Debian Bug report logs - #424686
CVE-2007-1673: denial of service (infinite loop) in zoo and unzoo
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Wed, 16 May 2007 19:18:01 UTC
Severity: grave
Tags: patch, security
Found in versions zoo/2.10-18, zoo/2.10-11sarge0
Fixed in version zoo/2.10-19
Done: Jose Carlos Medeiros <debian@psabs.com.br>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>: Bug#424686; Package zoo.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>.
Message #5 received at submit@bugs.debian.org:
Package: zoo
Version: 2.10-18
Severity: grave
Tags: security patch
Justification: user security hole
From CVE-2007-1673:
"unzoo.c allows remote attackers to cause a denial of service (infinite
loop) via a ZOO archive with a direntry structure that points to a
previous file."
Severity grave because zoo might be used by virus scanners:
zoo is suggested by amavisd-new.
unzoo is recommended by clamav.
PoC exploit is at [1]
Patch for zoo is at [2]
Please mention the CVE id in the changelog.
[1] http://www.sfritsch.de/CVE-2007-1673.zoo
[2] http://archives.neohapsis.com/archives/bugtraq/2007-05/0046.html
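As an added example, not code from the page, the zoo package or the linked patch: a directory walker that refuses the archive pattern the CVE text describes (a directory entry whose next pointer leads to itself or to a previous entry). It assumes the ZOO 2.10 header and directory-entry layouts named in the comments and parses only those leading fields; the strictly-increasing next-offset guard is my own choice and need not match the Debian patch, and the archives it builds are constructed test data.

```python
import struct

ZOO_TAG = 0xFDC4A7DC       # magic word in the archive header and in every directory entry
ARCHIVE_HEADER_LEN = 34    # assumed layout: 20-byte banner, u32 tag, u32 start, u32 minus, major, minor
DIR_ENTRY_LEN = 38         # entry size used by the constructed archives below

def first_entry_offset(buf):
    """Validate the archive header and return the offset of the first directory entry."""
    if len(buf) < ARCHIVE_HEADER_LEN:
        raise ValueError("truncated archive header")
    tag, start, minus = struct.unpack_from("<III", buf, 20)
    if tag != ZOO_TAG or (start + minus) & 0xFFFFFFFF:   # minus is the negated start offset
        raise ValueError("bad archive header")
    return start

def walk_directory(buf):
    """Follow the directory chain (it ends at an entry whose next pointer is 0) and return
    [(entry_off, next_off, data_off), ...]; the backwards-pointer guard makes the walk finite."""
    pos, members = first_entry_offset(buf), []
    while True:
        if pos < ARCHIVE_HEADER_LEN or pos + 14 > len(buf):   # 14 = bytes of the fields parsed below
            raise ValueError(f"directory entry at {pos} lies outside the file")
        magic, _type, _method, nxt, dat = struct.unpack_from("<IBBII", buf, pos)
        if magic != ZOO_TAG:
            raise ValueError(f"bad entry magic at {pos}")
        if nxt == 0:                       # terminating entry: no more members
            return members
        if nxt <= pos:                     # the CVE-2007-1673 case: self-reference or earlier entry
            raise ValueError(f"entry at {pos} points backwards to {nxt}")
        members.append((pos, nxt, dat))
        pos = nxt                          # strictly increasing and bounded by len(buf)

def check_archive(buf):
    """One-line verdict; returns instead of spinning, whatever the next pointers say."""
    try:
        return f"ok: {len(walk_directory(buf))} member(s)"
    except ValueError as e:
        return f"rejected: {e}"

def build_archive(next_offsets):
    """Constructed test data: header plus one 38-byte entry per element, no file payloads."""
    start = ARCHIVE_HEADER_LEN
    hdr = b"ZOO 2.10 Archive.\x1a\x00\x00" + struct.pack("<III", ZOO_TAG, start, (-start) & 0xFFFFFFFF) + b"\x02\x0a"
    body = b"".join(struct.pack("<IBBII", ZOO_TAG, 1, 0, nxt, 0).ljust(DIR_ENTRY_LEN, b"\x00")
                    for nxt in next_offsets)
    return hdr + body

GOOD = build_archive([72, 110, 0])     # entries at 34, 72, 110: two members, then the terminator
LOOPED = build_archive([72, 34, 0])    # entry at 72 points back to 34: the CVE-2007-1673 pattern
```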
Bug 424686 cloned as bug 424690. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 16 May 2007 19:30:02 GMT)
Bug marked as found in version 2.10-11sarge0. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 16 May 2007 19:30:08 GMT)
Tags added: pending. Request was from "Jose Carlos Medeiros" <jose@psabs.com.br> to control@bugs.debian.org. (Fri, 18 May 2007 18:06:06 GMT)
Reply sent to Jose Carlos Medeiros <debian@psabs.com.br>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #16 received at 424686-close@bugs.debian.org:
Source: zoo
Source-Version: 2.10-19
We believe that the bug you reported is fixed in the latest version of
zoo, which is due to be installed in the Debian FTP archive:
zoo_2.10-19.diff.gz
to pool/main/z/zoo/zoo_2.10-19.diff.gz
zoo_2.10-19.dsc
to pool/main/z/zoo/zoo_2.10-19.dsc
zoo_2.10-19_i386.deb
to pool/main/z/zoo/zoo_2.10-19_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 424686@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jose Carlos Medeiros <debian@psabs.com.br> (supplier of updated zoo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 18 May 2007 14:32:12 -0300
Source: zoo
Binary: zoo
Architecture: source i386
Version: 2.10-19
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Medeiros <debian@psabs.com.br>
Changed-By: Jose Carlos Medeiros <debian@psabs.com.br>
Description:
zoo - manipulate zoo archives
Closes: 424686
Changes:
zoo (2.10-19) unstable; urgency=low
.
* Bump Standards-Version: 3.7.2.
* Added Homepage in debian/control.
* Added patch to solve "CVE-2007-1673: denial of service (infinite loop)",
thanks to Jean-Sébastien Guay-Leroux <jean-sebastien@guay-leroux.com>.
(Closes: #424686)
Files:
7eab7de8eb37505b1775c33fa4e8f76e 617 utils optional zoo_2.10-19.dsc
8dc4b5df78b71a06d14335377b40db77 13242 utils optional zoo_2.10-19.diff.gz
1545c7dc273a3ca9e32fc6e028e5ab33 61248 utils optional zoo_2.10-19_i386.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Jul 2007 08:04:17 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:37:25 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.