

Message #61 received at 436249@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: ehearn@pennmush.org, 436249@bugs.debian.org

Cc: "Wesley J. Landaker" <wjl@icecavern.net>

Subject: Re: Bug#436249: package status

Date: Mon, 15 Oct 2007 11:23:47 +0200

[Message part 1 (text/plain, inline)]

Hi,
* ehearn@pennmush.org <ehearn@pennmush.org> [2007-10-14 11:34]:
> Wesley J. Landaker wrote:
> > On Saturday 13 October 2007 11:09:45 Nico Golde wrote:
[...] 
> The packaging for this will be done tomorrow. One of the open bugs required a
> code change which wasn't released until last weekend when I was out of town,
> followed by a busy week this past week. When I originally was contacted
> regarding these packages, I made the code change and checked with our lead
> developer to see when he wanted our next release. I was told it would be 2-3
> days so I delayed uploading an updated package so that it could include the
> latest version. Obviously that didn't happen, but every time I asked when it
> would be released, it was just going to be another couple of days. In any
> case, I do apologize for the delay but I had been trying to avoid
> unnecessarily wasting time updating the package only to do so again a couple
> of days later.
[...] 
Just saw that you uploaded fix. Thank you for this. Next 
time please include the CVE id in your changelog.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.