DSA-590-1 gnats -- format string vulnerability

Debian Security Advisory

DSA-590-1 gnats -- format string vulnerability

Date Reported:

09 Nov 2004

Affected Packages:

gnats

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 278577.
In the Bugtraq database (at SecurityFocus): BugTraq ID 10609.
In Mitre's CVE dictionary: CVE-2004-0623.

More information:

Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 3.999.beta1+cvs20020303-2.

For the unstable distribution (sid) this problem has been fixed in version 4.0-7.

We recommend that you upgrade your gnats package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2.dsc

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2.tar.gz

Alpha:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_alpha.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_arm.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_i386.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_ia64.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_ia64.deb

HPPA:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_hppa.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_m68k.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_mips.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_mipsel.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_powerpc.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_s390.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/g/gnats/gnats_3.999.beta1+cvs20020303-2_sparc.deb

http://security.debian.org/pool/updates/main/g/gnats/gnats-user_3.999.beta1+cvs20020303-2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.