unrtf: CVE-2014-9274 CVE-2014-9275

Related Vulnerabilities: CVE-2014-9274   CVE-2014-9275  

Debian Bug report logs - #772811
unrtf: CVE-2014-9274 CVE-2014-9275


Package: unrtf; Maintainer for unrtf is Willi Mann <willi@debian.org>; Source for unrtf is src:unrtf.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 11 Dec 2014 11:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions unrtf/0.19.3-1, unrtf/0.21.5-1

Fixed in versions unrtf/0.21.8-clean-1, unrtf/0.21.5-2, unrtf/0.19.3-1.1+deb6u1, unrtf/0.21.5-3~deb7u1

Done: Willi Mann <willi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Willi Mann <willi@debian.org>:
Bug#772811; Package unrtf. (Thu, 11 Dec 2014 11:21:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Willi Mann <willi@debian.org>. (Thu, 11 Dec 2014 11:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Thu, 11 Dec 2014 12:16:55 +0100
Package: unrtf
Severity: grave
Tags: security

Please see http://www.openwall.com/lists/oss-security/2014/12/03/4
for more information and references to patches.

Cheers,
        Moritz



Marked as found in versions unrtf/0.19.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Dec 2014 11:45:15 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Dec 2014 11:45:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772811; Package unrtf. (Sun, 14 Dec 2014 09:15:06 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Sun, 14 Dec 2014 09:15:06 GMT)


Message #14 received at 772811@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: daved@physiol.usyd.edu.au, 772811@bugs.debian.org, 772811-forwarded@bugs.debian.org
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Sun, 14 Dec 2014 10:10:58 +0100
Hi Dave,

does 0.21.7 solve both security issues reported? If yes, could you
send me the individual patches that fix these issues? The Debian branch
for the next stable distribution is already frozen, so I cannot fix
these bugs with new upstream versions.

thanks
Willi

On 2014-12-11 at 12:16, Moritz Muehlenhoff wrote:
> Package: unrtf
> Severity: grave
> Tags: security
> 
> Please see http://www.openwall.com/lists/oss-security/2014/12/03/4
> for more information and references to patches.
> 
> Cheers,
>         Moritz
> 




Reply sent to Willi Mann <willi@debian.org>:
You have marked Bug as forwarded. (Sun, 14 Dec 2014 09:15:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#772811; Package unrtf. (Sun, 21 Dec 2014 14:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sun, 21 Dec 2014 14:09:04 GMT)


Message #22 received at 772811@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Willi Mann <willi@debian.org>, 772811@bugs.debian.org
Cc: daved@physiol.usyd.edu.au
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Sun, 21 Dec 2014 15:08:00 +0100
Hi Willi,

On Sun, Dec 14, 2014 at 10:10:58AM +0100, Willi Mann wrote:
> Hi Dave,
> 
> does 0.21.7 solve both security issues reported? If yes, could you
> send me the individual patches that fix these issues? The Debian branch
> for the next stable distribution is already frozen, so I cannot fix
> these bugs with new upstream versions.

The three required commits are referenced now in Red Hat's Bugzilla
entry at [1].

 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1170233

> Jean-Francois Dockes proposed fixes for both CVEs.
> 
> CVE-2014-9274 is addressed by
> https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00000.html
> 
> CVE-2014-9275 is addressed by
> https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
> 
> All three changes were incorporated upstream and shipped as a part of unrtf
> 0.21.6. (http://hg.savannah.gnu.org/hgweb/unrtf/rev/891c2f431c90)

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#772811; Package unrtf. (Sun, 21 Dec 2014 14:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sun, 21 Dec 2014 14:36:05 GMT)


Message #27 received at 772811@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 772811@bugs.debian.org
Cc: Willi Mann <willi@debian.org>, daved@physiol.usyd.edu.au
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Sun, 21 Dec 2014 15:32:06 +0100
Control: tags -1 + patch

Hi Willi

Attached are two patches separated per CVEs.

Regards,
Salvatore
[CVE-2014-9274.patch (text/x-diff, attachment)]
[CVE-2014-9275.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 772811-submit@bugs.debian.org. (Sun, 21 Dec 2014 14:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#772811; Package unrtf. (Sun, 21 Dec 2014 14:45:04 GMT)


Acknowledgement sent to Dave Davey <daved@windclimber.id.au>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sun, 21 Dec 2014 14:45:04 GMT)


Message #34 received at 772811@bugs.debian.org:

From: Dave Davey <daved@windclimber.id.au>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Willi Mann <willi@debian.org>, 772811@bugs.debian.org, daved@physiol.usyd.edu.au
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Mon, 22 Dec 2014 01:41:50 +1100
On Sun, Dec 21, 2014 at 03:08:00PM +0100, Salvatore Bonaccorso wrote:
> Hi Willi,
> 
> On Sun, Dec 14, 2014 at 10:10:58AM +0100, Willi Mann wrote:
> > Hi Dave,
> > 
> > does 0.21.7 solve both security issues reported? If yes, could you
> > send me the individual patches that fix these issues? The Debian branch
> > for the next stable distribution is already frozen, so I cannot fix
> > these bugs with new upstream versions.
> 
> The three required commits are referenced now in Red Hat's Bugzilla
> entry at [1].
> 
>  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1170233
> 
> > Jean-Francois Dockes proposed fixes for both CVEs.
> > 
> > CVE-2014-9274 is addressed by
> > https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00000.html
> > 
> > CVE-2014-9275 is addressed by
> > https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
> > 
> > All three changes were incorporated upstream and shipped as a part of unrtf
> > 0.21.6. (http://hg.savannah.gnu.org/hgweb/unrtf/rev/891c2f431c90)
> 
> Regards,
> Salvatore

0.21.8 has just been released with a range of fixes.  We think all known
security issues have been addressed.  There is now a Mercurial repository
with a log file detailing changes.

cheers

Dave

-- 
David F. Davey
D'Entrecasteaux                                       Phone: +61 3 6267 4852
378 Manuka Road                                      Mobile: +61 428 674 852
Kettering                                               Fax: +61 3 6267 4791
Tasmania 7155
Australia                                            daved@windclimber.id.au



Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 15:09:07 GMT)


Reply sent to Willi Mann <willi@debian.org>:
You have taken responsibility. (Sun, 21 Dec 2014 19:39:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 21 Dec 2014 19:39:06 GMT)


Message #41 received at 772811-close@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: 772811-close@bugs.debian.org
Subject: Bug#772811: fixed in unrtf 0.21.8-clean-1
Date: Sun, 21 Dec 2014 19:36:52 +0000
Source: unrtf
Source-Version: 0.21.8-clean-1

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772811@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <willi@debian.org> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 21 Dec 2014 20:14:30 +0100
Source: unrtf
Binary: unrtf
Architecture: source
Version: 0.21.8-clean-1
Distribution: experimental
Urgency: medium
Maintainer: Willi Mann <willi@debian.org>
Changed-By: Willi Mann <willi@debian.org>
Description:
 unrtf      - RTF to other formats converter
Closes: 772811
Changes:
 unrtf (0.21.8-clean-1) experimental; urgency=medium
 .
   * Imported Upstream version 0.21.8-clean
     - cleaned with script debian/clean-tar.sh, mainly to remove absolute path
       symlinks in config directory (spotted by lintian)
     - fixes CVE-2014-9274 and CVE-2014-9275 (closes: #772811)
   * Update Standards-Version 3.9.5 -> 3.9.6 (no changes)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772811; Package unrtf. (Sun, 21 Dec 2014 21:06:04 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Sun, 21 Dec 2014 21:06:04 GMT)


Message #46 received at 772811@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 772811@bugs.debian.org
Cc: daved@physiol.usyd.edu.au
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Sun, 21 Dec 2014 22:02:08 +0100
Hi Salvatore,

we were working in parallel unfortunately, as I prepared the same
patches in the morning. However, I also added 2 patches by
Fabian Keil. I'll upload tomorrow in the evening, you can have a look at

http://anonscm.debian.org/cgit/collab-maint/unrtf.git/

comments welcome.

thanks
Willi

On 2014-12-21 at 15:32, Salvatore Bonaccorso wrote:
> Control: tags -1 + patch
> 
> Hi Willi
> 
> Attached are two patches separated per CVEs.
> 
> Regards,
> Salvatore
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Willi Mann <willi@debian.org>:
Bug#772811; Package unrtf. (Sun, 21 Dec 2014 21:33:13 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Willi Mann <willi@debian.org>. (Sun, 21 Dec 2014 21:33:13 GMT)


Message #51 received at 772811@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Willi Mann <willi@debian.org>
Cc: 772811@bugs.debian.org, daved@physiol.usyd.edu.au
Subject: Re: Bug#772811: unrtf: CVE-2014-9274 CVE-2014-9275
Date: Sun, 21 Dec 2014 22:22:21 +0100
Hi Willi,

On Sun, Dec 21, 2014 at 10:02:08PM +0100, Willi Mann wrote:
> Hi Salvatore,
> 
> we were working in parallel unfortunately, as I prepared the same
> patches in the morning. However, I also added 2 patches by
> Fabian Keil. I'll upload tomorrow in the evening, you can have a look at

Don't worry too much about my doubled work. I in particular was
interested in digging into the two issues for updating the
security-tracker information. I can confirm that the isolated commits
at least fix CVE-2014-9274 and CVE-2014-9275 (confirmed with the two
sets of reproducers).

Thank you for working on that!

Regards,
Salvatore



Added tag(s) pending. Request was from Willi Mann <willi@debian.org> to control@bugs.debian.org. (Mon, 22 Dec 2014 08:30:04 GMT)


Marked as found in versions unrtf/0.21.5-1. Request was from Willi Mann <willi@debian.org> to control@bugs.debian.org. (Mon, 22 Dec 2014 08:30:09 GMT)


Reply sent to Willi Mann <willi@debian.org>:
You have taken responsibility. (Mon, 22 Dec 2014 21:39:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 22 Dec 2014 21:39:13 GMT)


Message #60 received at 772811-close@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: 772811-close@bugs.debian.org
Subject: Bug#772811: fixed in unrtf 0.21.5-2
Date: Mon, 22 Dec 2014 21:35:06 +0000
Source: unrtf
Source-Version: 0.21.5-2

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772811@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <willi@debian.org> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 22 Dec 2014 20:20:33 +0100
Source: unrtf
Binary: unrtf
Architecture: source
Version: 0.21.5-2
Distribution: unstable
Urgency: medium
Maintainer: Willi Mann <willi@debian.org>
Changed-By: Willi Mann <willi@debian.org>
Description:
 unrtf      - RTF to other formats converter
Closes: 772811
Changes:
 unrtf (0.21.5-2) unstable; urgency=medium
 .
   * Security fixes, closes: #772811
     - Fix CVE-2014-9274: check that accesses to color table stay within bounds
     - Fix CVE-2014-9275: various crashes
   * possible security fixes:
     - Fix Invalid read of size 4 in attr_get_param
     - attr_get_param(): Silence a warning message again




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772811; Package unrtf. (Tue, 23 Dec 2014 09:51:09 GMT)


Acknowledgement sent to Willi Mann <willi@debian.org>:
Extra info received and forwarded to list. (Tue, 23 Dec 2014 09:51:09 GMT)


Message #65 received at 772811@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: team@security.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 772811@bugs.debian.org
Subject: unrtf: fixes for stable (CVE-2014-9274 CVE-2014-9275)
Date: Tue, 23 Dec 2014 10:46:50 +0100
Hi,

Just in order to avoid duplicate effort: I have prepared (but not yet
tested) an upload for wheezy-security of unrtf, fixing CVE-2014-9274
CVE-2014-9275. It is available in the alioth git repository:

http://anonscm.debian.org/cgit/collab-maint/unrtf.git/

Bye
Willi


Reply sent to Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>:
You have taken responsibility. (Wed, 14 Jan 2015 18:57:17 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 14 Jan 2015 18:57:17 GMT)


Message #70 received at 772811-close@bugs.debian.org:

From: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
To: 772811-close@bugs.debian.org
Subject: Bug#772811: fixed in unrtf 0.19.3-1.1+deb6u1
Date: Wed, 14 Jan 2015 18:48:38 +0000
Source: unrtf
Source-Version: 0.19.3-1.1+deb6u1

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772811@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 30 Dec 2014 14:42:06 +0700
Source: unrtf
Binary: unrtf
Architecture: source i386
Version: 0.19.3-1.1+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Christian Surchi <csurchi@debian.org>
Changed-By: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Description:
 unrtf      - RTF to other formats converter
Closes: 772811
Changes:
 unrtf (0.19.3-1.1+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload.
   * Security fixes, closes: #772811
      - Fix CVE-2014-9274: check that accesses to color table stay within bounds
      - Fix CVE-2014-9275: various crashes
     Patches taken from upstream commits:
      - CVE-2014-9274: b0cef89a170a66bc48f8dd288ce562ea8ca91f7a
 .
      - CVE-2014-9275: 1df886f2e65f7c512a6217588ae8d94d4bcbc63d
                       3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3




Reply sent to Willi Mann <willi@debian.org>:
You have taken responsibility. (Tue, 10 Feb 2015 21:33:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 10 Feb 2015 21:33:13 GMT)


Message #75 received at 772811-close@bugs.debian.org:

From: Willi Mann <willi@debian.org>
To: 772811-close@bugs.debian.org
Subject: Bug#772811: fixed in unrtf 0.21.5-3~deb7u1
Date: Tue, 10 Feb 2015 21:32:05 +0000
Source: unrtf
Source-Version: 0.21.5-3~deb7u1

We believe that the bug you reported is fixed in the latest version of
unrtf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772811@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Willi Mann <willi@debian.org> (supplier of updated unrtf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 30 Jan 2015 21:19:35 +0100
Source: unrtf
Binary: unrtf
Architecture: source amd64
Version: 0.21.5-3~deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Willi Mann <willi@debian.org>
Changed-By: Willi Mann <willi@debian.org>
Description:
 unrtf      - RTF to other formats converter
Closes: 772811
Changes:
 unrtf (0.21.5-3~deb7u1) wheezy-security; urgency=high
 .
   * Backport of package from jessie to fix CVE-2014-9274 and CVE-2014-9275.
     closes: #772811




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:30:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:11:48 2019; Machine Name: beach
