Debian Bug report logs - #584933
CVE-2010-1513


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 7 Jun 2010 16:21:05 UTC

Severity: grave

Tags: security

Fixed in version ziproxy/3.1.0-1

Done: Marcos Talau <talau@users.sourceforge.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcos Talau <marcostalau@gmail.com>:
Bug#584933; Package ziproxy. (Mon, 07 Jun 2010 16:21:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Marcos Talau <marcostalau@gmail.com>. (Mon, 07 Jun 2010 16:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1513
Date: Mon, 07 Jun 2010 18:18:53 +0200
Package: ziproxy
Severity: grave
Tags: security

Hi,
the following security issue has been reported against ziproxy:

CVE-2010-1513

Multiple integer overflows in src/image.c in Ziproxy before 3.0.1
allow remote attackers to execute arbitrary code via (1) a large JPG
image, related to the jpg2bitmap function or (2) a large PNG image,
related to the png2bitmap function, leading to heap-based buffer
overflows.

This is fixed in 3.0.1.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages ziproxy depends on:
ii  libc6                   2.10.2-9         Embedded GNU C Library: Shared lib
ii  libgif4                 4.1.6-9          library for GIF images (library)
ii  libjasper1              1.900.1-7        The JasPer JPEG-2000 runtime libra
ii  libjpeg62               6b-16.1          The Independent JPEG Group's JPEG 
ii  libpng12-0              1.2.43-1         PNG library - runtime
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

ziproxy recommends no packages.

ziproxy suggests no packages.
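The bug class named in the report above (an image-dimension product that wraps before the heap buffer for the decoded bitmap is sized) is shown below as an added example. It is not code from ziproxy or from the bug report: the bitmap_t type, the MAX_PIXELS limit and every header value are constructed for the illustration. The unchecked function shows how a large width and height collapse to a small byte count; the checked function is the defensive sizing a decoder should do before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bitmap descriptor for this illustration; not ziproxy's own type. */
typedef struct {
    unsigned width;
    unsigned height;
    unsigned channels;
    unsigned char *pixels;
} bitmap_t;

/* Constructed policy limit: refuse images with more pixels than this
 * even when the arithmetic itself would not overflow. */
#define MAX_PIXELS ((size_t)64 * 1024 * 1024)

/* Multiply two size_t values, reporting overflow instead of wrapping. */
static int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Unchecked sizing: the product wraps silently in 32-bit unsigned
 * arithmetic, so a huge header can yield a tiny allocation that the
 * decoder then overruns. This shows the bug class, not ziproxy's code. */
unsigned bitmap_bytes_unchecked(unsigned width, unsigned height, unsigned channels)
{
    return width * height * channels;
}

/* Checked sizing: returns the byte count, or 0 if any input is invalid,
 * the product overflows size_t, or the pixel count exceeds MAX_PIXELS.
 * A zero result tells the caller to reject the image before allocating. */
size_t bitmap_bytes_checked(unsigned width, unsigned height, unsigned channels)
{
    size_t pixels, bytes;

    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return 0;
    if (mul_overflows(width, height, &pixels) || pixels > MAX_PIXELS)
        return 0;
    if (mul_overflows(pixels, channels, &bytes))
        return 0;
    return bytes;
}

/* Allocate a bitmap only after the size has been validated. */
bitmap_t *bitmap_alloc_checked(unsigned width, unsigned height, unsigned channels)
{
    size_t bytes = bitmap_bytes_checked(width, height, channels);
    bitmap_t *bm;

    if (bytes == 0)
        return NULL;
    bm = calloc(1, sizeof *bm);
    if (bm == NULL)
        return NULL;
    bm->pixels = calloc(bytes, 1);
    if (bm->pixels == NULL) {
        free(bm);
        return NULL;
    }
    bm->width = width;
    bm->height = height;
    bm->channels = channels;
    return bm;
}

void bitmap_free(bitmap_t *bm)
{
    if (bm != NULL) {
        free(bm->pixels);
        free(bm);
    }
}

/* Returns 1 if a header with these dimensions is accepted and allocated,
 * 0 if it is rejected. */
int header_accepted(unsigned width, unsigned height, unsigned channels)
{
    bitmap_t *bm = bitmap_alloc_checked(width, height, channels);
    if (bm == NULL)
        return 0;
    bitmap_free(bm);
    return 1;
}

int main(void)
{
    /* Constructed header values: a plausible image and a hostile one. */
    printf("640x480x3: unchecked=%u checked=%zu\n",
           bitmap_bytes_unchecked(640, 480, 3), bitmap_bytes_checked(640, 480, 3));
    printf("65537x65537x1: unchecked=%u checked=%zu\n",
           bitmap_bytes_unchecked(65537, 65537, 1), bitmap_bytes_checked(65537, 65537, 1));
    printf("hostile header accepted: %d\n", header_accepted(65537, 65537, 3));
    return 0;
}
```

For the 65537x65537 header the unchecked product is 2^32 + 2^17 + 1, which wraps to 131073 bytes, a buffer far smaller than the 4 billion pixels the decoder would go on to write; the checked path returns 0 and the caller never allocates. The explicit pixel cap matters on 64-bit builds, where size_t arithmetic would not overflow but an attacker-chosen multi-gigabyte allocation is still a denial-of-service risk.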




Reply sent to Marcos Talau <talau@users.sourceforge.net>:
You have taken responsibility. (Sun, 13 Jun 2010 15:39:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 13 Jun 2010 15:39:10 GMT)


Message #10 received at 584933-close@bugs.debian.org:

From: Marcos Talau <talau@users.sourceforge.net>
To: 584933-close@bugs.debian.org
Subject: Bug#584933: fixed in ziproxy 3.1.0-1
Date: Sun, 13 Jun 2010 15:38:20 +0000
Source: ziproxy
Source-Version: 3.1.0-1

We believe that the bug you reported is fixed in the latest version of
ziproxy, which is due to be installed in the Debian FTP archive:

ziproxy_3.1.0-1.debian.tar.gz
  to main/z/ziproxy/ziproxy_3.1.0-1.debian.tar.gz
ziproxy_3.1.0-1.dsc
  to main/z/ziproxy/ziproxy_3.1.0-1.dsc
ziproxy_3.1.0-1_i386.deb
  to main/z/ziproxy/ziproxy_3.1.0-1_i386.deb
ziproxy_3.1.0.orig.tar.bz2
  to main/z/ziproxy/ziproxy_3.1.0.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584933@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Talau <talau@users.sourceforge.net> (supplier of updated ziproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Fri, 04 Jun 2010 17:50:03 -0300
Source: ziproxy
Binary: ziproxy
Architecture: source i386
Version: 3.1.0-1
Distribution: unstable
Urgency: low
Maintainer: Marcos Talau <talau@users.sourceforge.net>
Changed-By: Marcos Talau <talau@users.sourceforge.net>
Description: 
 ziproxy    - compressing HTTP proxy server
Closes: 581153 584933
Changes: 
 ziproxy (3.1.0-1) unstable; urgency=low
 .
   * New upstream release (LP: #569611) (Closes: #584933) [CVE-2010-1513]
   * Fixed bashisms in ziproxy_genhtml_stats.sh (Closes: #581153)
     - Thanks to Raphael Geissert.
   * Updated debian/copyright
   * debian/ziproxy.init:
     - Added Required-* $remote_fs
     - Now using pidfile option from daemon
   * User/group name now in debian/ziproxy.default
   * Removed patch for Russian man page
     - Upstream removed Russian man pages due to lack of maintainer
   * config.* is now updating with debhelper
   * Changed maintainer mail
Checksums-Sha1: 
 9de06086d6c79373e7c5e7c18cf880e4b3949adf 1557 ziproxy_3.1.0-1.dsc
 2bf70793c923e53b8a390626c180fa79ac337b14 260739 ziproxy_3.1.0.orig.tar.bz2
 3668fe6474aba4c08c392a7e68ffccec98cc6a5a 7772 ziproxy_3.1.0-1.debian.tar.gz
 ea8effe8b1095cafd4c12c7081b41bea897f0e78 124816 ziproxy_3.1.0-1_i386.deb
Checksums-Sha256: 
 03f9c23b8e485ed9fc0eb759cb67cf6c8fe1143ae32f38cf63c91d05c8356194 1557 ziproxy_3.1.0-1.dsc
 e92589172abc7a055467b66983ae65452f688760a0eea973cc09bf242d7d7206 260739 ziproxy_3.1.0.orig.tar.bz2
 dbb25343d5bf4662f63e79368412e04e754b2b65975e2fcac997c26192a6e35b 7772 ziproxy_3.1.0-1.debian.tar.gz
 04922c16c214e284af61168defef7387b51c46a143e904742be69ca5b60c81f6 124816 ziproxy_3.1.0-1_i386.deb
Files: 
 9ebfe4915e8a3668eb0f558c887762d0 1557 net extra ziproxy_3.1.0-1.dsc
 571fefc39835f0dac571447862d28df0 260739 net extra ziproxy_3.1.0.orig.tar.bz2
 f3878732ef7534ff05dd8c12243bde4e 7772 net extra ziproxy_3.1.0-1.debian.tar.gz
 0c953757b0b0f0e0dcf5046cbfa05ad7 124816 net extra ziproxy_3.1.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAwAGBQJMFOVSAAoJEOGDbms1cuRhevAH/jyz2dFAu1+zt8rhlSr54TNX
METwBt9acukqc2FwN7NT9noo3CXbLUXWufWfOiK8fVzS+ya6l3rMrWK3CCOgQuMd
EyoNI2kwa72H/XT2d1CW4eJ6rYrHvrTX6EfTGY7iDxyNFRU4a59qSlYMsQyV2xgW
kyyWvh4ELCqmDs+3rXxEKeyUdS37WSIjCBsaDEFO7VK1ShPHJ7WK1zJurwpbBa4l
429c5fFmkZXeObFOte42LWC/DbdSiZT5Du4nCXqizRs00PrzdPDarSmqHo0l0gs7
w29K0BvFwla93Rj7yO8aKcXQMa4iuC87Bu8HWFzTipRH3UOgPbdLuLv9UzRrt+Y=
=DcpM
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:35:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:05:29 2019; Machine Name: buxtehude
