Debian Bug report logs - #574418
barnowl: CVE-2010-0793 buffer overflow
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Thu, 18 Mar 2010 02:33:01 UTC
Severity: grave
Tags: security
Found in versions barnowl/1.0.1-4, barnowl/1.5-1
Fixed in versions barnowl/1.5.1-1, barnowl/1.0.1-4+lenny1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#574418; Package barnowl. (Thu, 18 Mar 2010 02:33:04 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Thu, 18 Mar 2010 02:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: barnowl
Version: 1.0.1-4
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for barnowl.
CVE-2010-0793[0]:
| Buffer overflow in BarnOwl before 1.5.1 allows remote attackers to
| cause a denial of service (crash) and possibly execute arbitrary code
| via a crafted CC: header.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0793
http://security-tracker.debian.org/tracker/CVE-2010-0793
Bug marked as found in versions barnowl/1.5-1. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Thu, 18 Mar 2010 12:21:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#574418; Package barnowl. (Thu, 18 Mar 2010 17:48:03 GMT)
Acknowledgement sent to Sam Hartman <hartmans@debian.org>: Extra info received and forwarded to list. (Thu, 18 Mar 2010 17:48:03 GMT)
Message #12 received at submit@bugs.debian.org:
Thanks for the note.
Obviously I'll upload new packages.
I'm suspecting that this probably can't be used to execute arbitrary
code in unstable and testing because barnowl there is built with
fortify_source and stack protector. However stable is too old for that.
--Sam
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#574418; Package barnowl. (Thu, 18 Mar 2010 17:48:05 GMT)
Acknowledgement sent to Sam Hartman <hartmans@debian.org>: Extra info received and forwarded to list. (Thu, 18 Mar 2010 17:48:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#574418; Package barnowl. (Sat, 27 Mar 2010 04:42:03 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sat, 27 Mar 2010 04:42:03 GMT)
Message #22 received at 574418@bugs.debian.org:
Hi Sam
Could you prepare updated packages for lenny and send a debdiff? We'll need to
release a DSA for this issue.
Cheers
Steffen
Reply sent to Sam Hartman <hartmans@debian.org>: You have taken responsibility. (Tue, 06 Apr 2010 04:21:14 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Tue, 06 Apr 2010 04:21:14 GMT)
Message #27 received at 574418-close@bugs.debian.org:
Source: barnowl
Source-Version: 1.5.1-1
We believe that the bug you reported is fixed in the latest version of
barnowl, which is due to be installed in the Debian FTP archive:
barnowl_1.5.1-1.diff.gz
to main/b/barnowl/barnowl_1.5.1-1.diff.gz
barnowl_1.5.1-1.dsc
to main/b/barnowl/barnowl_1.5.1-1.dsc
barnowl_1.5.1-1_i386.deb
to main/b/barnowl/barnowl_1.5.1-1_i386.deb
barnowl_1.5.1.orig.tar.gz
to main/b/barnowl/barnowl_1.5.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 574418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated barnowl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 05 Apr 2010 16:33:43 -0400
Source: barnowl
Binary: barnowl
Architecture: source i386
Version: 1.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
barnowl - A curses-based tty Jabber, IRC, AIM and Zephyr client
Closes: 574418
Changes:
barnowl (1.5.1-1) unstable; urgency=low
.
* New upstream release, including solution to cve-2010-0793, Closes:
#574418
Checksums-Sha1:
efaafa78adfee43622c705e157d9f8b84d8a8558 1262 barnowl_1.5.1-1.dsc
e5c80301c6376d59827b7b800a7d405a6537481b 826453 barnowl_1.5.1.orig.tar.gz
9cc20c69f67c455e2e7fa57c93e2791ed17bde0d 5738 barnowl_1.5.1-1.diff.gz
c5795b4193a1e27dbc4e0c61bca4771fdc65bc92 491696 barnowl_1.5.1-1_i386.deb
Checksums-Sha256:
2511654a7c4a7fb8a3b45ec5c8a267a0935937cdc87f3c205802516a1d69919b 1262 barnowl_1.5.1-1.dsc
e25e9fcc52c9c25f964b21e5e35fe3b476bd1b2f2d2d50dcc9fc0084cd0b5168 826453 barnowl_1.5.1.orig.tar.gz
bf6a196254f29fe75b771f86eb0d7f8e00afd9841c7a0598fb190d44c4399e1e 5738 barnowl_1.5.1-1.diff.gz
c47fa473241b71f53cd05b0ad8da6bfd23f00c4ffff90ce8032296eb6fb8b6c6 491696 barnowl_1.5.1-1_i386.deb
Files:
078667bbe95d4a1a59f5dd2639158cb3 1262 net optional barnowl_1.5.1-1.dsc
a18a94cf4f3647e92d802104d2ed4baf 826453 net optional barnowl_1.5.1.orig.tar.gz
16db43bb6549233cbbab005e849e10ca 5738 net optional barnowl_1.5.1-1.diff.gz
401cf3ef3a72ab1f4ac45c0702732d63 491696 net optional barnowl_1.5.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAku6YMsACgkQ/I12czyGJg/dAQCdFL6qDli44k94m7ZFtDIaGeJG
pnUAoNJKVcLcntSMVU+ofawJeo1aHTiR
=uGUQ
-----END PGP SIGNATURE-----
Reply sent to Steffen Joeris <white@debian.org>: You have taken responsibility. (Tue, 25 May 2010 01:57:03 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Tue, 25 May 2010 01:57:03 GMT)
Message #32 received at 574418-close@bugs.debian.org:
Source: barnowl
Source-Version: 1.0.1-4+lenny1
We believe that the bug you reported is fixed in the latest version of
barnowl, which is due to be installed in the Debian FTP archive:
barnowl-irc_1.0.1-4+lenny1_all.deb
to main/b/barnowl/barnowl-irc_1.0.1-4+lenny1_all.deb
barnowl_1.0.1-4+lenny1.diff.gz
to main/b/barnowl/barnowl_1.0.1-4+lenny1.diff.gz
barnowl_1.0.1-4+lenny1.dsc
to main/b/barnowl/barnowl_1.0.1-4+lenny1.dsc
barnowl_1.0.1-4+lenny1_i386.deb
to main/b/barnowl/barnowl_1.0.1-4+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 574418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated barnowl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 10 May 2010 20:04:06 +1000
Source: barnowl
Binary: barnowl barnowl-irc
Architecture: source all i386
Version: 1.0.1-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
barnowl - A curses-based tty Jabber and Zephyr client
barnowl-irc - Provide IRC support for the BarnOwl Zephyr client
Closes: 574418
Changes:
barnowl (1.0.1-4+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix buffer overflow in message.c (Closes: #574418)
Fixes: CVE-2010-0793
Checksums-Sha1:
b9cf5fb0ad911b76e3c31dae6b2269c8e46ea0df 1128 barnowl_1.0.1-4+lenny1.dsc
8ed96374577a35d7524779aa2087459e864f4e79 6186 barnowl_1.0.1-4+lenny1.diff.gz
2e6669872da8032ec461f0249ebeb8e0a9499bec 38992 barnowl-irc_1.0.1-4+lenny1_all.deb
621ede9cd199d40f4b9ce494a574104c0fd443d0 468636 barnowl_1.0.1-4+lenny1_i386.deb
Checksums-Sha256:
2145f2818ec6d7923ea8d57f17a6fc478a33917453490a38a2af57430191c9a4 1128 barnowl_1.0.1-4+lenny1.dsc
42386cde2830bd5cd0c7980072724c7a634e4f823f30bd978d2375ccdfa1ee72 6186 barnowl_1.0.1-4+lenny1.diff.gz
49ee6417f0aa75c0b8829c09229d923ae49f79f0df61d6a946fd54f8a12b0ff7 38992 barnowl-irc_1.0.1-4+lenny1_all.deb
5f7d1a93f865fd9b55e8ced8adfd92d9e708e85835c23c766fdb03caca7fdf19 468636 barnowl_1.0.1-4+lenny1_i386.deb
Files:
c005716429cc93f9aa13ecc32e9a83a8 1128 net optional barnowl_1.0.1-4+lenny1.dsc
431a62342081785abeac1d6f27cca56e 6186 net optional barnowl_1.0.1-4+lenny1.diff.gz
662b9a48a4daf355222980b4b77e1dfe 38992 net extra barnowl-irc_1.0.1-4+lenny1_all.deb
b4d0478d392975c7c10bf1bc5a8db665 468636 net optional barnowl_1.0.1-4+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkvn3TcACgkQ62zWxYk/rQeEdgCghIlk0CJD2ZxMvj7vxD9E1YWg
Sc4AnjtZK5y/t8ZYtVT2Gcq4ChyNkq5X
=O8uW
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:33:39 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:35:32 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.