dtach: CVE-2012-3368 random text sent on window close

Related Vulnerabilities: CVE-2012-3368  

Debian Bug report logs - #625302


Package: dtach; Maintainer for dtach is Stefan Völkel <bd@bc-bd.org>; Source for dtach is src:dtach.

Reported by: Tom Woodward <tomwoodward.mail@gmail.com>

Date: Tue, 3 May 2011 10:42:13 UTC

Severity: important

Tags: patch, security

Found in version dtach/0.8-2

Fixed in versions dtach/0.8-2.1, dtach/0.8-2+squeeze1

Done: Stefan Völkel <stefan@bc-bd.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, tomwoodward.mail@gmail.com, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Tue, 03 May 2011 10:42:16 GMT)


Acknowledgement sent to Tom Woodward <tomwoodward.mail@gmail.com>:
New Bug report received and forwarded. Copy sent to tomwoodward.mail@gmail.com, Stefan Völkel <stefan@bc-bd.org>. (Tue, 03 May 2011 10:42:19 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tom Woodward <tomwoodward.mail@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dtach: random text sent on window close
Date: Tue, 03 May 2011 11:24:15 +0100
Package: dtach
Version: 0.8-2
Severity: important

If the terminal window is closed without detaching the session, a string of random characters seems to be sent to the application in the session.  This can cause some problems - for example the text can be a message in irssi, or can affect settings in rtorrent.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dtach depends on:
ii  libc6                         2.11.2-11  Embedded GNU C Library: Shared lib

dtach recommends no packages.

dtach suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Tue, 03 May 2011 11:45:03 GMT)


Acknowledgement sent to bd@bc-bd.org:
Extra info received and forwarded to list. Copy sent to Stefan Völkel <stefan@bc-bd.org>. (Tue, 03 May 2011 11:45:04 GMT)


Message #10 received at 625302@bugs.debian.org:

From: bd@bc-bd.org
To: 625302@bugs.debian.org
Subject: Re: Bug#625302: dtach: random text sent on window close
Date: Tue, 3 May 2011 13:15:41 +0200
> If the terminal window is closed without detaching the session, a string of
> random characters seems to be sent to the application in the session.  This
> can cause some problems - for example the text can be a message in irssi, or
> can affect settings in rtorrent.

What terminal emulator are you using?

Does it happen with different ones?

-- 
BOFH excuse #25:

Decreasing electron flux




Added tag(s) security. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 29 Jun 2012 06:27:04 GMT)


Changed Bug title to 'dtach: CVE-2012-3368 random text sent on window close' from 'dtach: random text sent on window close' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 29 Jun 2012 06:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Mon, 02 Jul 2012 01:15:02 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Völkel <stefan@bc-bd.org>. (Mon, 02 Jul 2012 01:15:02 GMT)


Message #19 received at 625302@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 625302@bugs.debian.org
Subject: dtach: diff for NMU version 0.8-2.1
Date: Mon, 2 Jul 2012 03:03:30 +0200
tags 625302 + patch
tags 625302 + pending
thanks

Dear maintainer,

I've prepared an NMU for dtach (versioned as 0.8-2.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
[dtach-0.8-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2012 01:15:04 GMT)


Added tag(s) pending. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2012 01:15:05 GMT)


Reply sent to Luk Claes <luk@debian.org>:
You have taken responsibility. (Mon, 02 Jul 2012 21:36:05 GMT)


Notification sent to Tom Woodward <tomwoodward.mail@gmail.com>:
Bug acknowledged by developer. (Mon, 02 Jul 2012 21:36:06 GMT)


Message #28 received at 625302-close@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 625302-close@bugs.debian.org
Subject: Bug#625302: fixed in dtach 0.8-2.1
Date: Mon, 02 Jul 2012 21:32:10 +0000
Source: dtach
Source-Version: 0.8-2.1

We believe that the bug you reported is fixed in the latest version of
dtach, which is due to be installed in the Debian FTP archive:

dtach_0.8-2.1.diff.gz
  to main/d/dtach/dtach_0.8-2.1.diff.gz
dtach_0.8-2.1.dsc
  to main/d/dtach/dtach_0.8-2.1.dsc
dtach_0.8-2.1_i386.deb
  to main/d/dtach/dtach_0.8-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 625302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luk Claes <luk@debian.org> (supplier of updated dtach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 02 Jul 2012 01:53:44 +0200
Source: dtach
Binary: dtach
Architecture: source i386
Version: 0.8-2.1
Distribution: unstable
Urgency: high
Maintainer: Stefan Völkel <stefan@bc-bd.org>
Changed-By: Luk Claes <luk@debian.org>
Description: 
 dtach      - emulates the detach/attach feature of screen
Closes: 625302
Changes: 
 dtach (0.8-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2012-3368: properly handle close request (Closes: #625302).





Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Wed, 04 Jul 2012 15:09:09 GMT)


Acknowledgement sent to Stefan <bd@bc-bd.org>:
Extra info received and forwarded to list. Copy sent to Stefan Völkel <stefan@bc-bd.org>. (Wed, 04 Jul 2012 15:09:09 GMT)


Message #33 received at 625302@bugs.debian.org:

From: Stefan <bd@bc-bd.org>
To: Luk Claes <luk@debian.org>, 625302@bugs.debian.org
Subject: Re: Bug#625302: dtach: diff for NMU version 0.8-2.1
Date: Mon, 02 Jul 2012 09:30:58 +0200
Hi Luk,

I am on vacation so please go ahead.

Has this already been reported upstream?

  Stefan

On 07/02/2012 03:03 AM, Luk Claes wrote:
> tags 625302 + patch
> tags 625302 + pending
> thanks
> 
> Dear maintainer,
> 
> I've prepared an NMU for dtach (versioned as 0.8-2.1) and
> uploaded it to DELAYED/02. Please feel free to tell me if I
> should delay it longer.
> 
> Cheers
> 
> Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Wed, 04 Jul 2012 15:15:03 GMT)


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Völkel <stefan@bc-bd.org>. (Wed, 04 Jul 2012 15:15:05 GMT)


Message #38 received at 625302@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Stefan <bd@bc-bd.org>
Cc: 625302@bugs.debian.org
Subject: Re: Bug#625302: dtach: diff for NMU version 0.8-2.1
Date: Wed, 04 Jul 2012 17:10:12 +0200
Hi Stefan

It's not reported upstream AFAIK. I'm just fixing RC and security bugs
for the upcoming release of wheezy.

Cheers

Luk

On 07/02/2012 09:30 AM, Stefan wrote:
> Hi Luk,
> 
> I am on vacation so please go ahead.
> 
> Has this already been reported upstream?
> 
>   Stefan
> 
> On 07/02/2012 03:03 AM, Luk Claes wrote:
>> tags 625302 + patch
>> tags 625302 + pending
>> thanks
>>
>> Dear maintainer,
>>
>> I've prepared an NMU for dtach (versioned as 0.8-2.1) and
>> uploaded it to DELAYED/02. Please feel free to tell me if I
>> should delay it longer.
>>
>> Cheers
>>
>> Luk





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Aug 2012 07:25:47 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 17:03:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Völkel <stefan@bc-bd.org>:
Bug#625302; Package dtach. (Fri, 18 Jan 2013 13:06:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Völkel <stefan@bc-bd.org>. (Fri, 18 Jan 2013 13:06:03 GMT)


Message #47 received at 625302@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 625302@bugs.debian.org
Subject: Re: dtach: CVE-2012-3368 random text sent on window close
Date: Fri, 18 Jan 2013 12:15:06 -0000
Package: dtach

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/625302/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Reply sent to Stefan Völkel <stefan@bc-bd.org>:
You have taken responsibility. (Sun, 10 Feb 2013 16:21:09 GMT)


Notification sent to Tom Woodward <tomwoodward.mail@gmail.com>:
Bug acknowledged by developer. (Sun, 10 Feb 2013 16:21:09 GMT)


Message #52 received at 625302-close@bugs.debian.org:

From: Stefan Völkel <stefan@bc-bd.org>
To: 625302-close@bugs.debian.org
Subject: Bug#625302: fixed in dtach 0.8-2+squeeze1
Date: Sun, 10 Feb 2013 16:17:04 +0000
Source: dtach
Source-Version: 0.8-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
dtach, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 625302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Völkel <stefan@bc-bd.org> (supplier of updated dtach package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 07 Feb 2013 17:04:48 +0100
Source: dtach
Binary: dtach
Architecture: source i386
Version: 0.8-2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Stefan Völkel <stefan@bc-bd.org>
Changed-By: Stefan Völkel <stefan@bc-bd.org>
Description: 
 dtach      - emulates the detach/attach feature of screen
Closes: 625302
Changes: 
 dtach (0.8-2+squeeze1) stable; urgency=low
 .
   * Fix CVE-2012-3368: properly handle close request (Closes: #625302).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2013 07:25:29 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:49:37 2019; Machine Name: beach