Debian Bug report logs - #295261
CAN-2004-1004+CAN-2004-1005: multiple vulnerabilities in mc


Package: mc; Maintainer for mc is Debian MC Packaging Group <pkg-mc-devel@lists.alioth.debian.org>; Source for mc is src:mc.

Reported by: Martin Schulze <joey@infodrom.org>

Date: Mon, 14 Feb 2005 19:33:06 UTC

Severity: grave

Tags: patch, sarge, security, sid

Found in version 4.6.0-4.6.1-pre1-3

Fixed in version mc/1:4.6.0-4.6.1-pre3-1

Done: Ludovic Drolez <ldrolez@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, joeyh@debian.org, Adam Byrtek <alpha@debian.org>:
Bug#295261; Package mc. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
New Bug report received and forwarded. Copy sent to joeyh@debian.org, Adam Byrtek <alpha@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: CAN-2004-1004+CAN-2004-1005: multiple vulnerabilities in mc
Date: Mon, 14 Feb 2005 20:12:38 +0100
Package: mc
Version: 4.6.0-4.6.1-pre1-3
Severity: grave
Tags: sarge sid security patch

I'm awfully sorry but when releasing DSA 639 I was under the impression
that the version of mc was sufficiently new and contained all security
fixes already.  However, Gerardo Di Giacomo denied that, so attached
please find the patch he provided for a Debian fork which also applies
to the version in sarge = sid.  I'm also attaching the patches I've
used for the update in woody.

CAN-2004-1004

    Multiple format string vulnerabilities

CAN-2004-1005

    Multiple buffer overflows

Linkname: [SECURITY] [DSA 639-1] New mc packages fix several vulnerabilities
     URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00017.html

Please correct the package.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.
[diff.for.joey (text/plain, attachment)]
[patch.CAN-2004-1004.mc (text/plain, attachment)]
[patch.CAN-2004-1005.mc (text/plain, attachment)]
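The two CAN identifiers in the report name vulnerability classes rather than specific code locations, and the patches themselves are only attached, not quoted. The following is an added, generic illustration of both classes and of the corresponding fixes; it is not mc's source and not the attached patches, and the function names (`show_error_*`, `copy_name_*`, `has_format_directive`) are assumptions chosen for the example.

```c
/* Added example: the two bug classes cited in this report, each shown as the
 * vulnerable pattern beside its fixed form.  Generic code, not mc's; all
 * function names here are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* CAN-2004-1004 class: untrusted text passed as the *format* argument.
 * Input such as "%x%x%x" leaks stack words; "%n" writes to memory.
 * The pragma only silences the compiler so the bad pattern can be shown. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void show_error_vulnerable(const char *untrusted)
{
    char buf[256];
    snprintf(buf, sizeof buf, untrusted);   /* BUG: format comes from input */
    (void)buf;
}
#pragma GCC diagnostic pop

/* Fixed form: the format is a literal, the untrusted text is plain data.
 * Returns snprintf's count so a caller can detect truncation (ret >= outsz). */
int show_error_fixed(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "Cannot open %s", untrusted);
}

/* Audit helper: true if a string that might reach a format argument contains
 * a conversion directive.  "%%" is a literal percent sign and does not count. */
bool has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip the pair */
            s++;
            continue;
        }
        return s[1] != '\0';    /* a lone trailing '%' is not a directive */
    }
    return false;
}

/* CAN-2004-1005 class: unbounded copy into a fixed-size stack buffer. */
void copy_name_vulnerable(const char *name)
{
    char buf[64];
    strcpy(buf, name);          /* BUG: overflows when strlen(name) >= 64 */
    (void)buf;
}

/* Fixed form: bounded copy that always NUL-terminates and reports truncation
 * (-1) instead of writing past the end of dst. */
int copy_name_fixed(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}
```

When reviewing a patch for either class, the things to check are that every `printf`-family call has a literal format string (or, where a non-literal is unavoidable, that the input has been screened with something like `has_format_directive`), and that every copy into a fixed buffer is bounded and its truncation result is acted on rather than ignored.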

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Byrtek <alpha@debian.org>:
Bug#295261; Package mc. Full text and rfc822 format available.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Byrtek <alpha@debian.org>. Full text and rfc822 format available.

Message #10 received at 295261@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: Martin Schulze <joey@infodrom.org>, 295261@bugs.debian.org, SteX <stefano.melchior@fastwebnet.it>
Subject: Re: Bug#295261: CAN-2004-1004+CAN-2004-1005: multiple vulnerabilities in mc
Date: Mon, 14 Feb 2005 23:22:01 +0100

Martin Schulze wrote:
> Package: mc
> Version: 4.6.0-4.6.1-pre1-3
> Severity: grave
> Tags: sarge sid security patch
> 
> I'm awfully sorry but when releasing DSA 639 I was under the impression
> that the version of mc was sufficiently new and contained all security
> fixes already.  However, Gerardo Di Giacomo denied that, so attached
> please find the patch he provided for a Debian fork which also applies
> to the version in sarge = sid.  I'm also attaching the patches I've
> used for the update in woody.
> 
> CAN-2004-1004
> 
>     Multiple format string vulnerabilities
> 
> CAN-2004-1005
> 
>     Multiple buffer overflows
> 
> Linkname: [SECURITY] [DSA 639-1] New mc packages fix several vulnerabilities
>      URL: http://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00017.html
> 
> Please correct the package.

Thanks for the bug report.

I've just verified that these bugs are already fixed in the upcoming pre3
release of mc. They will be fixed as soon as the ITA is completed (Stefano
and I will maintain mc).

Stefano, I think it's time to complete the ITA!

Cheers,

-- 
Ludovic Drolez.

http://www.palmopensource.com       - The PalmOS Open Source Portal
http://www.drolez.com      - Personal site - Linux and PalmOS stuff



Tags added: pending Request was from Ludovic <ldrolez@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Byrtek <alpha@debian.org>:
Bug#295261; Package mc. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Byrtek <alpha@debian.org>. Full text and rfc822 format available.

Message #17 received at 295261@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 295261@bugs.debian.org, SteX <stefano.melchior@fastwebnet.it>, Ludovic Drolez <ldrolez@debian.org>
Subject: Re: Bug#295261: CAN-2004-1004+CAN-2004-1005: multiple vulnerabilities in mc
Date: Thu, 24 Feb 2005 16:20:54 -0500
I encourage you guys to hurry up and get a fixed mc out. Normally I'd
have NMUed it already with the patch, except you indicated you were
working on it, but I'm almost out of patience waiting now.

-- 
see shy jo

Reply sent to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Schulze <joey@infodrom.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 295261-close@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: 295261-close@bugs.debian.org
Subject: Bug#295261: fixed in mc 1:4.6.0-4.6.1-pre3-1
Date: Thu, 24 Feb 2005 17:47:10 -0500
Source: mc
Source-Version: 1:4.6.0-4.6.1-pre3-1

We believe that the bug you reported is fixed in the latest version of
mc, which is due to be installed in the Debian FTP archive:

mc_4.6.0-4.6.1-pre3-1.diff.gz
  to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1.diff.gz
mc_4.6.0-4.6.1-pre3-1.dsc
  to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1.dsc
mc_4.6.0-4.6.1-pre3-1_i386.deb
  to pool/main/m/mc/mc_4.6.0-4.6.1-pre3-1_i386.deb
mc_4.6.0-4.6.1-pre3.orig.tar.gz
  to pool/main/m/mc/mc_4.6.0-4.6.1-pre3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 295261@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated mc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 17 Feb 2005 22:45:32 +0100
Source: mc
Binary: mc
Architecture: source i386
Version: 1:4.6.0-4.6.1-pre3-1
Distribution: unstable
Urgency: high
Maintainer: Stefano Melchior <stefano.melchior@openlabs.it>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description: 
 mc         - midnight commander - a powerful file manager
Closes: 92121 231071 241891 267596 282301 286395 295259 295261
Changes: 
 mc (1:4.6.0-4.6.1-pre3-1) unstable; urgency=high
 .
   * New maintainers: Stefano Melchior and Ludovic Drolez (closes: #282301).
   * Urgency set to high because of security bug fixes.
   * Missing quoting in ext2 and i18n fix.
   * Samba lib warning (netmask.c) fixed.
   * Security upload to handle DSA 639 (references: CAN-2004-1004,
     CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092,
     CAN-2004-1093, CAN-2004-1174, CAN-2004-1175, CAN-2004-1176),
     Fixed upstream in the pre3 release (Closes: #295261).
   * Pre3 release includes fix for CAN-2004-0226 (closes: #286395).
   * Fixed ftp filesystem impossibility to list dirs when password contains #
     (closes: #92121).
   * Fixed subshell impossibility to be started (closes: #241891).
   * Fixed CAN-2004-0494 (closes: #267596).
   * Fixed buffer overflow and format string vulnerabilities (closes: #295259).
   * Italian hotkey translation changed (closes: #231071).
   * New upstream pre-release.
Files: 
 c8e34240a29a723bc78bdd85463a26f3 691 utils optional mc_4.6.0-4.6.1-pre3-1.dsc
 2bea7e3250efa665d972229e755ac1e6 3900927 utils optional mc_4.6.0-4.6.1-pre3.orig.tar.gz
 8c8a3a55fdb76c3105a564e037f06022 25254 utils optional mc_4.6.0-4.6.1-pre3-1.diff.gz
 3a6752d5079f576910f291bd752960c8 2003694 utils optional mc_4.6.0-4.6.1-pre3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCHlNlsRlQAP1GppgRAim8AJwJRGe3QLax1XUU1NmZ35R1TsN4PQCfY8k2
LZo2XB/RBba9ZXrH7kMF12M=
=WFw5
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:40:44 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.