Debian Bug report logs -
#551070
CVE-2009-3575: Buffer overflow in DHTRoutingTableDeserializer.cc
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Thu, 15 Oct 2009 12:57:01 UTC
Severity: serious
Tags: patch, security
Found in version aria2/0.14.0-1
Fixed in versions 1.2.0-1, aria2/0.14.0-1+lenny1
Done: Kartik Mistry <kartik@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Ruckstuhl <patrick@tario.org>:
Bug#551070; Package aria2.
(Thu, 15 Oct 2009 12:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Ruckstuhl <patrick@tario.org>.
(Thu, 15 Oct 2009 12:57:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: aria2
Version: 0.14.0-1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for aria2.
CVE-2009-3575[0]:
| Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3,
| 1.2.0, and other versions allows remote attackers to cause a denial of
| service (crash) and possibly execute arbitrary code via unknown
| vectors.
This is already fixed in debian unstable.
Please coordinate with the security team (team@security.debian.org) to
prepare packages for the stable and oldstable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3575
http://security-tracker.debian.net/tracker/CVE-2009-3575
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrXET8ACgkQNxpp46476aqpIACdGwJaJcOsmW7L88qDBPK/fczw
LC4An2Sk0eMCR+ztgGwI/3dTkv8vunod
=JWV0
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Patrick Ruckstuhl <patrick@tario.org>:
Bug#551070; Package aria2.
(Thu, 15 Oct 2009 16:00:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Ruckstuhl <patrick@tario.org>.
(Thu, 15 Oct 2009 16:00:06 GMT) (full text, mbox, link).
Message #10 received at 551070@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Patch:
http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/src/DHTRoutingTableDeserializer.cc?r1=670&r2=1041
Cheers,
Giuseppe.
[signature.asc (application/pgp-signature, attachment)]
Bug Marked as fixed in versions 1.2.0-1.
Request was from Giuseppe Iuculano <iuculano@debian.org>
to control@bugs.debian.org.
(Fri, 16 Oct 2009 11:18:20 GMT) (full text, mbox, link).
Reply sent
to Kartik Mistry <kartik@debian.org>:
You have taken responsibility.
(Sun, 03 Jan 2010 02:03:03 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sun, 03 Jan 2010 02:03:03 GMT) (full text, mbox, link).
Message #17 received at 551070-close@bugs.debian.org (full text, mbox, reply):
Source: aria2
Source-Version: 0.14.0-1+lenny1
We believe that the bug you reported is fixed in the latest version of
aria2, which is due to be installed in the Debian FTP archive:
aria2_0.14.0-1+lenny1.diff.gz
to main/a/aria2/aria2_0.14.0-1+lenny1.diff.gz
aria2_0.14.0-1+lenny1.dsc
to main/a/aria2/aria2_0.14.0-1+lenny1.dsc
aria2_0.14.0-1+lenny1_i386.deb
to main/a/aria2/aria2_0.14.0-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 551070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kartik Mistry <kartik@debian.org> (supplier of updated aria2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 24 Dec 2009 23:45:29 +0530
Source: aria2
Binary: aria2
Architecture: source i386
Version: 0.14.0-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Patrick Ruckstuhl <patrick@tario.org>
Changed-By: Kartik Mistry <kartik@debian.org>
Description:
aria2 - High speed download utility
Closes: 551070
Changes:
aria2 (0.14.0-1+lenny1) stable-security; urgency=high
.
* Security upload.
* src/DHTRoutingTableDeserializer.cc, src/array_fun.h:
+ Fixed buffer overflow which allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via unknown vectors.
Many thanks to Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> for patch and
Steffen Joeris <steffen.joeris@skolelinux.de> for help.
CVE-2009-3575 (Closes: #551070)
Checksums-Sha1:
4ff6071484ac87c9277759a63885dd7c2a3fb6a7 1102 aria2_0.14.0-1+lenny1.dsc
f035f89f1611526a63b8ed7039b294100e7518ad 1343630 aria2_0.14.0.orig.tar.gz
4c4d913827f42a3d5136d1d0a99645a17458fed0 20698 aria2_0.14.0-1+lenny1.diff.gz
5caf46e1c473fcf259952ee744c5f3239c92bfe7 1059854 aria2_0.14.0-1+lenny1_i386.deb
Checksums-Sha256:
a6806218afb1643d9117da40ce69984a2978b1f255c6ad7f2e34b56109203f9f 1102 aria2_0.14.0-1+lenny1.dsc
876cd357c0e475600d27d190048c49652bdd4d3372644bc719b54b069acc9928 1343630 aria2_0.14.0.orig.tar.gz
eaac27d9ed9dc5cfd0c15241355593693339f3bb3fddd8e7e80c449584c6319d 20698 aria2_0.14.0-1+lenny1.diff.gz
4430e9958166cdccccc312e3d9bec5d4bc2b753c9d5a9f5e9d410cc4f7c2a5a3 1059854 aria2_0.14.0-1+lenny1_i386.deb
Files:
eec49435dff989725e33c563b196460a 1102 net optional aria2_0.14.0-1+lenny1.dsc
ae853240ee88e373a138021613e28cb1 1343630 net optional aria2_0.14.0.orig.tar.gz
849ab814910b27bcceb43f70289deecf 20698 net optional aria2_0.14.0-1+lenny1.diff.gz
231c131054416daf24647fbe0f3253d3 1059854 net optional aria2_0.14.0-1+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks3Tm4ACgkQ62zWxYk/rQd2wgCglN5fZgUn1cT64tUXn6Bjw6CU
854AoMb4LdlHH3zRLRi809Y+2yotVqFl
=VPnH
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 Jan 2010 07:38:59 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:23:36 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon