CVE-2007-0999: still vulnerable to format string exploits

Debian Bug report logs - #414069
CVE-2007-0999: still vulnerable to format string exploits

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kees Cook <kees@outflux.net>

To: Debian Bugs <submit@bugs.debian.org>

Subject: CVE-2007-0999: still vulnerable to format string exploits

Date: Thu, 8 Mar 2007 17:27:09 -0800

[Message part 1 (text/plain, inline)]

Package: ekiga
Version: 2.0.3-4
Severity: grave
Tags: patch, security

Hello!  Unfortunately, it seems the upstream changes for CVE-2007-1006 
weren't sufficient to solve the problems.  Upstream is preparing 2.0.6 
to be released[1], but in the meantime, I've attached the patch I'm 
using in Ubuntu for 2.0.3.

[1] http://bugzilla.gnome.org/show_bug.cgi?id=415526

-- 
Kees Cook                                            @outflux.net

[51_fix-format-strings.dpatch (text/plain, attachment)]

Message #12 received at 414069-close@bugs.debian.org (full text, mbox, reply):

From: Loic Minier <lool@dooz.org>

To: 414069-close@bugs.debian.org

Subject: Bug#414069: fixed in ekiga 2.0.3-5

Date: Sat, 10 Mar 2007 08:47:05 +0000

Source: ekiga
Source-Version: 2.0.3-5

We believe that the bug you reported is fixed in the latest version of
ekiga, which is due to be installed in the Debian FTP archive:

ekiga_2.0.3-5.diff.gz
  to pool/main/e/ekiga/ekiga_2.0.3-5.diff.gz
ekiga_2.0.3-5.dsc
  to pool/main/e/ekiga/ekiga_2.0.3-5.dsc
ekiga_2.0.3-5_i386.deb
  to pool/main/e/ekiga/ekiga_2.0.3-5_i386.deb
gnomemeeting_2.0.3-5_all.deb
  to pool/main/e/ekiga/gnomemeeting_2.0.3-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414069@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool@dooz.org> (supplier of updated ekiga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Mar 2007 09:19:05 +0100
Source: ekiga
Binary: gnomemeeting ekiga
Architecture: source i386 all
Version: 2.0.3-5
Distribution: unstable
Urgency: high
Maintainer: Kilian Krause <kilian@debian.org>
Changed-By: Loic Minier <lool@dooz.org>
Description: 
 ekiga      - H.323 and SIP compatible VOIP client
 gnomemeeting - Dummy transition package of GnomeMeeting for Ekiga
Closes: 414069
Changes: 
 ekiga (2.0.3-5) unstable; urgency=high
 .
   * SECURITY: New dpatch, 51_fix-format-strings, supersedes dpatch
     20_CVE-2007-1006 and fixes additional insecure format strings;
     CVE-2007-1006 and CVE-2007-0999; GNOME #415526; thanks Kees Cook;
     closes: #414069.
Files: 
 d72ea0ff59944d8dcbd90ce51c35d98b 1734 gnome optional ekiga_2.0.3-5.dsc
 49b3669775750367b0db2cf358ab5bfc 19617 gnome optional ekiga_2.0.3-5.diff.gz
 efaf90010b05ab3475e2d6c48c7e31fd 5497922 gnome optional ekiga_2.0.3-5_i386.deb
 17bf20b79873ce15cc2504c981ed7167 142272 gnome optional gnomemeeting_2.0.3-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8m4b4VUX8isJIMARAhiuAKCWVllEclVwH/5CiTknzYvyf589TACeLS5c
Rk8C/al19uc5/sdJ2Md1iGw=
=o5u/
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.