Debian Bug report logs - #233888
libpt-1.5.2: [PATCH] for CAN-2004-0097

Package: libpt-1.5.2; Maintainer for libpt-1.5.2 is (unknown);

Reported by: James D Strandboge <jstrand1@rochester.rr.com>

Date: Fri, 20 Feb 2004 16:18:03 UTC

Severity: grave

Tags: patch, security

Found in version 1.5.2-0jds1

Fixed in version pwlib/1.5.2-4

Done: Tim Johann <t1m@phrogstar.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to James D Strandboge <jstrand1@rochester.rr.com>:
New Bug report received and forwarded. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #5 received at submit@bugs.debian.org:

From: James D Strandboge <jstrand1@rochester.rr.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpt-1.5.2: [PATCH] for CAN-2004-0097
Date: Fri, 20 Feb 2004 11:05:25 -0500
Package: libpt-1.5.2
Version: 1.5.2-0jds1
Severity: grave
Tags: patch security
Justification: user security hole

CAN-2004-0097 discusses a problem with pwlib prior to version 1.6.0.
See
http://www.redhat.com/archives/redhat-watch-list/2004-February/msg00004.html
for more info.  I adapted the attached patch from
pwlib-1.4.7-ranges.patch from the 3spatchfixed redhat version.  The 
only difference is that this patch is to src/ptclib/asnper.cxx rather
than src/ptclib/asner.cxx.

A dpatch is attached and applies cleanly to the pwlib included in my
gnome2.2 backport (which is the sid pwlib recompiled on woody).

Jamie Strandboge

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux sirius.strandboge.cxm 2.4.23-tppdell41003 #1 Thu Feb 19 10:26:56 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages libpt-1.5.2 depends on:
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libldap2               2.0.23-6.3        OpenLDAP libraries.
ii  libsdl1.2debian        1.2.4-1           Simple DirectMedia Layer
ii  libssl0.9.6            0.9.6c-2.woody.4  SSL shared libraries
ii  libstdc++2.10-glibc2.2 1:2.95.4-11woody1 The GNU stdc++ library




Information forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to James Strandboge <jstrand1@rochester.rr.com>:
Extra info received and forwarded to list. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #10 received at 233888@bugs.debian.org:

From: James Strandboge <jstrand1@rochester.rr.com>
To: 233888@bugs.debian.org
Subject: libpt-1.5.2: [PATCH] for CAN-2004-0097
Date: Fri, 20 Feb 2004 11:41:47 -0500
Here is the patch
[05_src_ptclib_asnper.cxx-CAN-2004-0097.dpatch (text/x-sh, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to Tim Johann <t1m@phrogstar.de>:
Extra info received and forwarded to list.

Message #15 received at 233888@bugs.debian.org:

From: Tim Johann <t1m@phrogstar.de>
To: James D Strandboge <jstrand1@rochester.rr.com>, 233888@bugs.debian.org
Subject: Re: Bug#233888: libpt-1.5.2: [PATCH] for CAN-2004-0097
Date: Sat, 21 Feb 2004 20:36:34 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Very many thanks for the patch, though...

I was already preparing packages for the v1.6.1 prerelease to get this
problem solved.  I am only waiting for my sponsor to review and probably
upload them.

But I will not close this bug until the new version is uploaded.

thanks again,

~    cheers,

~       t1m

--

Tim Johann <t1m@phrogstar.de>
PGP/GnuPG public key available at wwwkeys.pgp.net
PGP-fingerprint:  B983 04E1 D046 BAC1 FF60  D0DC 4002 CAD4 DEBB A8D2



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFAN7NCQALK1N67qNIRAu9kAKCwFhESI0QSZpg+3jqjKLxyBCCfTwCdFyCH
Wa/ZeD+67VRUnBK9goT4G2s=
=Q3Rp
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to Drew Scott Daniels <umdanie8@cc.UManitoba.CA>:
Extra info received and forwarded to list. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #20 received at 233888@bugs.debian.org:

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
To: 233888@bugs.debian.org
Subject: pwlib vulnerabilities
Date: Mon, 23 Feb 2004 10:37:54 -0600 (CST)
Hi,
Don't forget to leave the bug open for sarge until the fixed version makes
it into testing.

Below is just a rant I suppose...
The whole handling of these H.323 vulnerabilities bothers me... Although
the lack of transparency in Debian's handling of vulnerabilities has long
bothered me, it's more upstream, other vendors and even CERT that really
didn't deal well with this... I presume that you got my messages to the
PTS regarding this issue?

CERT announced H.323 vulnerabilities without considering OpenH323 (maybe
due to someone else's announcement). They stated that they believed that
Red Hat wasn't vulnerable.

After the CERT advisory, I contacted upstream and the PTS..

OpenH323 upstream said shortly after that they were vulnerable, but only
on their mailing list (available to the public on the web). The fixes were
available for a while, but the fixes were listed amongst regular
updates... I suppose this is true for most upstream security fixes. :-(
The OpenH323 website still doesn't address this issue after more than a
month from the CERT advisory, and several days after the release of their
new version... The website update may be excusable in that they may have
been waiting for the CVE release.

After upstream said they were vulnerable, I contacted a member of the
security team so that he could at least keep track of the issue as it
relates to sarge. I couldn't contact the security team list as I couldn't
yet show that stable was vulnerable and they've scorned me in the past for
sending notes their way of merely possible vulnerabilities (ugg).

Red Hat released their advisory(ies) before the CVE co-ordination was
finished. I get the impression that this isn't the first time that Red
Hat has jumped the gun. CERT also still lists Red Hat as not vulnerable.

Thanks for keeping this bug open, and thanks for addressing the
vulnerabilities. Also thanks for maintaining this excellent package.

     Drew Daniels



Information forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to Mark J Cox <mjc@redhat.com>:
Extra info received and forwarded to list. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #25 received at 233888@bugs.debian.org:

From: Mark J Cox <mjc@redhat.com>
To: 233888@bugs.debian.org
Subject: Re: pwlib vulnerabilities
Date: Tue, 24 Feb 2004 08:44:02 +0000 (GMT)
> Red Hat released their advisory(ies) before the CVE co-ordination was
> finished.

So actually our security team noticed that OpenH323 was affected because
of a message linked from the openh323.org web site.  We talked to Craig
Southeren and he confirmed that the fix was public (we also wanted to see
if the test suite had been run against prior versions).  We released
updated packages shortly after that since the issue was already public.

Thanks, Mark
-- 
Mark J Cox / Red Hat Security Response Team





Reply sent to Tim Johann <t1m@phrogstar.de>:
You have taken responsibility.

Notification sent to James D Strandboge <jstrand1@rochester.rr.com>:
Bug acknowledged by developer.

Message #30 received at 233888-close@bugs.debian.org:

From: Tim Johann <t1m@phrogstar.de>
To: 233888-close@bugs.debian.org
Subject: Bug#233888: fixed in pwlib 1.5.2-4
Date: Tue, 16 Mar 2004 16:32:18 -0500
Source: pwlib
Source-Version: 1.5.2-4

We believe that the bug you reported is fixed in the latest version of
pwlib, which is due to be installed in the Debian FTP archive:

asnparser_1.5.2-4_i386.deb
  to pool/main/p/pwlib/asnparser_1.5.2-4_i386.deb
libpt-1.5.2_1.5.2-4_i386.deb
  to pool/main/p/pwlib/libpt-1.5.2_1.5.2-4_i386.deb
libpt-dbg_1.5.2-4_i386.deb
  to pool/main/p/pwlib/libpt-dbg_1.5.2-4_i386.deb
libpt-dev_1.5.2-4_i386.deb
  to pool/main/p/pwlib/libpt-dev_1.5.2-4_i386.deb
libpt-doc_1.5.2-4_all.deb
  to pool/main/p/pwlib/libpt-doc_1.5.2-4_all.deb
pwlib_1.5.2-4.diff.gz
  to pool/main/p/pwlib/pwlib_1.5.2-4.diff.gz
pwlib_1.5.2-4.dsc
  to pool/main/p/pwlib/pwlib_1.5.2-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 233888@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Johann <t1m@phrogstar.de> (supplier of updated pwlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 22 Feb 2004 01:20:11 +0100
Source: pwlib
Binary: libpt-doc libpt-dbg asnparser libpt-1.5.2 libpt-dev
Architecture: source i386 all
Version: 1.5.2-4
Distribution: unstable
Urgency: high
Maintainer: Tim Johann <t1m@phrogstar.de>
Changed-By: Tim Johann <t1m@phrogstar.de>
Description: 
 asnparser  - ASN.1 to C/C++ converter
 libpt-1.5.2 - Portable Windows Library
 libpt-dbg  - Portable Windows Library development debug files
 libpt-dev  - Portable Windows Library development files
 libpt-doc  - Portable Windows Library documentation & sample files
Closes: 220885 233888
Changes: 
 pwlib (1.5.2-4) unstable; urgency=high
 .
   * Added dpatch to fix CVE issue CAN-2004-0097.
     Thanks to James Strandboge <jstrand1@rochester.rr.com> for providing
     the patch.  Closes: #233888.
   * Removed '-pipe', hopefully to get rid of bug #218841.
   * Added patch erasing the '-Os' flag.  Closes: #220885.
 .
 pwlib (1.5.2-3) unstable; urgency=low
 .
   * added -DP_64BIT flag to STDCCFLAGS on alpha, not accounted for upstream
Files: 
 12f5469a8abcb30036426280c8e4bb76 767 libs optional pwlib_1.5.2-4.dsc
 7a34f695fc57a78b3eeec27b4716483a 132668 libs optional pwlib_1.5.2-4.diff.gz
 8cb77e0182276243d7f29ad0d3f23507 1568510 libs optional libpt-1.5.2_1.5.2-4_i386.deb
 ea85e648c685c12457dfe992487f4aaa 276740 devel optional asnparser_1.5.2-4_i386.deb
 5b9663704073c2317dca274e412a0c4d 2379624 libdevel optional libpt-dev_1.5.2-4_i386.deb
 a091e58b9691b43d4b84fb90637099d3 13820264 libdevel extra libpt-dbg_1.5.2-4_i386.deb
 d6c51b72f5177a852e0d2b5272c88d0a 457016 doc extra libpt-doc_1.5.2-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAV2qM7tjUzB3rjq4RArnHAJ9N4TJw6pqRm4tBrDVM/j7I7Z6Y4wCgg+ZJ
S3gt/PCa9Go+WYTJcLcb5FQ=
=gs3G
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to Drew Scott Daniels <umdanie8@cc.UManitoba.CA>:
Extra info received and forwarded to list. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #35 received at 233888@bugs.debian.org:

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
To: 233888@bugs.debian.org
Subject: This bug is still in sarge
Date: Tue, 30 Mar 2004 16:12:09 -0600 (CST)
This security bug is still in the version of pwlib in sarge.

     Drew Daniels




Information forwarded to debian-bugs-dist@lists.debian.org, Tim Johann <t1m@phrogstar.de>:
Bug#233888; Package libpt-1.5.2.

Acknowledgement sent to Kilian Krause <kk@verfaction.de>:
Extra info received and forwarded to list. Copy sent to Tim Johann <t1m@phrogstar.de>.

Message #40 received at 233888@bugs.debian.org:

From: Kilian Krause <kk@verfaction.de>
To: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>, 233888@bugs.debian.org
Subject: Re: Bug#233888: This bug is still in sarge
Date: Wed, 31 Mar 2004 01:19:33 +0200
Hi Drew, 

On Wed, 31.03.2004 at 0:12, Drew Scott Daniels wrote:
> This security bug is still in the version of pwlib in sarge.

Yes, and we are trying our best to get the current SID version to proceed into
SARGE. Unfortunately we need the whole dependency tree ready for the
new pwlib to be moving into sarge.

As the sarge version of pwlib is kinda outdated, does that patch apply
cleanly or can we just wait for the new version to propagate into sarge?

-- 
Best regards,
 Kilian


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:15:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.