Debian Bug report logs -
#601525
plt-scheme embeds a vulnerable version of libgd 2.x
Reported by: Silvio Cesare <silvio.cesare@gmail.com>
Date: Wed, 27 Oct 2010 02:36:01 UTC
Severity: important
Tags: fixed-upstream, security
Found in version plt-scheme/4.0.1-2
Fixed in version racket/5.0.2-1
Done: James Vega <jamessan@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#601525; Package plt-scheme.
(Wed, 27 Oct 2010 02:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Silvio Cesare <silvio.cesare@gmail.com>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>.
(Wed, 27 Oct 2010 02:36:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: plt-scheme
Version: 4.0.1-2
Severity: important
Tags: security
plt-scheme embeds a vulnerable version of libgd 2.x and appears to have the
following present
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546. I have looked
at gd_gd.c and it appears the following patch has not been applied
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/gd/libgd/gd_gd.c?r1=289557&r2=289556&pathrev=289557.
There might be other CVEs which are relevant, but I have not investigated
further.
Ideally, plt-scheme could use the system wide gd library and not link in the
embedded copy.
[Message part 2 (text/html, inline)]
Added tag(s) fixed-upstream.
Request was from James Vega <jamessan@debian.org>
to control@bugs.debian.org.
(Sun, 06 Feb 2011 15:39:05 GMT) (full text, mbox, link).
Reply sent
to James Vega <jamessan@debian.org>:
You have taken responsibility.
(Wed, 20 Apr 2011 02:15:09 GMT) (full text, mbox, link).
Notification sent
to Silvio Cesare <silvio.cesare@gmail.com>:
Bug acknowledged by developer.
(Wed, 20 Apr 2011 02:15:09 GMT) (full text, mbox, link).
Message #12 received at 601525-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: racket
Source-Version: 5.0.2-1
This bug was closed by the recent upload, but we forgot to add the closes to
the changelog (or use the proper -v flag when building). Below are the
changelogs for the uploads.
racket (5.1+dfsg1-1) unstable; urgency=low
* New upstream version, plus DFSG compliance modifications.
+ Thanks to Eli Barzilay of the PLT Scheme team for making a big effort
of contacting people and updating licensing.
* Build with HOME=/nonexistant. This prevents collects installed in user
home directories from interfering with the build.
* Use parallel=n to control collects build parallelism.
-- David Bremner <bremner@debian.org> Thu, 31 Mar 2011 19:34:19 -0300
racket (5.0.2-1) experimental; urgency=low
[ David Bremner ]
* New Upsteam version (Closes: #592688)
+ Fix FTBFS on mips with recent GCC. (Closes: #598615)
[ James Vega ]
* Update watch file with new upstream URL.
* debian/rules:
+ Show which garbage collector the racket package was built with.
+ Use correct name for mzdyn based on which garbage collector was used.
-- James Vega <jamessan@debian.org> Fri, 19 Nov 2010 21:22:13 -0500
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 23 May 2011 07:34:37 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:35:24 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon