Debian Bug report logs -
#606257
CVE-2010-4262: Buffer overflow
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 7 Dec 2010 21:18:01 UTC
Severity: important
Tags: patch, security
Fixed in version xfig/1:3.2.5.b-1.1
Done: Giuseppe Iuculano <iuculano@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Rosenfeld <roland@debian.org>
:
Bug#606257
; Package xfig
.
(Tue, 07 Dec 2010 21:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Rosenfeld <roland@debian.org>
.
(Tue, 07 Dec 2010 21:18:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: xfig
Severity: important
Tags: security
Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=659676 for details
and a patch. Please fix this for Squeeze.
The attack vector is fairly obscure, so we don't need a DSA for it,
you could fix it through a point update, though:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages xfig depends on:
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxi6 2:1.3-5 X11 Input extension library
ii libxpm4 1:3.5.9-1 X11 pixmap library
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
ii xaw3dg 1.5+E-18 Xaw3d widget set
Versions of packages xfig recommends:
pn transfig <none> (no description available)
pn xfig-libs <none> (no description available)
Versions of packages xfig suggests:
pn cupsys-client | lpr <none> (no description available)
ii ghostscript-x [gs] 8.71~dfsg2-6 The GPL Ghostscript PostScript/PDF
ii gimp 2.6.11-1 The GNU Image Manipulation Program
ii gs 8.64~dfsg-1.1 Transitional package
pn gsfonts-x11 <none> (no description available)
ii netpbm 2:10.0-12.2+b1 Graphics conversion tools between
pn spell <none> (no description available)
pn xfig-doc <none> (no description available)
Information forwarded
to debian-bugs-dist@lists.debian.org, Roland Rosenfeld <roland@debian.org>
:
Bug#606257
; Package xfig
.
(Fri, 17 Dec 2010 16:54:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Roland Rosenfeld <roland@debian.org>
.
(Fri, 17 Dec 2010 16:54:08 GMT) (full text, mbox, link).
Message #10 received at 606257@bugs.debian.org (full text, mbox, reply):
On Tue, Dec 07, 2010 at 10:16:36PM +0100, Moritz Muehlenhoff wrote:
> Package: xfig
> Severity: important
> Tags: security
>
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=659676 for details
> and a patch. Please fix this for Squeeze.
>
> The attack vector is fairly obscure, so we don't need a DSA for it,
> you could fix it through a point update, though:
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Please still fix this for Squeeze with an isolated bugfix.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Roland Rosenfeld <roland@debian.org>
:
Bug#606257
; Package xfig
.
(Wed, 29 Dec 2010 16:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>
:
Extra info received and forwarded to list. Copy sent to Roland Rosenfeld <roland@debian.org>
.
(Wed, 29 Dec 2010 16:03:02 GMT) (full text, mbox, link).
Message #15 received at 606257@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 606257 + patch
thanks
Dear maintainer,
I've prepared an NMU for xfig (versioned as 1:3.2.5.b-1.1). The diff
is attached to this message.
Regards.
Giuseppe
[xfig-3.2.5.b-1.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) patch.
Request was from Giuseppe Iuculano <iuculano@debian.org>
to control@bugs.debian.org
.
(Wed, 29 Dec 2010 16:03:04 GMT) (full text, mbox, link).
Reply sent
to Giuseppe Iuculano <iuculano@debian.org>
:
You have taken responsibility.
(Wed, 29 Dec 2010 16:21:06 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>
:
Bug acknowledged by developer.
(Wed, 29 Dec 2010 16:21:06 GMT) (full text, mbox, link).
Message #22 received at 606257-close@bugs.debian.org (full text, mbox, reply):
Source: xfig
Source-Version: 1:3.2.5.b-1.1
We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive:
xfig-doc_3.2.5.b-1.1_all.deb
to main/x/xfig/xfig-doc_3.2.5.b-1.1_all.deb
xfig-libs_3.2.5.b-1.1_all.deb
to main/x/xfig/xfig-libs_3.2.5.b-1.1_all.deb
xfig_3.2.5.b-1.1.diff.gz
to main/x/xfig/xfig_3.2.5.b-1.1.diff.gz
xfig_3.2.5.b-1.1.dsc
to main/x/xfig/xfig_3.2.5.b-1.1.dsc
xfig_3.2.5.b-1.1_i386.deb
to main/x/xfig/xfig_3.2.5.b-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 606257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated xfig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 29 Dec 2010 16:50:04 +0100
Source: xfig
Binary: xfig xfig-doc xfig-libs
Architecture: source all i386
Version: 1:3.2.5.b-1.1
Distribution: unstable
Urgency: high
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description:
xfig - Facility for Interactive Generation of figures under X11
xfig-doc - XFig on-line documentation and examples
xfig-libs - XFig image libraries and examples
Closes: 606257
Changes:
xfig (1:3.2.5.b-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2010-4262: Stack-based buffer overflow by processing certain FIG
images (Closes: #606257)
Checksums-Sha1:
4ac02fcafa1311e6172e263668fdf57a3bd9ded7 1161 xfig_3.2.5.b-1.1.dsc
f0d19399584b5e6a914fd7d1f92945a394bd425e 48728 xfig_3.2.5.b-1.1.diff.gz
2ed55fc84ffcfa6643b3724a532d00444c2202ef 3435242 xfig-doc_3.2.5.b-1.1_all.deb
4a79ac269f8dafcad699b977a2f04f5e9d9067d1 1752754 xfig-libs_3.2.5.b-1.1_all.deb
eec420e70bf0e25625f5583245ba03011656272d 643376 xfig_3.2.5.b-1.1_i386.deb
Checksums-Sha256:
4fa74ab32c91d8356e4c7997ee69c3dcd864aeda30c44d9fa099a57fd6510513 1161 xfig_3.2.5.b-1.1.dsc
5f2d7db923cfc88ea13971b01abad09f3cb1aeac42ef6cc99501f982fb13d8f6 48728 xfig_3.2.5.b-1.1.diff.gz
151109866000fd867836422c9f47a2354b36ea540a1b4fe7eda3cd592f9b6f22 3435242 xfig-doc_3.2.5.b-1.1_all.deb
957f2a76c276a669e700c25b97d46db33c8291d748e065d9bc572befb3dcc609 1752754 xfig-libs_3.2.5.b-1.1_all.deb
2d44a0d47ecb4e2d8636cda25bd4ce760cb7e4b6bc187621c3762e0f8f45463b 643376 xfig_3.2.5.b-1.1_i386.deb
Files:
4feaad14a93211c4d5719fc3f43458e6 1161 graphics optional xfig_3.2.5.b-1.1.dsc
72d04f0adaac6623538cfb4ad07f97e3 48728 graphics optional xfig_3.2.5.b-1.1.diff.gz
b97163d3b8d2f60bd21ab8efbda2fd36 3435242 doc optional xfig-doc_3.2.5.b-1.1_all.deb
1d044702064998d699e4837341fb7e5e 1752754 graphics optional xfig-libs_3.2.5.b-1.1_all.deb
a98836898b7a04a01ee60a017d2c4aaa 643376 graphics optional xfig_3.2.5.b-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0bWsYACgkQNxpp46476apt0ACfTAi29UB9CIfF0KozT6Fh41I1
zXEAn2tclqsEChPla7+TmS6yFlr5CAzS
=rSij
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 02 Feb 2011 07:36:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:16:35 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.