Debian Bug report logs - #572946 qutecom: multiple vulnerabilities
Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#572946; Package qutecom. (Sun, 07 Mar 2010 19:45:04 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 07 Mar 2010 19:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: qutecom
Version: 2.2~rc3.hg396~dfsg1-5+b1
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for pidgin. Since qutecom embeds libpurple, it may also be
affected. I have not checked this myself, so please do so, and close
the bug if you find the package to be not affected.
CVE-2010-0423[0]:
| gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a
| denial of service (CPU consumption and application hang) by sending
| many smileys in a (1) IM or (2) chat.
CVE-2010-0420[1]:
| libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user
| chat (MUC) room is used, does not properly parse nicknames containing
| <br> sequences, which allows remote attackers to cause a denial of
| service (application crash) via a crafted nickname.
CVE-2010-0277[2]:
| slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6,
| including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a
| denial of service (memory corruption and application crash) or
| possibly have unspecified other impact via a malformed MSNSLP INVITE
| request in an SLP message, a different issue than CVE-2010-0013.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
http://security-tracker.debian.org/tracker/CVE-2010-0423
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
http://security-tracker.debian.org/tracker/CVE-2010-0420
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
http://security-tracker.debian.org/tracker/CVE-2010-0277
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#572946; Package qutecom. (Mon, 08 Mar 2010 15:18:11 GMT)
Acknowledgement sent to Ludovico Cavedon <cavedon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 08 Mar 2010 15:18:11 GMT)
Message #10 received at 572946@bugs.debian.org:
package qutecom
tags 572946 + confirmed
forwarded 572946 http://trac.qutecom.org/ticket/195
thanks
Michael Gilbert wrote:
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for pidgin. Since qutecom embeds libpurple, it may also be
> affected. I have not checked this myself, so please do so, and close
> the bug if you find the package to be not affected.
Yes, these CVEs affect qutecom, thanks for reporting them.
I will try and see if I get a stable version of qutecom (except segfault
at exit) working with the external libpurple.
Thanks,
Ludovico
Added tag(s) confirmed. Request was from Ludovico Cavedon <cavedon@debian.org> to control@bugs.debian.org. (Mon, 08 Mar 2010 15:18:13 GMT)
Reply sent to Ludovico Cavedon <cavedon@debian.org>: You have taken responsibility. (Tue, 09 Mar 2010 22:06:20 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Tue, 09 Mar 2010 22:06:20 GMT)
Message #19 received at 572946-close@bugs.debian.org:
Source: qutecom
Source-Version: 2.2~rc3.hg396~dfsg1-6
We believe that the bug you reported is fixed in the latest version of
qutecom, which is due to be installed in the Debian FTP archive:
qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
to main/q/qutecom/qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
to main/q/qutecom/qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
qutecom_2.2~rc3.hg396~dfsg1-6.dsc
to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.dsc
qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
to main/q/qutecom/wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 572946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated qutecom package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 09 Mar 2010 20:35:47 +0100
Source: qutecom
Binary: qutecom qutecom-data qutecom-dbg wengophone
Architecture: source all amd64
Version: 2.2~rc3.hg396~dfsg1-6
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description:
qutecom - SIP-based software telephone with video and chat features
qutecom-data - SIP-based software telephone with video and chat features (data f
qutecom-dbg - SIP-based software telephone with video and chat features (debug
wengophone - SIP-based software telephone with video and chat (transitional pa
Closes: 556311 559785 572946
Changes:
qutecom (2.2~rc3.hg396~dfsg1-6) unstable; urgency=low
.
* Add fix-binutils-gold.patch for building with binutils-gold.
Closes: #556311.
* Add libpurple-glib.patch and purple-wait-init.patch for fixing crash with
external libpurple.
* Compile against external libpurple (CVE-2010-0423, CVE-2010-0420,
CVE-2010-0277). Closes: #559785, #572946.
* Update Standards-Version to 3.8.4.
Checksums-Sha1:
9237b8854b92ea5ec911eb07d43b12cfaf90bd2d 2028 qutecom_2.2~rc3.hg396~dfsg1-6.dsc
ee86486341c76ef7e11e1130ae9519f64e977a76 35968 qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
662d0c201d887dea5a77a07936ced9ef199d9c94 6401092 qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
5396d590fc7728c6ff73021e436b0d1fbaee7ca1 20182 wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
54fe8fdcc27abeb6868aca2cccbd7df9864a1b8c 2850174 qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
f5241b630e2cb457e4813b4310a402a8bb10277f 31185354 qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
Checksums-Sha256:
f6b97c9c5a12ab516c716dd9d6317f02908cb203c46ca959b8eec3aeeae6c598 2028 qutecom_2.2~rc3.hg396~dfsg1-6.dsc
1751701be1910f2ae23d44bd9c57da2f3fa5de2265a2976b31da8fe288359752 35968 qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
7464674429e0d40bf56d0970db3f25413e3fcab067f41fe5389441ebfa62803b 6401092 qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
02b32336225301ef799e912ca7352331b6a40f4cbdded860dfe7bf90aad25069 20182 wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
96ae2dc0ba53d19577e560f0788a0255922aa341b3fb654af663fb3d3cc50cd0 2850174 qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
25bb1e5d985409dde589c2f850bc4b3ce38deba4ddd02a2fdb509fbb95b92df6 31185354 qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
Files:
7290d07a7169639bad5aa96a7465993f 2028 net optional qutecom_2.2~rc3.hg396~dfsg1-6.dsc
8fa618b5f50e544de608c9965c2fecf7 35968 net optional qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
f1ac0ae50531ca29eb4ea74471085198 6401092 net optional qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
5397b77bb6f93a505fa549c4239fad14 20182 net optional wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
e971bca280f3360e5595d72f68928bfb 2850174 net optional qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
48845e7657b356b71dfdc92f888ea4d2 31185354 debug extra qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkuWuY8ACgkQCidatrS8pdfDpQCdEk5jNlBEhnie5bLK/vkcvNhf
IB4An2mu2RNQ4t4LxlXSgn9iHjeNskKe
=DZr3
-----END PGP SIGNATURE-----
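The reporter asks that the fixing changelog entry name the CVE ids, and the close message above carries the entry that does so. As an added example (not part of this bug log, of Debian's tooling, or of the qutecom package), the following Python parses the top entry of a debian/changelog laid out in that format, extracts the CVE ids and the bug numbers its Closes: fields reference, and reports whether a given bug's expected CVEs are all named. The sample changelog text is constructed from the entry in the close message; the function names are my own.

```python
"""Audit the top debian/changelog entry: does it name the CVE ids it fixes?"""
import re
from dataclasses import dataclass, field

# Constructed sample: the qutecom entry quoted in the close message above,
# laid out as it would appear in debian/changelog (two-space "  * " items,
# four-space continuation lines, " -- " trailer).
SAMPLE_CHANGELOG = """\
qutecom (2.2~rc3.hg396~dfsg1-6) unstable; urgency=low

  * Add fix-binutils-gold.patch for building with binutils-gold.
    Closes: #556311.
  * Add libpurple-glib.patch and purple-wait-init.patch for fixing crash with
    external libpurple.
  * Compile against external libpurple (CVE-2010-0423, CVE-2010-0420,
    CVE-2010-0277). Closes: #559785, #572946.
  * Update Standards-Version to 3.8.4.

 -- Ludovico Cavedon <cavedon@debian.org>  Tue, 09 Mar 2010 20:35:47 +0100
"""

# "source (version) distribution; urgency=level"
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)$"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Same shape dpkg accepts for bug closures: "Closes: #1234, #5678" (case-insensitive)
CLOSES_RE = re.compile(
    r"closes:\s*(?:bug)?#?\s?\d+(?:,\s*(?:bug)?#?\s?\d+)*", re.IGNORECASE
)


@dataclass
class ChangelogEntry:
    source: str
    version: str
    distribution: str
    urgency: str
    items: list[str] = field(default_factory=list)  # one string per "  * " bullet


def parse_first_entry(text: str) -> ChangelogEntry:
    """Parse only the newest (top) entry; stop at its " -- " trailer."""
    entry = None
    for line in text.splitlines():
        if entry is None:
            if not line.strip():
                continue
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"bad changelog header: {line!r}")
            entry = ChangelogEntry(m["source"], m["version"], m["dist"], m["urgency"])
        elif line.startswith(" -- "):
            break                                   # trailer: entry complete
        elif line.startswith("  * "):
            entry.items.append(line[4:].strip())    # new bullet
        elif line.startswith("    ") and entry.items:
            entry.items[-1] += " " + line.strip()   # continuation of the bullet
        elif line.strip():
            raise ValueError(f"unexpected line in entry: {line!r}")
    if entry is None:
        raise ValueError("empty changelog")
    return entry


def cve_ids(entry: ChangelogEntry) -> set[str]:
    """All CVE identifiers named anywhere in the entry."""
    return {cve for item in entry.items for cve in CVE_RE.findall(item)}


def closed_bugs(entry: ChangelogEntry) -> set[int]:
    """Bug numbers referenced by the entry's Closes: fields."""
    bugs = set()
    for item in entry.items:
        for clause in CLOSES_RE.findall(item):
            bugs.update(int(n) for n in re.findall(r"\d+", clause))
    return bugs


def audit_entry(entry: ChangelogEntry, bug: int, expected_cves: set[str]) -> dict:
    """Check that the entry closes `bug` and names every CVE in `expected_cves`."""
    return {
        "bug_closed": bug in closed_bugs(entry),
        "missing_cves": expected_cves - cve_ids(entry),
    }


if __name__ == "__main__":
    e = parse_first_entry(SAMPLE_CHANGELOG)
    report = audit_entry(e, 572946, {"CVE-2010-0423", "CVE-2010-0420", "CVE-2010-0277"})
    print(f"{e.source} {e.version}: closes #572946 = {report['bug_closed']}, "
          f"missing CVE ids = {sorted(report['missing_cves']) or 'none'}")
```

Run as a script it reports that the entry closes #572946 and names all three CVE ids. Parsing stops at the first trailer on purpose: only the newest entry describes the upload under review, and a CVE id mentioned in an older entry would not justify the new version's security claim.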
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Jun 2010 07:38:13 GMT)
Last modified: Wed Jun 19 18:27:26 2019