CVE-2009-0689: remote array overrun

Debian Bug report logs - #559265
CVE-2009-0689: remote array overrun

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2009-0689: remote array overrun

Date: Thu, 03 Dec 2009 09:17:39 +0100

Package: kdelibs
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs.

CVE-2009-0689[0]:
| The gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc in
| FreeBSD 6.4 and 7.2, NetBSD 5.0, and OpenBSD 4.5, and as used in
| K-Meleon 1.5.3, SeaMonkey 1.1.8, and possibly other products; and  allows
| context-dependent attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a large precision
| value in the format argument to a printf function, related to an
| "array overrun."


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689
    http://security-tracker.debian.org/tracker/CVE-2009-0689
    Patch: http://websvn.kde.org/branches/KDE/4.3/kdelibs/kjs/dtoa.cpp?r1=1052100&r2=1052099&pathrev=1052100

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksXdCAACgkQNxpp46476aoAFQCfcVSi8/FMB1hTSoo8u3WbaS/p
l60AnjmZX31dSO8QB2hCsDP/EvRlCluA
=2TCu
-----END PGP SIGNATURE-----

Message #10 received at 559265-close@bugs.debian.org (full text, mbox, reply):

From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>

To: 559265-close@bugs.debian.org

Subject: Bug#559265: fixed in kdelibs 4:3.5.10.dfsg.1-3

Date: Mon, 04 Jan 2010 19:03:45 +0000

Source: kdelibs
Source-Version: 4:3.5.10.dfsg.1-3

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.10.dfsg.1-3_all.deb
  to main/k/kdelibs/kdelibs-data_3.5.10.dfsg.1-3_all.deb
kdelibs-dbg_3.5.10.dfsg.1-3_amd64.deb
  to main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-3_amd64.deb
kdelibs4-dev_3.5.10.dfsg.1-3_amd64.deb
  to main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-3_amd64.deb
kdelibs4-doc_3.5.10.dfsg.1-3_all.deb
  to main/k/kdelibs/kdelibs4-doc_3.5.10.dfsg.1-3_all.deb
kdelibs4c2a_3.5.10.dfsg.1-3_amd64.deb
  to main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-3_amd64.deb
kdelibs_3.5.10.dfsg.1-3.diff.gz
  to main/k/kdelibs/kdelibs_3.5.10.dfsg.1-3.diff.gz
kdelibs_3.5.10.dfsg.1-3.dsc
  to main/k/kdelibs/kdelibs_3.5.10.dfsg.1-3.dsc
kdelibs_3.5.10.dfsg.1-3_all.deb
  to main/k/kdelibs/kdelibs_3.5.10.dfsg.1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Jan 2010 18:32:06 +0100
Source: kdelibs
Binary: kdelibs kdelibs-data kdelibs4c2a kdelibs4-dev kdelibs4-doc kdelibs-dbg
Architecture: source all amd64
Version: 4:3.5.10.dfsg.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 556564 559265
Changes: 
 kdelibs (4:3.5.10.dfsg.1-3) unstable; urgency=high
 .
   +++ Changes by Scott Kitterman (patches from Kubuntu):
 .
   * SECURITY UPDATE: fix buffer overflow when converting string to float.
     - debian/patches/CVE-2009-0689.diff: adjust Kmax to handle large field
       numbers in kjs/dtoa.cpp (Closes: #559265)
     - CVE-2009-0689
   * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability.
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
   * Fix FTBFS with gcc 4.4.
    - Add debian/patches/gcc4.4_ftbfs.diff (Closes: #556564)
   * Update Vcs* in debian/control for new location.
 .
   +++ Changes by Ana Beatriz Guerrero Lopez:
 .
   * Add a depend on ${shlibs:Depends} to kdelibs5-dev to make lintian happy.
   * Remove Sune from Uploaders per his request.
   * Update Armin and Modestas emails.
Checksums-Sha1: 
 a4637bf1f4ac44ed68da85a9630c9cf98dcb5c91 2216 kdelibs_3.5.10.dfsg.1-3.dsc
 8277a9c5e49eae9d16a82c0064f2dee613b24534 659276 kdelibs_3.5.10.dfsg.1-3.diff.gz
 8bb95e397adf158f941cac0496634b813e3b90e0 30624 kdelibs_3.5.10.dfsg.1-3_all.deb
 dbcca14831cda9ea91faf012102a6653c0c10045 8684756 kdelibs-data_3.5.10.dfsg.1-3_all.deb
 1016e3f6b95c12106251027e301d49387f9bb965 26203434 kdelibs4-doc_3.5.10.dfsg.1-3_all.deb
 53d5ee77b9bbc9d6d713139dfdd670035e741994 11081576 kdelibs4c2a_3.5.10.dfsg.1-3_amd64.deb
 33a5e4661e7341577e7a8e87f8bf98e2a5d680ab 1450462 kdelibs4-dev_3.5.10.dfsg.1-3_amd64.deb
 bb6711100910d0462588061408d5cd4d4ab7008e 27204292 kdelibs-dbg_3.5.10.dfsg.1-3_amd64.deb
Checksums-Sha256: 
 f1f09a5e676349e89b010e87abb6bb95acd2a76a20033dc2c64f496a70d8c531 2216 kdelibs_3.5.10.dfsg.1-3.dsc
 068345a1a3a49f2c7e8deca13d296fb88dd8d609866286953c31744ecd99b27e 659276 kdelibs_3.5.10.dfsg.1-3.diff.gz
 812393b648d862de4373fceeed96bfa95b4cd535dbe6c92d4f12168d8da9f750 30624 kdelibs_3.5.10.dfsg.1-3_all.deb
 f095bf03950b71cb61751ee1e2a8ca4ba9b68ad51fdcbfbfb9013ee190ddcd36 8684756 kdelibs-data_3.5.10.dfsg.1-3_all.deb
 26b671c47f335800012bafaf2dd8e85b83e5b10ada5e1b528d0b7f38786c8f8c 26203434 kdelibs4-doc_3.5.10.dfsg.1-3_all.deb
 bf8a88e4d0f5bb990ad4ada3546e4daa30a36fb57dee34573067f46080256c83 11081576 kdelibs4c2a_3.5.10.dfsg.1-3_amd64.deb
 431beb3366fb49f12e0c46a3ee1bcd7adb0270bed16184a8bf5b1938d284b69f 1450462 kdelibs4-dev_3.5.10.dfsg.1-3_amd64.deb
 c7dcbb57fe2b03d5b0cd62173f208e9c49f130305c45751dfd6bcdf4acac1f3d 27204292 kdelibs-dbg_3.5.10.dfsg.1-3_amd64.deb
Files: 
 83bb815571aade5cd1a0824e64bbca60 2216 libs optional kdelibs_3.5.10.dfsg.1-3.dsc
 b4388720f20495326a4dce83ef4b022e 659276 libs optional kdelibs_3.5.10.dfsg.1-3.diff.gz
 dd3f5a9812fcade5fa04d707038da8fc 30624 libs optional kdelibs_3.5.10.dfsg.1-3_all.deb
 e67df5cd348efc1f034b6594b1fd10e5 8684756 libs optional kdelibs-data_3.5.10.dfsg.1-3_all.deb
 9c51088abe70a295e9bb2786fcaaa62a 26203434 doc optional kdelibs4-doc_3.5.10.dfsg.1-3_all.deb
 11bc40bb76ea42c58dfb7c6d9b7e3b8b 11081576 libs optional kdelibs4c2a_3.5.10.dfsg.1-3_amd64.deb
 d267c3a1c9a79f192b2f642833cc7bcd 1450462 libdevel optional kdelibs4-dev_3.5.10.dfsg.1-3_amd64.deb
 c9fd9dc0eacfa5a9d531d32362de88a2 27204292 libdevel extra kdelibs-dbg_3.5.10.dfsg.1-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Signed by Ana Guerrero

iEYEARECAAYFAktCNRMACgkQn3j4POjENGG/mgCcCXLQd6CY+mZzvGEGd5t55uoM
bMoAniULTaHmcqzjbKtv22VHNydK5mp+
=WTTA
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.