Debian Bug report logs - #656581
usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)


Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Fri, 20 Jan 2012 09:54:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version usbmuxd/1.0.7-1

Fixed in version usbmuxd/1.0.7-2

Done: Julien Lavergne <julien.lavergne@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Julien Lavergne <julien.lavergne@gmail.com>:
Bug#656581; Package usbmuxd. (Fri, 20 Jan 2012 09:54:05 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Julien Lavergne <julien.lavergne@gmail.com>. (Fri, 20 Jan 2012 09:54:39 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)
Date: Fri, 20 Jan 2012 10:51:42 +0100
Package: usbmuxd
Version: 1.0.7-1
Severity: grave
Tags: security patch upstream
Justification: user security hole

Hi,

a buffer overflow was introduced in usbmuxd 1.0.7. More information can
be found on various sources:

http://openwall.com/lists/oss-security/2012/01/19/25
https://secunia.com/advisories/47545/
https://bugs.gentoo.org/show_bug.cgi?id=399409

and a patch is available at
http://git.marcansoft.com/?p=usbmuxd.git;a=commit;h=f794991993af56a74795891b4ff9da506bc893e6

Regards,
-- 
Yves-Alexis                                           

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages usbmuxd depends on:
ii  adduser       3.113
ii  libc6         2.13-24
ii  libplist1     1.8-1
ii  libusb-1.0-0  2:1.0.9~rc3-3
ii  libusbmuxd1   1.0.7-1

usbmuxd recommends no packages.

usbmuxd suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656581; Package usbmuxd. (Fri, 20 Jan 2012 22:03:05 GMT)


Acknowledgement sent to Julien Lavergne <julien.lavergne@gmail.com>:
Extra info received and forwarded to list. (Fri, 20 Jan 2012 22:03:05 GMT)


Message #10 received at 656581@bugs.debian.org:

From: Julien Lavergne <julien.lavergne@gmail.com>
To: Yves-Alexis Perez <corsac@debian.org>, 656581@bugs.debian.org
Subject: Re: Bug#656581: usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)
Date: Fri, 20 Jan 2012 22:59:40 +0100
On 01/20/2012 10:51 AM, Yves-Alexis Perez wrote:
> Package: usbmuxd
> Version: 1.0.7-1
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Hi,
>
> a buffer overflow was introduced in usbmuxd 1.0.7. More information can
> be found on various sources:
>
> http://openwall.com/lists/oss-security/2012/01/19/25
> https://secunia.com/advisories/47545/
> https://bugs.gentoo.org/show_bug.cgi?id=399409
>
> and a patch is available at
> http://git.marcansoft.com/?p=usbmuxd.git;a=commit;h=f794991993af56a74795891b4ff9da506bc893e6
>
> Regards,
Thanks, revision 1.0.7-2 with the upstream patch is available on mentors.

Regards,
Julien Lavergne




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Lavergne <julien.lavergne@gmail.com>:
Bug#656581; Package usbmuxd. (Sat, 21 Jan 2012 08:18:11 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Lavergne <julien.lavergne@gmail.com>. (Sat, 21 Jan 2012 08:18:22 GMT)


Message #15 received at 656581@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Julien Lavergne <julien.lavergne@gmail.com>
Cc: 656581@bugs.debian.org
Subject: Re: Bug#656581: usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)
Date: Sat, 21 Jan 2012 09:14:26 +0100
On Fri., 2012-01-20 at 22:59 +0100, Julien Lavergne wrote:
> Thanks, revision 1.0.7-2 with the upstream patch is available on
> mentors.

Does this mean you need one?
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#656581; Package usbmuxd. (Sun, 22 Jan 2012 22:45:03 GMT)


Acknowledgement sent to Julien Lavergne <julien.lavergne@gmail.com>:
Extra info received and forwarded to list. (Sun, 22 Jan 2012 22:45:03 GMT)


Message #20 received at 656581@bugs.debian.org:

From: Julien Lavergne <julien.lavergne@gmail.com>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: 656581@bugs.debian.org
Subject: Re: Bug#656581: usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)
Date: Sun, 22 Jan 2012 23:43:30 +0100
On 01/21/2012 09:14 AM, Yves-Alexis Perez wrote:
> On Fri., 2012-01-20 at 22:59 +0100, Julien Lavergne wrote:
>> > Thanks, revision 1.0.7-2 with the upstream patch is available on
>> > mentors.
> Does this mean you need one?
Yes, my regular sponsor is not available, but I can do a proper RFS
tomorrow.

Regards,
Julien Lavergne




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Lavergne <julien.lavergne@gmail.com>:
Bug#656581; Package usbmuxd. (Mon, 23 Jan 2012 10:32:26 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Lavergne <julien.lavergne@gmail.com>. (Mon, 23 Jan 2012 10:32:32 GMT)


Message #25 received at 656581@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Julien Lavergne <julien.lavergne@gmail.com>
Cc: 656581@bugs.debian.org
Subject: Re: Bug#656581: usbmuxd: buffer overflow introduced in 1.0.7 (CVE-2012-0065)
Date: Mon, 23 Jan 2012 11:31:18 +0100
On Sun., 2012-01-22 at 23:43 +0100, Julien Lavergne wrote:
> On 01/21/2012 09:14 AM, Yves-Alexis Perez wrote:
> > On Fri., 2012-01-20 at 22:59 +0100, Julien Lavergne wrote:
> >> > Thanks, revision 1.0.7-2 with the upstream patch is available on
> >> > mentors.
> > Does this mean you need one?
> Yes, my regular sponsor is not available, but I can do a proper RFS
> tomorrow.

Done. Note that:

W: usbmuxd source: out-of-date-standards-version 3.9.1.0 (current is
3.9.2)

You should use the latest number for the standards version, stick at the
minor one or you'll always be out-of-date.

Regards,
-- 
Yves-Alexis

Reply sent to Julien Lavergne <julien.lavergne@gmail.com>:
You have taken responsibility. (Mon, 23 Jan 2012 10:51:04 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Mon, 23 Jan 2012 10:51:07 GMT)


Message #30 received at 656581-close@bugs.debian.org:

From: Julien Lavergne <julien.lavergne@gmail.com>
To: 656581-close@bugs.debian.org
Subject: Bug#656581: fixed in usbmuxd 1.0.7-2
Date: Mon, 23 Jan 2012 10:49:26 +0000
Source: usbmuxd
Source-Version: 1.0.7-2

We believe that the bug you reported is fixed in the latest version of
usbmuxd, which is due to be installed in the Debian FTP archive:

libusbmuxd-dev_1.0.7-2_amd64.deb
  to main/u/usbmuxd/libusbmuxd-dev_1.0.7-2_amd64.deb
libusbmuxd1-dbg_1.0.7-2_amd64.deb
  to main/u/usbmuxd/libusbmuxd1-dbg_1.0.7-2_amd64.deb
libusbmuxd1_1.0.7-2_amd64.deb
  to main/u/usbmuxd/libusbmuxd1_1.0.7-2_amd64.deb
usbmuxd_1.0.7-2.debian.tar.gz
  to main/u/usbmuxd/usbmuxd_1.0.7-2.debian.tar.gz
usbmuxd_1.0.7-2.dsc
  to main/u/usbmuxd/usbmuxd_1.0.7-2.dsc
usbmuxd_1.0.7-2_amd64.deb
  to main/u/usbmuxd/usbmuxd_1.0.7-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656581@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Lavergne <julien.lavergne@gmail.com> (supplier of updated usbmuxd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Jan 2012 22:49:38 +0100
Source: usbmuxd
Binary: usbmuxd libusbmuxd1 libusbmuxd-dev libusbmuxd1-dbg
Architecture: source amd64
Version: 1.0.7-2
Distribution: unstable
Urgency: high
Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Changed-By: Julien Lavergne <julien.lavergne@gmail.com>
Description: 
 libusbmuxd-dev - USB multiplexor daemon for iPhone and iPod Touch devices - devel
 libusbmuxd1 - USB multiplexor daemon for iPhone and iPod Touch devices - librar
 libusbmuxd1-dbg - USB multiplexor daemon for iPhone and iPod Touch devices - debug
 usbmuxd    - USB multiplexor daemon for iPhone and iPod Touch devices
Closes: 656581
Changes: 
 usbmuxd (1.0.7-2) unstable; urgency=high
 .
   * debian/control:
    - Update Maintainer field, and add me to Uploaders.
    - Update Vcs-*.
   * debian/patches/90-cve-2012-0065.patch:
    - From upstream, fix possible buffer overflow (CVE-2012-0065).
      Closes: #656581
Checksums-Sha1: 
 886e596de9d4f012313da6d8809e234aeec1683c 2192 usbmuxd_1.0.7-2.dsc
 09f8d4773cb2af9777dd2bc7b9a4fe1d95258771 6241 usbmuxd_1.0.7-2.debian.tar.gz
 4d4e9d5ef6dda4771041e1f30ddc1b659a68f67b 38856 usbmuxd_1.0.7-2_amd64.deb
 6bac1fb5e704904f468b4bd60adb2d00e267a4bb 14240 libusbmuxd1_1.0.7-2_amd64.deb
 e36c43e6a92220c5a11e226f352bb75732cc3456 6028 libusbmuxd-dev_1.0.7-2_amd64.deb
 c8a0af311aa6d614d408f13e1b1b413ca3a8e0fe 10368 libusbmuxd1-dbg_1.0.7-2_amd64.deb
Checksums-Sha256: 
 bab7e35118c984f60d11952fb1c226e4c7d58dea0fc4f2ae544ff3520874deab 2192 usbmuxd_1.0.7-2.dsc
 aef9aab647e6e283435807000d5f521b9266ee40685562b9f052f45c72034098 6241 usbmuxd_1.0.7-2.debian.tar.gz
 034625b023dafbec5b4695b685b10b38bd5724630fbe15b3f4f6721d9144cf3d 38856 usbmuxd_1.0.7-2_amd64.deb
 e1c3906f9a0667ae382486d5b2fe341c977eeff45f4119c5addff0638f824feb 14240 libusbmuxd1_1.0.7-2_amd64.deb
 0642c7f0ff16e66b156fbe9c152d827cd41b4981e82a1156b21fce5db5b672f2 6028 libusbmuxd-dev_1.0.7-2_amd64.deb
 a539a638b1000ffb3e7a3f49ab73c73dd9e930a27ad4e4dccd1e120c38212e9a 10368 libusbmuxd1-dbg_1.0.7-2_amd64.deb
Files: 
 bea012d09511e07cbf6689d4b5e62d17 2192 utils optional usbmuxd_1.0.7-2.dsc
 8db81c1e56ac8e7798ca1905a698ab59 6241 utils optional usbmuxd_1.0.7-2.debian.tar.gz
 0aca46b67eb367e5fd8a65c0e9404bbb 38856 utils optional usbmuxd_1.0.7-2_amd64.deb
 bd60898d9c268ab3b846429fea6c6a42 14240 libs optional libusbmuxd1_1.0.7-2_amd64.deb
 6de168f8efc89312a130d872ab85f440 6028 libdevel optional libusbmuxd-dev_1.0.7-2_amd64.deb
 1bdfd975b5e81f4a1f9c2141cdd1060a 10368 debug extra libusbmuxd1-dbg_1.0.7-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
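The signed .changes record above lists every uploaded file with its size and SHA-1, SHA-256 and MD5 digests. As an added example (not code from this bug log, from the usbmuxd project or from Debian's own tooling), the following Python script parses those multi-line fields and verifies local copies of the listed files against them. The CHANGES_EXCERPT constant reuses the SHA-256 and Files values shown in the log; the files created in demo() and their listing are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile

# Excerpt of the usbmuxd 1.0.7-2 .changes file quoted in the bug log
# (digest, size and file-name values copied from the log).
CHANGES_EXCERPT = """\
Checksums-Sha256:
 bab7e35118c984f60d11952fb1c226e4c7d58dea0fc4f2ae544ff3520874deab 2192 usbmuxd_1.0.7-2.dsc
 aef9aab647e6e283435807000d5f521b9266ee40685562b9f052f45c72034098 6241 usbmuxd_1.0.7-2.debian.tar.gz
 034625b023dafbec5b4695b685b10b38bd5724630fbe15b3f4f6721d9144cf3d 38856 usbmuxd_1.0.7-2_amd64.deb
 e1c3906f9a0667ae382486d5b2fe341c977eeff45f4119c5addff0638f824feb 14240 libusbmuxd1_1.0.7-2_amd64.deb
 0642c7f0ff16e66b156fbe9c152d827cd41b4981e82a1156b21fce5db5b672f2 6028 libusbmuxd-dev_1.0.7-2_amd64.deb
 a539a638b1000ffb3e7a3f49ab73c73dd9e930a27ad4e4dccd1e120c38212e9a 10368 libusbmuxd1-dbg_1.0.7-2_amd64.deb
Files:
 bea012d09511e07cbf6689d4b5e62d17 2192 utils optional usbmuxd_1.0.7-2.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Parse one multi-line checksum field of a .changes file.

    Returns {filename: (hexdigest, size)}.  The same loop serves
    Checksums-Sha1, Checksums-Sha256 and the md5-based Files field: the
    digest is the first token, the size the second and the file name the
    last token of each continuation line (Files carries section and
    priority in between, which are simply skipped).
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            if line.split(":", 1)[0] == field:
                in_field = True
            continue
        if not line.startswith(" "):      # next field begins: stop
            break
        parts = line.split()
        if len(parts) < 3:
            continue
        entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def verify_files(entries, directory, algo="sha256"):
    """Check each listed file under directory.

    Both the size and the digest must match; a file that is absent is
    reported rather than silently skipped.  Returns
    {filename: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    """
    results = {}
    for name, (expected_digest, expected_size) in entries.items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != expected_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected_digest else "digest-mismatch"
    return results


def demo():
    """Constructed end-to-end run (hypothetical package names): one file is
    intact, one was altered after the listing was made but kept the same
    size, and one was never downloaded."""
    good = b"intact package payload\n"
    original = b"original payload\n"
    listing = "Checksums-Sha256:\n"
    listing += " %s %d good_1.0-1_amd64.deb\n" % (hashlib.sha256(good).hexdigest(), len(good))
    listing += " %s %d tampered_1.0-1_amd64.deb\n" % (hashlib.sha256(original).hexdigest(), len(original))
    listing += " %s %d absent_1.0-1_amd64.deb\n" % ("0" * 64, 10)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good_1.0-1_amd64.deb"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered_1.0-1_amd64.deb"), "wb") as f:
            f.write(b"modified payload\n")   # same length as original, different bytes
        return verify_files(parse_checksums(listing), d)


if __name__ == "__main__":
    print(parse_checksums(CHANGES_EXCERPT))
    print(demo())
```

The digests only say something once the signature over the .changes file itself has been checked (the record above is a PGP signed message); an unsigned or unverified listing can be rewritten together with the files it describes. Checking the size before hashing is a cheap early reject for truncated downloads, and the SHA-256 field should be preferred over the MD5-based Files field wherever both are present.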





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Apr 2012 07:50:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:54 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.