CVE-2007-6220: DoS

Related Vulnerabilities: CVE-2007-6220  

Debian Bug report logs - #454527

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 5 Dec 2007 22:33:01 UTC

Severity: normal

Tags: security

Fixed in version typespeed/0.6.4-1

Done: Dafydd Harries <daf@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Dafydd Harries <daf@debian.org>:
Bug#454527; Package typespeed.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Dafydd Harries <daf@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-6220: DoS
Date: Wed, 05 Dec 2007 23:27:05 +0100

Package: typespeed
Severity: normal

Hi

The following CVE[0] has been issued against typespeed.

CVE-2007-6220:

typespeed before 0.6.4 allows remote attackers to cause a denial of
service (application crash) via unspecified network behavior that
triggers a divide-by-zero error.

It seems that the new upstream version fixes this issue, so packaging it
should be enough.

Please also mention the CVE id in the changelog, when you fix this.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6220




Tags added: security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 05 Dec 2007 22:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#454527; Package typespeed.


Acknowledgement sent to Dafydd Harries <daf@debian.org>:
Extra info received and forwarded to list.


Message #12 received at submit@bugs.debian.org:

From: Dafydd Harries <daf@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 454527@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#454527: CVE-2007-6220: DoS
Date: Thu, 6 Dec 2007 02:04:28 +0000

On 05/12/2007 at 23:27, Steffen Joeris wrote:
> Package: typespeed
> Severity: normal
> 
> Hi
> 
> The following CVE[0] has been issued against typespeed.
> 
> CVE-2007-6220:
> 
> typespeed before 0.6.4 allows remote attackers to cause a denial of
> service (application crash) via unspecified network behavior that
> triggers a divide-by-zero error.
> 
> It seems that the new upstream version fixes this issue, so packaging it
> should be enough.
> 
> Please also mention the CVE id in the changelog, when you fix this.

I have a new upstream version mostly ready.

-- 
Dafydd




Reply sent to Dafydd Harries <daf@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #22 received at 454527-close@bugs.debian.org:

From: Dafydd Harries <daf@debian.org>
To: 454527-close@bugs.debian.org
Subject: Bug#454527: fixed in typespeed 0.6.4-1
Date: Fri, 07 Dec 2007 05:32:04 +0000

Source: typespeed
Source-Version: 0.6.4-1

We believe that the bug you reported is fixed in the latest version of
typespeed, which is due to be installed in the Debian FTP archive:

typespeed_0.6.4-1.diff.gz
  to pool/main/t/typespeed/typespeed_0.6.4-1.diff.gz
typespeed_0.6.4-1.dsc
  to pool/main/t/typespeed/typespeed_0.6.4-1.dsc
typespeed_0.6.4-1_i386.deb
  to pool/main/t/typespeed/typespeed_0.6.4-1_i386.deb
typespeed_0.6.4.orig.tar.gz
  to pool/main/t/typespeed/typespeed_0.6.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 454527@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dafydd Harries <daf@debian.org> (supplier of updated typespeed package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Dec 2007 05:14:13 +0000
Source: typespeed
Binary: typespeed
Architecture: source i386
Version: 0.6.4-1
Distribution: unstable
Urgency: high
Maintainer: Dafydd Harries <daf@debian.org>
Changed-By: Dafydd Harries <daf@debian.org>
Description: 
 typespeed  - Zap words flying across the screen by typing them correctly
Closes: 355887 375136 454527
Changes: 
 typespeed (0.6.4-1) unstable; urgency=high
 .
   * New upstream release. Closes: #375136.
     - High priority due to fix for DoS attack. Closes: #454527
       (CVE-2007-6220).
     - Fixes segfault when $HOME is unset. Closes: #355887.
     - Adds Italian and French word lists, Dutch word file merged.
   * New upstream maintainer.
     - Update homepage URL, debian/copyright, debian/watch.
     - This version is not network-compatible with versions prior to 0.5.2.
     - Stricter network code.
     - Improved memory management.
   * High score file format has changed: install score conversion program to
     /usr/lib/typespeed and run it when package is configured.
   * postinst:
     - Remove obsolete score file backup/create/restore code.
     - Add code to upgrade score files to the new text-based format.
   * rules:
     - Update to new autotools build.
     - Put stamp files in debian/.
     - Support DEB_BUILD_OPTS=noopt.
   * Remove unnecessary debian/install.
   * Update man page installation.
   * Change menu file to Games/Action section as per new menu policy.
   * Bump to debhelper compat version 5.
   * Bump standards version to 3.7.3.
Files: 
 40671351293bdce0c7948bb49652f5dd 628 games optional typespeed_0.6.4-1.dsc
 fb55b92ad7e29a1a6a7a3e1ca383d5e2 250596 games optional typespeed_0.6.4.orig.tar.gz
 c78687ce718e10a267e8a515b0bb8219 6593 games optional typespeed_0.6.4-1.diff.gz
 265dcc2d56e456edb6449073fee419e5 74110 games optional typespeed_0.6.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHWNkcpD5tJxKCh+gRArpuAKC6hPXh4amdC0BI8wn0hABnt3LDPwCgvq1K
B/BaWkA1joCbN5HfZIiN4IU=
=G+/3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Apr 2011 07:34:24 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:06:04 2019; Machine Name: buxtehude
