xmlrpc-epi: CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c

Related Vulnerabilities: CVE-2016-6296  

Debian Bug report logs - #832959
xmlrpc-epi: CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 30 Jul 2016 04:42:12 UTC

Severity: grave

Tags: fixed, patch, security, upstream

Found in version xmlrpc-epi/0.54.2-1

Fixed in versions xmlrpc-epi/0.54.2-1+deb7u1, xmlrpc-epi/0.54.2-1.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robin Cornelius <robin.cornelius@gmail.com>:
Bug#832959; Package src:xmlrpc-epi. (Sat, 30 Jul 2016 04:42:15 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Robin Cornelius <robin.cornelius@gmail.com>. (Sat, 30 Jul 2016 04:42:16 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xmlrpc-epi: CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
Date: Sat, 30 Jul 2016 06:41:39 +0200
Source: xmlrpc-epi
Version: 0.54.2-1
Severity: grave
Tags: security upstream patch
Control: tags -1 fixed 0.54.2-1+deb7u1

Hi,

the following vulnerability was published for xmlrpc-epi. AFAICS it is
used by php7.0 in stretch from system. For stable this probably does
not warrant a DSA, since nothing depends on it.

CVE-2016-6296[0]:
| Integer signedness error in the simplestring_addn function in
| simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before
| 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote
| attackers to cause a denial of service (heap-based buffer overflow) or
| possibly have unspecified other impact via a long first argument to
| the PHP xmlrpc_encode_request function.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6296

Regards,
Salvatore
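The CVE text above describes an integer signedness error: a length that travels through an int turns negative once it exceeds INT_MAX, so the "do we need to grow the buffer" check is skipped and memcpy() is then handed a size_t count that the existing allocation cannot hold. The C program below is an illustration added to this page; it is not xmlrpc-epi source, the Debian patch, or the PHP fix. It models the pre-fix growth decision without ever performing the unsafe write, and puts the shape of the fix beside it (size_t lengths with an overflow check before any arithmetic that could wrap). The sstr struct, the SSTR_INCR granularity, the function names and the sample inputs are all assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string in the simplestring style. Written for this
 * page as an illustration, not taken from xmlrpc-epi: the struct, the
 * SSTR_INCR granularity and the function names are assumptions. */
typedef struct {
    char  *str;   /* NUL-terminated buffer, or NULL before first use */
    size_t len;   /* bytes in use, excluding the NUL */
    size_t size;  /* bytes allocated */
} sstr;

#define SSTR_INCR 32  /* assumed growth granularity */

/* Model of the pre-fix growth decision with every length narrowed to int.
 * Returns true when that decision leaves the buffer smaller than the byte
 * count memcpy() is then handed. Nothing is allocated or written; the int
 * arithmetic is evaluated in 64 bits so the wrap can be observed instead
 * of being undefined behaviour. */
bool int_addn_would_overflow(size_t len, size_t size, size_t add_len)
{
    int ilen  = (int)len;
    int isize = (int)size;
    int iadd  = (int)add_len;   /* signedness error: above INT_MAX this is negative */

    /* "if (len + add_len + 1 > size) grow", as the int version computes it */
    int64_t needed = (int64_t)ilen + iadd + 1;
    size_t capacity = (needed > isize) ? (size_t)needed : size;

    /* memcpy's count is size_t, so a negative iadd becomes a huge copy */
    size_t copy = (size_t)iadd;
    return copy > capacity || capacity - copy < len + 1;
}

/* Hardened append: size_t lengths throughout and an overflow check before
 * any arithmetic that could wrap. Returns 0 on success, -1 when the request
 * cannot be satisfied; on failure the string is left untouched. */
int sstr_addn(sstr *t, const char *src, size_t add_len)
{
    if (!t || !src) return -1;
    if (!t->str) {
        t->str = calloc(SSTR_INCR, 1);
        if (!t->str) return -1;
        t->len = 0;
        t->size = SSTR_INCR;
    }
    if (add_len > SIZE_MAX - t->len - 1) return -1;   /* len + add_len + 1 would wrap */
    size_t needed = t->len + add_len + 1;
    if (needed > t->size) {
        size_t newsize = needed + (SSTR_INCR - needed % SSTR_INCR);  /* round up */
        if (newsize < needed) return -1;               /* rounding wrapped */
        char *p = realloc(t->str, newsize);
        if (!p) return -1;                             /* old buffer still valid */
        t->str = p;
        t->size = newsize;
    }
    memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = '\0';
    return 0;
}

void sstr_free(sstr *t)
{
    free(t->str);
    t->str = NULL;
    t->len = t->size = 0;
}

/* Exercises the hardened append on constructed input: a short fragment, a
 * 100-byte fragment that forces growth, then a length that cannot fit.
 * Returns the final length (112) when every step behaves as intended,
 * 0 otherwise. */
size_t hardened_sequence(void)
{
    char big[100];
    memset(big, 'A', sizeof big);
    sstr s = { NULL, 0, 0 };
    bool ok = sstr_addn(&s, "<methodCall>", 12) == 0 && s.size == SSTR_INCR
           && sstr_addn(&s, big, sizeof big) == 0 && s.size == 128
           && sstr_addn(&s, "x", SIZE_MAX) == -1 && s.len == 112
           && s.str[s.len] == '\0';
    size_t final_len = ok ? s.len : 0;
    sstr_free(&s);
    return final_len;
}

int main(void)
{
    size_t wrapping_len = (size_t)INT_MAX + 1;   /* constructed: one past int range */
    printf("int model, 5 bytes:         %s\n",
           int_addn_would_overflow(0, SSTR_INCR, 5) ? "overflow" : "ok");
    printf("int model, INT_MAX+1 bytes: %s\n",
           int_addn_would_overflow(0, SSTR_INCR, wrapping_len) ? "overflow" : "ok");
    printf("hardened sequence final len: %zu\n", hardened_sequence());
    return 0;
}
```

Two things worth noting when reading it. The model function only reproduces the arithmetic: with add_len = INT_MAX + 1 the narrowed iadd is negative, the growth branch is not taken, and the size_t count memcpy() would receive is enormous, which is exactly the heap overflow the CVE text describes. The hardened append cannot check that src really holds add_len bytes; that remains the caller's contract, which is why the fix belongs in the length arithmetic rather than in the copy.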



Added tag(s) fixed. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 30 Jul 2016 04:42:16 GMT).


Marked as fixed in versions xmlrpc-epi/0.54.2-1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Jul 2016 04:51:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Robin Cornelius <robin.cornelius@gmail.com>:
Bug#832959; Package src:xmlrpc-epi. (Sat, 13 Aug 2016 17:21:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robin Cornelius <robin.cornelius@gmail.com>. (Sat, 13 Aug 2016 17:21:04 GMT).


Message #14 received at 832959@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832959@bugs.debian.org
Subject: xmlrpc-epi: diff for NMU version 0.54.2-1.2
Date: Sat, 13 Aug 2016 19:19:15 +0200
Control: tags 832959 + pending

Dear maintainer,

I've prepared an NMU for xmlrpc-epi (versioned as 0.54.2-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[xmlrpc-epi-0.54.2-1.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 832959-submit@bugs.debian.org. (Sat, 13 Aug 2016 17:21:04 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 15 Aug 2016 17:39:16 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 15 Aug 2016 17:39:16 GMT).


Message #21 received at 832959-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 832959-close@bugs.debian.org
Subject: Bug#832959: fixed in xmlrpc-epi 0.54.2-1.2
Date: Mon, 15 Aug 2016 17:37:21 +0000
Source: xmlrpc-epi
Source-Version: 0.54.2-1.2

We believe that the bug you reported is fixed in the latest version of
xmlrpc-epi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832959@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xmlrpc-epi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Aug 2016 19:11:42 +0200
Source: xmlrpc-epi
Binary: libxmlrpc-epi-dev libxmlrpc-epi0 libxmlrpc-epi0-dbg
Architecture: source
Version: 0.54.2-1.2
Distribution: unstable
Urgency: medium
Maintainer: Robin Cornelius <robin.cornelius@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 832959
Description: 
 libxmlrpc-epi-dev - Development files for libxmlrpc-epi0, a XML-RPC request library
 libxmlrpc-epi0 - XML-RPC request serialisation/deserialisation library
 libxmlrpc-epi0-dbg - Debug symbols for libxmlrpc-epi0, a XML-RPC request library
Changes:
 xmlrpc-epi (0.54.2-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn
     (Closes: #832959)
Checksums-Sha1: 
 ae2305dbcaaf512e2e7e010455b079345e6f1201 2100 xmlrpc-epi_0.54.2-1.2.dsc
 3ca1a91e42090bc552bbce07dfc6e8580fad2aa1 4644 xmlrpc-epi_0.54.2-1.2.diff.gz
Checksums-Sha256: 
 6f100d957e13da826e034b2c0fe940b9bc32c29cab05b6e80a5eb0d68b2598d3 2100 xmlrpc-epi_0.54.2-1.2.dsc
 b83401db30bac8fa078fdb5dd2d0527a4c55a3a5ce08e1852451ad21cfddb052 4644 xmlrpc-epi_0.54.2-1.2.diff.gz
Files: 
 d754249bad45d7a7e995c7b1aa7cce6f 2100 libs extra xmlrpc-epi_0.54.2-1.2.dsc
 e3dcb31c6bea3033454ad1057be29808 4644 libs extra xmlrpc-epi_0.54.2-1.2.diff.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:03:01 GMT).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:52:22 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:45:27 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:17 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.