Debian Bug report logs -
#528510
cscope: CVE-2009-0148 multiple buffer overflows
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 13 May 2009 11:06:04 UTC
Severity: grave
Tags: security
Fixed in version cscope/15.7a-1
Done: Tobias Klauser <tklauser@distanz.ch>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Tobias Klauser <tklauser@distanz.ch>:
Bug#528510; Package cscope.
(Wed, 13 May 2009 11:06:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Tobias Klauser <tklauser@distanz.ch>.
(Wed, 13 May 2009 11:06:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: cscope
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cscope.
CVE-2009-0148[0]:
| Multiple buffer overflows in Cscope before 15.7a allow remote
| attackers to execute arbitrary code via long strings in input such as
| (1) source-code tokens and (2) pathnames, related to integer overflows
| in some cases. NOTE: this issue exists because of an incomplete fix
| for CVE-2004-2541.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0148
http://security-tracker.debian.net/tracker/CVE-2009-0148
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Tobias Klauser <tklauser@distanz.ch>:
You have taken responsibility.
(Tue, 09 Jun 2009 12:36:07 GMT) (full text, mbox, link).
Notification sent
to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
(Tue, 09 Jun 2009 12:36:07 GMT) (full text, mbox, link).
Message #10 received at 528510-close@bugs.debian.org (full text, mbox, reply):
Source: cscope
Source-Version: 15.7a-1
We believe that the bug you reported is fixed in the latest version of
cscope, which is due to be installed in the Debian FTP archive:
cscope_15.7a-1.diff.gz
to pool/main/c/cscope/cscope_15.7a-1.diff.gz
cscope_15.7a-1.dsc
to pool/main/c/cscope/cscope_15.7a-1.dsc
cscope_15.7a-1_i386.deb
to pool/main/c/cscope/cscope_15.7a-1_i386.deb
cscope_15.7a.orig.tar.gz
to pool/main/c/cscope/cscope_15.7a.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 528510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Klauser <tklauser@distanz.ch> (supplier of updated cscope package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 24 May 2009 12:13:47 +0200
Source: cscope
Binary: cscope
Architecture: source i386
Version: 15.7a-1
Distribution: unstable
Urgency: high
Maintainer: Tobias Klauser <tklauser@distanz.ch>
Changed-By: Tobias Klauser <tklauser@distanz.ch>
Description:
cscope - Interactively examine a C program source
Closes: 515164 528510
Changes:
cscope (15.7a-1) unstable; urgency=high
.
* New upstream release.
- Security update for CVE-2009-0148 to fix multiple buffer overflows
(Closes: #528510).
- Drop 01-fix-resize-crash-inside-vim.dpatch, merged upstream.
* Correctly install xcscope.el via dh_installemacsen (Closes: #515164).
* Update to Standards-Version 3.8.1, no changes needed.
Checksums-Sha1:
c8639b506d3ee332858005d17cbf95ad9d3093ed 1149 cscope_15.7a-1.dsc
33d3dd36dcca95ce199d2ad07d7fa9fce2e9a6f9 429251 cscope_15.7a.orig.tar.gz
e008766343ea64ddb0edd621281b86fe7494c1ac 16951 cscope_15.7a-1.diff.gz
11ad2a03d3b35c444d0f8fa3a4cc83d1128fcd6a 153178 cscope_15.7a-1_i386.deb
Checksums-Sha256:
2804ca570f12af4637a6db2356e34b4ccc07f26dd1f5cfc8a8d171ba86fafd6f 1149 cscope_15.7a-1.dsc
1f04362e865b9ab2b470f0845531111881e76b55f68d7892b15ddbc38641fe26 429251 cscope_15.7a.orig.tar.gz
e25fd9c86fe8dc464b8409aa76a0bb5cfba534f1599409aa8bd71e2dcb156376 16951 cscope_15.7a-1.diff.gz
d5157e663cba6ca965c47dd868cdab591a365853b7311f52eec6060320652204 153178 cscope_15.7a-1_i386.deb
Files:
4896c50a763f012c3a4bb72c2812742e 1149 devel optional cscope_15.7a-1.dsc
90d1b66dafa355307195c7153cec6d5c 429251 devel optional cscope_15.7a.orig.tar.gz
018a295298250bec6cc09e717a90a7f9 16951 devel optional cscope_15.7a-1.diff.gz
652128d8315683ee56849da1248bb426 153178 devel optional cscope_15.7a-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkouT6kACgkQ+C5cwEsrK54pPgCfW8EtWsiZ6nxhS4lHWw0c4Y5+
JJsAn0x3wzSWxAG9GS0NFSxQFLdV52On
=8vJx
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 10 Jul 2009 07:27:15 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:06:05 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon