Debian Bug report logs - #584933
CVE-2010-1513
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 7 Jun 2010 16:21:05 UTC
Severity: grave
Tags: security
Fixed in version ziproxy/3.1.0-1
Done: Marcos Talau <talau@users.sourceforge.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcos Talau <marcostalau@gmail.com>: Bug#584933; Package ziproxy. (Mon, 07 Jun 2010 16:21:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcos Talau <marcostalau@gmail.com>. (Mon, 07 Jun 2010 16:21:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ziproxy
Severity: grave
Tags: security
Hi,
the following security issue has been reported against ziproxy:
CVE-2010-1513
Multiple integer overflows in src/image.c in Ziproxy before 3.0.1
allow remote attackers to execute arbitrary code via (1) a large JPG
image, related to the jpg2bitmap function or (2) a large PNG image,
related to the png2bitmap function, leading to heap-based buffer
overflows.
This is fixed in 3.0.1.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages ziproxy depends on:
ii libc6 2.10.2-9 Embedded GNU C Library: Shared lib
ii libgif4 4.1.6-9 library for GIF images (library)
ii libjasper1 1.900.1-7 The JasPer JPEG-2000 runtime libra
ii libjpeg62 6b-16.1 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.43-1 PNG library - runtime
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
ziproxy recommends no packages.
ziproxy suggests no packages.
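The CVE text above describes a size computation that wraps: when an image's dimensions are multiplied to obtain a bitmap buffer length in a 32-bit type, a large enough width and height produce a small product, the allocation is undersized, and decoding the pixel data then overflows the heap. The following added example (not ziproxy's code; the function names, the 256 MiB policy limit and the sample dimensions are assumptions for illustration) places a naive size computation beside a checked one that rejects such inputs before any allocation happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive computation of the kind the CVE describes (illustrative, not
 * ziproxy's code): the product is formed in a 32-bit unsigned type, so
 * hostile dimensions wrap modulo 2^32 and the buffer later allocated
 * with this length is far too short for the pixel data written into it. */
uint32_t bitmap_bytes_naive(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;   /* silently wraps on overflow */
}

/* Assumed policy limit for the demonstration: refuse any bitmap larger
 * than 256 MiB regardless of whether the arithmetic itself would wrap. */
#define MAX_BITMAP_BYTES (256u * 1024u * 1024u)

/* Hardened form: the product is formed in a 64-bit intermediate, the
 * final multiplication is checked explicitly, and the upper bound is
 * enforced. Returns false (and leaves *out untouched) when the image
 * must be rejected. */
bool bitmap_bytes_checked(uint32_t width, uint32_t height, uint32_t channels,
                          size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    uint64_t px = (uint64_t)width * (uint64_t)height;   /* cannot wrap */
    if (px > UINT64_MAX / channels)                      /* would wrap */
        return false;
    uint64_t total = px * channels;
    if (total > MAX_BITMAP_BYTES)                        /* policy limit */
        return false;
    *out = (size_t)total;
    return true;
}

/* Convenience wrapper for callers that only need a yes/no answer:
 * returns the validated byte count, or 0 when the image is rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t n;
    return bitmap_bytes_checked(width, height, channels, &n) ? n : 0;
}

/* Allocate the bitmap only after the size has passed the checks; a NULL
 * result tells the caller to drop the image instead of decoding into an
 * undersized buffer. */
unsigned char *alloc_bitmap(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t n;
    if (!bitmap_bytes_checked(width, height, channels, &n))
        return NULL;
    return calloc(n, 1);
}
```

With a 65536 x 65536 single-channel image the naive computation yields 0 bytes, while the checked version refuses the image outright.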
Reply sent to Marcos Talau <talau@users.sourceforge.net>: You have taken responsibility. (Sun, 13 Jun 2010 15:39:10 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 13 Jun 2010 15:39:10 GMT)
Message #10 received at 584933-close@bugs.debian.org:
Source: ziproxy
Source-Version: 3.1.0-1
We believe that the bug you reported is fixed in the latest version of
ziproxy, which is due to be installed in the Debian FTP archive:
ziproxy_3.1.0-1.debian.tar.gz to main/z/ziproxy/ziproxy_3.1.0-1.debian.tar.gz
ziproxy_3.1.0-1.dsc to main/z/ziproxy/ziproxy_3.1.0-1.dsc
ziproxy_3.1.0-1_i386.deb to main/z/ziproxy/ziproxy_3.1.0-1_i386.deb
ziproxy_3.1.0.orig.tar.bz2 to main/z/ziproxy/ziproxy_3.1.0.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 584933@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marcos Talau <talau@users.sourceforge.net> (supplier of updated ziproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 04 Jun 2010 17:50:03 -0300
Source: ziproxy
Binary: ziproxy
Architecture: source i386
Version: 3.1.0-1
Distribution: unstable
Urgency: low
Maintainer: Marcos Talau <talau@users.sourceforge.net>
Changed-By: Marcos Talau <talau@users.sourceforge.net>
Description:
ziproxy - compressing HTTP proxy server
Closes: 581153 584933
Changes:
ziproxy (3.1.0-1) unstable; urgency=low
.
* New upstream release (LP: #569611) (Closes: #584933) [CVE-2010-1513]
* Fixed bashisms in ziproxy_genhtml_stats.sh (Closes: #581153)
- Thanks to Raphael Geissert.
* Updated debian/copyright
* debian/ziproxy.init:
- Added Required-* $remote_fs
- Now using pidfile option from daemon
* User/group name now in debian/ziproxy.default
* Removed patch for Russian man page
- Upstream removed Russian man pages due to lack of maintainer
* config.* is now updating with debhelper
* Changed maintainer mail
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:35:36 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:05:29 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.