Debian Bug report logs - #580628
dvipng: CVE-2010-0829
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Fri, 7 May 2010 10:09:02 UTC
Severity: grave
Tags: security
Fixed in version dvipng/1.13-1
Done: Varun Hiremath <varun@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Varun Hiremath <varun@debian.org>: Bug#580628; Package dvipng. (Fri, 07 May 2010 10:09:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Varun Hiremath <varun@debian.org>. (Fri, 07 May 2010 10:09:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: dvipng
Severity: grave
Tags: security
Justification: user security hole
Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638
Could you prepare an updated package for stable-security and send it
to team@security.debian.org
Cheers,
Moritz
Reply sent to Varun Hiremath <varun@debian.org>: You have taken responsibility. (Sat, 08 May 2010 04:21:05 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Sat, 08 May 2010 04:21:05 GMT)
Message #10 received at 580628-close@bugs.debian.org:
Source: dvipng
Source-Version: 1.13-1
We believe that the bug you reported is fixed in the latest version of
dvipng, which is due to be installed in the Debian FTP archive:
dvipng_1.13-1.debian.tar.gz
to main/d/dvipng/dvipng_1.13-1.debian.tar.gz
dvipng_1.13-1.dsc
to main/d/dvipng/dvipng_1.13-1.dsc
dvipng_1.13-1_amd64.deb
to main/d/dvipng/dvipng_1.13-1_amd64.deb
dvipng_1.13.orig.tar.gz
to main/d/dvipng/dvipng_1.13.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 580628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Varun Hiremath <varun@debian.org> (supplier of updated dvipng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 07 May 2010 23:42:19 -0400
Source: dvipng
Binary: dvipng
Architecture: source amd64
Version: 1.13-1
Distribution: unstable
Urgency: low
Maintainer: Varun Hiremath <varun@debian.org>
Changed-By: Varun Hiremath <varun@debian.org>
Description:
dvipng - convert DVI files to PNG graphics
Closes: 580628
Changes:
dvipng (1.13-1) unstable; urgency=low
.
* New upstream release
- Fixes CVE-2010-0829, (Closes: #580628)
* Switch to source format 3.0
* Bump Standards-Version to 3.8.4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFL5OGzPEFSUMxFMZcRAgqRAKC/RJCluUSay1QmW9foUNu/qfWEUgCfXC2V
3I/ees8Jyinjkjyl0PvdZgM=
=qIj4
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#580628; Package dvipng. (Sat, 08 May 2010 05:03:03 GMT)
Acknowledgement sent to Varun Hiremath <varun@debian.org>: Extra info received and forwarded to list. (Sat, 08 May 2010 05:03:03 GMT)
Message #15 received at 580628@bugs.debian.org:
Hi Debian Security Team,
On Fri, 07 May, 2010 at 11:59:11AM +0200, Moritz Muehlenhoff wrote:
> Package: dvipng
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638
>
> Could you prepare an updated package for stable-security and send it
> to team@security.debian.org
>
> Cheers,
> Moritz
I have prepared a stable-security update for the dvipng package which
fixes CVE-2010-0829, which can be found here:
http://people.debian.org/~varun/dvipng_1.11-1+lenny1.dsc
Please let me know if it fits the requirements and if I can upload it
to stable-security.
Thanks,
Varun
Information forwarded to debian-bugs-dist@lists.debian.org, Varun Hiremath <varun@debian.org>: Bug#580628; Package dvipng. (Tue, 11 May 2010 19:15:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Varun Hiremath <varun@debian.org>. (Tue, 11 May 2010 19:15:03 GMT)
Message #20 received at 580628@bugs.debian.org:
On Sat, May 08, 2010 at 12:59:45AM -0400, Varun Hiremath wrote:
> Hi Debian Security Team,
>
> On Fri, 07 May, 2010 at 11:59:11AM +0200, Moritz Muehlenhoff wrote:
> > Package: dvipng
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638
> >
> > Could you prepare an updated package for stable-security and send it
> > to team@security.debian.org
> >
> > Cheers,
> > Moritz
>
> I have prepared a stable-security update for the dvipng package which
> fixes CVE-2010-0829, which can be found here:
> http://people.debian.org/~varun/dvipng_1.11-1+lenny1.dsc
>
> Please let me know if it fits the requirements and if I can upload it
> to stable-security.
Thanks. I've opened a ticket in our RT so that the update gets processed.
Since this is a low urgency issue other issues are likely to be scheduled
earlier.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:34:53 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:00:22 2019; Machine Name: buxtehude