Debian Bug report logs -
#426862
CVE-2007-2452 -- heap overflow in locate
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 31 May 2007 11:15:07 UTC
Severity: important
Tags: security
Found in versions findutils/4.1.20-6, findutils/4.2.28-1
Fixed in versions 4.2.31-1, 4.3.8-1, findutils/4.2.28-1etch4
Done: Andreas Metzler <ametzler@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#426862; Package findutils.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Andreas Metzler <ametzler@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: findutils
Severity: important
Tags: security
findutils 4.2.31 fixes a security bug:
http://lists.gnu.org/archive/html/info-gnu/2007-05/msg00012.html
Please mention the name CVE-2007-2452 in the changelog when fixing
this bug.
Bug marked as found in version 4.1.20-6.
Request was from Andreas Metzler <ametzler@debian.org>
to control@bugs.debian.org.
(Sat, 02 Jun 2007 07:57:03 GMT) (full text, mbox, link).
Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #12 received at 426862-close@bugs.debian.org (full text, mbox, reply):
Source: findutils
Source-Version: 4.2.31-1
We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:
findutils_4.2.31-1.diff.gz
to pool/main/f/findutils/findutils_4.2.31-1.diff.gz
findutils_4.2.31-1.dsc
to pool/main/f/findutils/findutils_4.2.31-1.dsc
findutils_4.2.31-1_i386.deb
to pool/main/f/findutils/findutils_4.2.31-1_i386.deb
findutils_4.2.31.orig.tar.gz
to pool/main/f/findutils/findutils_4.2.31.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 426862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 2 Jun 2007 09:55:27 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.2.31-1
Distribution: unstable
Urgency: medium
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
findutils - utilities for finding files--find, xargs, and locate
Closes: 412459 420190 426862
Changes:
findutils (4.2.31-1) unstable; urgency=medium
.
* Undo workaround for savannah #19550, since it is a glibc bug.
* New upstream bugfix release:
- Fixes locate heap buffer overflow when using databases in old format.
(CVE-2007-2452) Closes: #426862
- make clean does not delete regexprops.texi if cross-building.
(Closes: #420190)
- [-version] instead of [--version] in locate --help. (Closes: #412459)
Files:
16f4e628a8e63cca5464b7d48f2cb28f 663 utils required findutils_4.2.31-1.dsc
a0e31a0f18a49709bf5a449867c8049a 1326294 utils required findutils_4.2.31.orig.tar.gz
f26ca47a383c7e9b3c7e4e26d1ce21ec 14516 utils required findutils_4.2.31-1.diff.gz
75742515ce14edd06f2804423d4a8a84 422370 utils required findutils_4.2.31-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGYS2kHTOcZYuNdmMRAqYFAJ4qoYDi1tGrOpmNaazM63CzlxZpEgCeJkX8
xIG+vJLbRI4XB2FMZfPITFs=
=w/8/
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#426862; Package findutils.
(full text, mbox, link).
Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(full text, mbox, link).
Message #17 received at 426862@bugs.debian.org (full text, mbox, reply):
On Sat, Jun 02, 2007 at 09:02:03AM +0000, Andreas Metzler wrote:
> - Fixes locate heap buffer overflow when using databases in old format.
> (CVE-2007-2452) Closes: #426862
Is this going to be addressed for etch?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#426862.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#426862; Package findutils.
(full text, mbox, link).
Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(full text, mbox, link).
Message #25 received at 426862@bugs.debian.org (full text, mbox, reply):
On 2007-06-18 Marc Haber <mh+debian-bugs@zugschlus.de> wrote:
> On Sat, Jun 02, 2007 at 09:02:03AM +0000, Andreas Metzler wrote:
> > - Fixes locate heap buffer overflow when using databases in old format.
> > (CVE-2007-2452) Closes: #426862
> Is this going to be addressed for etch?
There won't be a DSA due to the obscure attack vector, I will try for
a regular update to stable, though.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#426862.
(full text, mbox, link).
Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #33 received at 426862-close@bugs.debian.org (full text, mbox, reply):
Source: findutils
Source-Version: 4.3.8-1
We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:
findutils_4.3.8-1.diff.gz
to pool/main/f/findutils/findutils_4.3.8-1.diff.gz
findutils_4.3.8-1.dsc
to pool/main/f/findutils/findutils_4.3.8-1.dsc
findutils_4.3.8-1_i386.deb
to pool/main/f/findutils/findutils_4.3.8-1_i386.deb
findutils_4.3.8.orig.tar.gz
to pool/main/f/findutils/findutils_4.3.8.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 426862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 23 Jun 2007 09:05:25 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.3.8-1
Distribution: experimental
Urgency: low
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
findutils - utilities for finding files--find, xargs, and locate
Closes: 400936 426505 426862
Changes:
findutils (4.3.8-1) experimental; urgency=low
.
* New upstream version 4.3.8.
- Fixes locate heap buffer overflow when using databases in old format.
(CVE-2007-2452) Closes: #426862
- Fixes savannah bug #20005: Tests -mtime -n and -mtime +n incorrectly
treated like -mtime n. Closes: #426505
- Correct docs for %b printf specifier. (Closes: #400936)
* Pulled from CVS: 01_sv-bug-20139.dpatch:
find -[acm]time -N (wrongly) includes files from N days ago, as well as
(correctly) from less than N days ago.
Files:
7418440bf585ca1a81608b5e02a9a96a 660 utils required findutils_4.3.8-1.dsc
b5e4f88b7b5502460c62c04f94df613d 1808049 utils required findutils_4.3.8.orig.tar.gz
c6f9eba8827ab672be030c54f2f87e97 15321 utils required findutils_4.3.8-1.diff.gz
e4628ee6738ab0b8aa72f62357071fdb 607064 utils required findutils_4.3.8-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGfNK4HTOcZYuNdmMRAtIFAJ4sPgqEvYB7z0Y79v/dfSuhQflZogCgqWhK
IUiufQ5/Su4LPnbY12aYITc=
=rqRs
-----END PGP SIGNATURE-----
Bug marked as found in version 4.2.28-1.
Request was from Andreas Metzler <ametzler@debian.org>
to control@bugs.debian.org.
(Sat, 23 Jun 2007 09:24:02 GMT) (full text, mbox, link).
Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #40 received at 426862-close@bugs.debian.org (full text, mbox, reply):
Source: findutils
Source-Version: 4.2.28-1etch4
We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:
findutils_4.2.28-1etch4.diff.gz
to pool/main/f/findutils/findutils_4.2.28-1etch4.diff.gz
findutils_4.2.28-1etch4.dsc
to pool/main/f/findutils/findutils_4.2.28-1etch4.dsc
findutils_4.2.28-1etch4_i386.deb
to pool/main/f/findutils/findutils_4.2.28-1etch4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 426862@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 2 Jun 2007 11:19:57 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.2.28-1etch4
Distribution: stable
Urgency: low
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
findutils - utilities for finding files--find, xargs, and locate
Closes: 426862
Changes:
findutils (4.2.28-1etch4) stable; urgency=low
.
* Fixe locate heap buffer overflow when using databases in old format.
(CVE-2007-2452) Closes: #426862
Files:
e66a379f877524509e29e930ef0a2e3a 673 utils required findutils_4.2.28-1etch4.dsc
d8cec49d48263e64ed01398f30073ab8 17956 utils required findutils_4.2.28-1etch4.diff.gz
57e5ff463c362c17f1262d395793e798 350942 utils required findutils_4.2.28-1etch4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGriRYHTOcZYuNdmMRAmGOAJ4pIE8FEKo8RXsr3TC0phFxZhL1OwCeJ8Ux
Bcb9v/Fa8QuMKVy2HfNJHdE=
=FH+0
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 05 Oct 2007 07:28:15 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 12:57:56 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon