freeciv: CVE-2012-5645

Related Vulnerabilities: CVE-2012-5645   CVE-2012-6083  

Debian Bug report logs - #696306

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 19 Dec 2012 07:09:01 UTC

Severity: important

Tags: security

Fixed in version freeciv/2.3.4-1

Done: Clint Adams <clint@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Wed, 19 Dec 2012 07:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 19 Dec 2012 07:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freeciv: CVE-2012-5645
Date: Wed, 19 Dec 2012 08:02:52 +0100

Package: freeciv
Severity: important
Tags: security

Hi,
please see http://aluigi.altervista.org/adv/freecivet-adv.txt

Bug: http://gna.org/bugs/?20003

Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670

Please make an isolated upload with the security fix to unstable and
ask the release managers for an unblock by filing a bug against
release.debian.org

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Wed, 19 Dec 2012 11:42:03 GMT)


Acknowledgement sent to Marko Lindqvist <cazfi74@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 19 Dec 2012 11:42:03 GMT)


Message #10 received at 696306@bugs.debian.org:

From: Marko Lindqvist <cazfi74@gmail.com>
To: 696306@bugs.debian.org
Subject: Re: Bug#696306: freeciv: CVE-2012-5645
Date: Wed, 19 Dec 2012 13:38:30 +0200

On 19 December 2012 09:02, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Package: freeciv
> Severity: important
> Tags: security
>
> Hi,
> please see http://aluigi.altervista.org/adv/freecivet-adv.txt

 That's two issues...

> Bug: http://gna.org/bugs/?20003

 ... reported in one freeciv ticket.

 That CVE is a bit unfortunate that it (currently) has description
containing both parts but fix provided is only one part. I think it's
quite likely that they will assign new CVE for the other half to sort
this out.

> Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670

 Patch from stable S2_3 branch (where 2.3.x releases come from):
http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672

 And the other fix not listed in CVE: trunk:
http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 /
S2_3: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703

> Please make an isolated upload with the security fix to unstable and
> ask the release managers for an unblock by filing a bug against
> release.debian.org
>
> Cheers,
>         Moritz


 - ML



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Wed, 02 Jan 2013 07:39:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 02 Jan 2013 07:39:06 GMT)


Message #15 received at 696306@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Marko Lindqvist <cazfi74@gmail.com>
Cc: 696306@bugs.debian.org
Subject: Re: Bug#696306: freeciv: CVE-2012-5645
Date: Wed, 2 Jan 2013 08:31:12 +0100

On Wed, Dec 19, 2012 at 01:38:30PM +0200, Marko Lindqvist wrote:
> On 19 December 2012 09:02, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > Package: freeciv
> > Severity: important
> > Tags: security
> >
> > Hi,
> > please see http://aluigi.altervista.org/adv/freecivet-adv.txt
> 
>  That's two issues...
> 
> > Bug: http://gna.org/bugs/?20003
> 
>  ... reported in one freeciv ticket.
> 
>  That CVE is a bit unfortunate that it (currently) has description
> containing both parts but fix provided is only one part. I think it's
> quite likely that they will assign new CVE for the other half to sort
> this out.
> 
> > Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670
> 
>  Patch from stable S2_3 branch (where 2.3.x releases come from):
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672
> 
>  And the other fix not listed in CVE: trunk:
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 /
> S2_3: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703

FTR, the additional issue has been assigned CVE-2012-6083:
http://www.openwall.com/lists/oss-security/2012/12/31/2

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Wed, 06 Mar 2013 18:09:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 06 Mar 2013 18:09:06 GMT)


Message #20 received at 696306@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Marko Lindqvist <cazfi74@gmail.com>
Cc: 696306@bugs.debian.org
Subject: Re: Bug#696306: freeciv: CVE-2012-5645
Date: Wed, 6 Mar 2013 19:03:24 +0100

On Wed, Jan 02, 2013 at 08:31:12AM +0100, Moritz Muehlenhoff wrote:
> On Wed, Dec 19, 2012 at 01:38:30PM +0200, Marko Lindqvist wrote:
> > On 19 December 2012 09:02, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > > Package: freeciv
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > > please see http://aluigi.altervista.org/adv/freecivet-adv.txt
> > 
> >  That's two issues...
> > 
> > > Bug: http://gna.org/bugs/?20003
> > 
> >  ... reported in one freeciv ticket.
> > 
> >  That CVE is a bit unfortunate that it (currently) has description
> > containing both parts but fix provided is only one part. I think it's
> > quite likely that they will assign new CVE for the other half to sort
> > this out.
> > 
> > > Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670
> > 
> >  Patch from stable S2_3 branch (where 2.3.x releases come from):
> > http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672
> > 
> >  And the other fix not listed in CVE: trunk:
> > http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 /
> > S2_3: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703
> 
> FTR, the additional issue has been assigned CVE-2012-6083:
> http://www.openwall.com/lists/oss-security/2012/12/31/2

Freeciv maintainers,
it's been two months. Can you please upload a fixed package?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Wed, 06 Mar 2013 19:00:03 GMT)


Acknowledgement sent to jacobn+debian@chiark.greenend.org.uk:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Wed, 06 Mar 2013 19:00:03 GMT)


Message #25 received at 696306@bugs.debian.org:

From: Jacob Nevins <jacobn+debian@chiark.greenend.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Marko Lindqvist <cazfi74@gmail.com>, 696306@bugs.debian.org
Subject: Re: Bug#696306: freeciv: CVE-2012-5645
Date: Wed, 6 Mar 2013 18:58:03 +0000

Moritz Muehlenhoff:
> Freeciv maintainers,
> it's been two months. Can you please upload a fixed package?

For the avoidance of doubt (sorry if you knew this):

No-one you've emailed directly is a Debian maintainer (Marko is
upstream).

We (upstream) made a new release fixing both CVE-2012-5645 and
CVE-2012-6083 on 8th Dec (2.3.3). Since then we've made another release
(2.3.4 on 16th Feb). See #699296 where I request that Debian take these
updates into at least unstable.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Sun, 14 Apr 2013 10:30:12 GMT)


Acknowledgement sent to Karl Goetz <karl@kgoetz.id.au>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Sun, 14 Apr 2013 10:30:12 GMT)


Message #30 received at 696306@bugs.debian.org:

From: Karl Goetz <karl@kgoetz.id.au>
To: 696306@bugs.debian.org
Subject: Unable to assist at the moment
Date: Sun, 14 Apr 2013 20:26:51 +1000

Hi,
As the last uploader, sorry about not getting involved in this. I am not currently about to commit to helping with this but now I have seen the bugs I will try and find time in the next few weeks. I appreciate this will be too late for the release.
Thanks,
Kk

Reply sent to Clint Adams <clint@debian.org>:
You have taken responsibility. (Sun, 28 Jul 2013 21:09:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 28 Jul 2013 21:09:05 GMT)


Message #35 received at 696306-close@bugs.debian.org:

From: Clint Adams <clint@debian.org>
To: 696306-close@bugs.debian.org
Subject: Bug#696306: fixed in freeciv 2.3.4-1
Date: Sun, 28 Jul 2013 21:04:25 +0000

Source: freeciv
Source-Version: 2.3.4-1

We believe that the bug you reported is fixed in the latest version of
freeciv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Clint Adams <clint@debian.org> (supplier of updated freeciv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 Jul 2013 15:40:34 -0400
Source: freeciv
Binary: freeciv-server freeciv-client-xaw3d freeciv-client-gtk freeciv-client-sdl freeciv-client-extras freeciv-data freeciv-sound-standard
Architecture: source all
Version: 2.3.4-1
Distribution: unstable
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Clint Adams <clint@debian.org>
Description:
 freeciv-client-extras - Civilization turn based strategy game (miscellaneous extras)
 freeciv-client-gtk - Civilization turn based strategy game (GTK+ client)
 freeciv-client-sdl - Civilization turn based strategy game (SDL client)
 freeciv-client-xaw3d - Civilization turn based strategy game (Xaw3D client)
 freeciv-data - Civilization turn based strategy game (game data)
 freeciv-server - Civilization turn based strategy game (server files)
 freeciv-sound-standard - Civilization turn based strategy game (standard sound pack)
Closes: 696306 699296
Changes:
 freeciv (2.3.4-1) unstable; urgency=low
 .
   * New upstream version.  closes: #699296.
     - Fixes CVE-2012-5645.  closes: #696306.
     - Fixes CVE-2012-6083.
   * Bump to Standards-Version 3.9.4.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#696306; Package freeciv. (Mon, 29 Jul 2013 11:54:04 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 29 Jul 2013 11:54:04 GMT)


Message #40 received at 696306@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 696306@bugs.debian.org
Subject: Re: freeciv: CVE-2012-5645
Date: Mon, 29 Jul 2013 11:15:02 -0000

Package: freeciv

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/696306/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Sep 2013 07:26:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:51:10 2019; Machine Name: buxtehude
