Debian Bug report logs - #298939
xlibs: new buffer overflow security hole (CAN-2005-0605)

Package: xlibs; Maintainer for xlibs is (unknown);

Reported by: Branden Robinson <branden@debian.org>

Date: Thu, 10 Mar 2005 19:18:05 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream, woody

Fixed in version xfree86/4.1.0-16woody6

Done: Branden Robinson <branden@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package libxpm4. Full text and rfc822 format available.

Acknowledgement sent to Branden Robinson <branden@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxpm4: new buffer overflow security hole (CAN-2005-0605)
Date: Thu, 10 Mar 2005 14:01:37 -0500
Package: libxpm4
Version: 4.3.0.dfsg.1-12
Severity: grave
Tags: security, upstream, fixed-upstream, patch

CAN-2005-0605 indicates that "scan.c for LibXPM may allow attackers to
execute arbitrary code via a negative bitmap_unit value that leads to a
buffer overflow."

Patch is here:

https://bugs.freedesktop.org/attachment.cgi?id=1909

Description is here:

https://bugs.freedesktop.org/show_bug.cgi?id=1920

Gentoo issued an advisory about this on 4 March.

Ubuntu issued an advisory about this on 7 March.

I learned about this from Linux Weekly News.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libxpm4 depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- no debconf information
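
The bug class named in the report above, a signed header field used in size arithmetic without a range check, is shown in the stand-alone C sketch below. It is an added example, not libXpm's scan.c and not the freedesktop.org patch; the struct `img_hdr`, both functions and the sample values are hypothetical, and only the field name `bitmap_unit` and its legal values (8, 16, 32, as in Xlib's XImage) are taken from X11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image header (illustration only, not libXpm's structure). */
struct img_hdr {
    int width;        /* pixels per row */
    int depth;        /* bits per pixel */
    int bitmap_unit;  /* scanline quantum in bits; X11 allows 8, 16 or 32 */
};

/*
 * Unchecked: rounds the row up to a multiple of bitmap_unit and trusts the
 * field. A negative unit flips the rounding and yields a size smaller than
 * the pixel data, which is how an undersized buffer comes about.
 * (A zero unit would divide by zero; it is not exercised here.)
 */
static long row_bytes_unchecked(const struct img_hdr *h)
{
    long bits = (long)h->width * h->depth;
    long unit = h->bitmap_unit;
    return ((bits + unit - 1) / unit) * (unit / 8);
}

/*
 * Checked: rejects any header whose fields are outside the legal range
 * before doing arithmetic. Returns 0 and stores the padded row size in
 * *out on success, -1 on a malformed header.
 */
static int row_bytes_checked(const struct img_hdr *h, size_t *out)
{
    size_t w, d, u, bits;

    if (h->width <= 0 || h->depth <= 0 || h->depth > 32)
        return -1;
    if (h->bitmap_unit != 8 && h->bitmap_unit != 16 && h->bitmap_unit != 32)
        return -1;

    w = (size_t)h->width;
    d = (size_t)h->depth;
    u = (size_t)h->bitmap_unit;

    /* Guard w * d + u - 1 against wrapping on platforms with a small size_t. */
    if (w > (SIZE_MAX - u) / d)
        return -1;

    bits = w * d;
    *out = ((bits + u - 1) / u) * (u / 8);
    return 0;
}

int main(void)
{
    /* Constructed sample headers: 100 one-bit pixels need at least 13 bytes. */
    struct img_hdr good = { 100, 1, 32 };
    struct img_hdr bad  = { 100, 1, -32 };
    size_t n = 0;

    printf("unchecked, unit  32: %ld bytes\n", row_bytes_unchecked(&good));
    printf("unchecked, unit -32: %ld bytes\n", row_bytes_unchecked(&bad));

    if (row_bytes_checked(&good, &n) == 0)
        printf("checked,   unit  32: %lu bytes\n", (unsigned long)n);
    if (row_bytes_checked(&bad, &n) != 0)
        printf("checked,   unit -32: header rejected\n");
    return 0;
}
```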



Tags added: fixed Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package libxpm4. Full text and rfc822 format available.

Acknowledgement sent to 298939@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #12 received at 298939@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: team@security.debian.org
Cc: 298939@bugs.debian.org
Subject: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Date: Fri, 11 Mar 2005 03:35:32 -0500
[Message part 1 (text/plain, inline)]
The following URL contains source and binary packages for powerpc resolving
CAN-2005-0605[1], which is described as:

  The XPM library's scan.c file may allow attackers to execute arbitrary code
  by crafting a malicious XPM image file containing a negative bitmap_unit
  value that provokes a buffer overflow.

http://redwald.deadbeast.net/tmp/CAN-2005-0605/

I'm attaching a GPG-signed file, MD5SUMS.txt, that you can use to verify
the download.

This package makes two changes:

1) It applies the purported fix for CAN-2005-0605.  I know of no exploit
   for this vulnerability, so I was unable to test this.
2) It fixes the regression in XPM file-writing introduced by the fix for
   CAN-2004-0914 (in -16woody5).  I confirmed that saving XPM files in a
   woody environment with -16woody5 with the GIMP didn't work, and that
   upgrading to -16woody6 restored the functionality.

Please also find at the above URL:
* my package build log, xfree86_4.1.0-16woody6_powerpc.build; I built in a
  clean, up-to-date woody chroot
* xfree86_4.1.0-16woody6_qa_install_purge.typescript, a transcript of
  installing and purging these packages in a woody chroot
* xfree86_4.1.0-16woody6_qa_upgrade_downgrade.typescript, a transcript of
  upgrading these packages from -16woody5 and downgrading them back to
  -16woody5 in a woody chroot
* test-x11-packages, the shell script I used to automate the above QA tests

Please let me know if you require anything else regarding this
vulnerability.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0605

-- 
G. Branden Robinson                |    Somewhere, there is a .sig so funny
Debian GNU/Linux                   |    that reading it will cause an
branden@debian.org                 |    aneurysm.  This is not that .sig.
http://people.debian.org/~branden/ |
[MD5SUMS.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package libxpm4. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #17 received at 298939@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Branden Robinson <branden@debian.org>
Cc: team@security.debian.org, 298939@bugs.debian.org
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Date: Sat, 12 Mar 2005 16:44:07 +0100
Branden Robinson wrote:
> The following URL contains source and binary packages for powerpc resolving
> CAN-2005-0605[1], which is described as:
> 
>   The XPM library's scan.c file may allow attackers to execute arbitrary code
>   by crafting a malicious XPM image file containing a negative bitmap_unit
>   value that provokes a buffer overflow.

Looks fine, pushed into the buildd network.  Thanks a lot!

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package libxpm4. Full text and rfc822 format available.

Acknowledgement sent to 298939@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #22 received at 298939@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: control@bugs.debian.org, 298939@bugs.debian.org
Cc: lesstif1-1@packages.debian.org, joeyh@debian.org
Subject: #298939 should not have been marked fixed by lesstif1-1 NMU
Date: Sat, 12 Mar 2005 15:37:52 -0500
[Message part 1 (text/plain, inline)]
clone 298939 -1
retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
reassign -1 lesstif1-1
# I don't actually know if it's fixed upstream yet in LessTif, but I'm
# guessing it's not.
tag -1 - fixed-upstream
# libxpm4 is not fixed until the security buildds' packages are uploaded.
tag 298939 - fixed
thanks

Hi Joey,

Did you mean to only reference #298939 in your NMU of lesstif1-1?  You said
"Closes:", which marked as fixed the bug I filed against libxpm4, which is
not part of lesstif1-1 and is not yet fixed.

I am assuming your closing of #298939 is in error (since it's not
accurate), and cloning a copy of it for CAN-2005-0605's effect on
lesstif1-1.

-- 
G. Branden Robinson                |
Debian GNU/Linux                   |           If ignorance is bliss,
branden@debian.org                 |           is omniscience hell?
http://people.debian.org/~branden/ |
[signature.asc (application/pgp-signature, inline)]

Bug 298939 cloned as bug 299236. Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: fixed Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package libxpm4. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 298939@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 298939@bugs.debian.org
Cc: control@bugs.debian.org, lesstif1-1@packages.debian.org
Subject: Re: #298939 should not have been marked fixed by lesstif1-1 NMU
Date: Sat, 12 Mar 2005 17:53:36 -0500
[Message part 1 (text/plain, inline)]
tag 298183 fixed
merge 298183 299236
thanks

Branden Robinson wrote:
> clone 298939 -1
> retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
> reassign -1 lesstif1-1
> # I don't actually know if it's fixed upstream yet in LessTif, but I'm
> # guessing it's not.
> tag -1 - fixed-upstream
> # libxpm4 is not fixed until the security buildds' packages are uploaded.
> tag 298939 - fixed
> thanks
> 
> Hi Joey,
> 
> Did you mean to only reference #298939 in your NMU of lesstif1-1?  You said
> "Closes:", which marked as fixed the bug I filed against libxpm4, which is
> not part of lesstif1-1 and is not yet fixed.
> 
> I am assuming your closing of #298939 is in error (since it's not
> accurate), and cloning a copy of it for CAN-2005-0605's effect on
> lesstif1-1.

Sorry, I meant to refer to bug #298183 which was already open on
lesstif1 for the same vulnerability.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Bug 298939 cloned as bug 299272. Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `libxpm4' to `xlibs'. Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending, woody Request was from Branden Robinson <branden@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package xlibs. Full text and rfc822 format available.

Acknowledgement sent to 298939@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #44 received at 298939@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@deadbeast.net>
To: team@security.debian.org
Cc: 298939@bugs.debian.org
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Date: Wed, 20 Apr 2005 23:28:34 -0500
[Message part 1 (text/plain, inline)]
On Fri, Mar 11, 2005 at 03:35:32AM -0500, Branden Robinson wrote:
> The following URL contains source and binary packages for powerpc resolving
> CAN-2005-0605[1], which is described as:
> 
>   The XPM library's scan.c file may allow attackers to execute arbitrary code
>   by crafting a malicious XPM image file containing a negative bitmap_unit
>   value that provokes a buffer overflow.
> 
> http://redwald.deadbeast.net/tmp/CAN-2005-0605/

Can someone tell me what the status of this is?

-- 
G. Branden Robinson            |      A celibate clergy is an especially
Free Software Developer        |      good idea, because it tends to
branden@deadbeast.net          |      suppress any hereditary propensity
http://deadbeast.net/~branden/ |      toward fanaticism.    -- Carl Sagan
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package xlibs. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #49 received at 298939@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Branden Robinson <branden@deadbeast.net>
Cc: team@security.debian.org, 298939@bugs.debian.org
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Date: Thu, 21 Apr 2005 08:15:40 +0200
Branden Robinson wrote:
> On Fri, Mar 11, 2005 at 03:35:32AM -0500, Branden Robinson wrote:
> > The following URL contains source and binary packages for powerpc resolving
> > CAN-2005-0605[1], which is described as:
> > 
> >   The XPM library's scan.c file may allow attackers to execute arbitrary code
> >   by crafting a malicious XPM image file containing a negative bitmap_unit
> >   value that provokes a buffer overflow.
> > 
> > http://redwald.deadbeast.net/tmp/CAN-2005-0605/
> 
> Can someone tell me what the status of this is?

Sure.  We don't have an ARM buildd for *stable* anymore.
Hence, the 11th architecture is missing.

Regards,

	Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package xlibs. Full text and rfc822 format available.

Acknowledgement sent to Branden Robinson <branden@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #54 received at 298939@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: Debian Security Team <security@debian.org>
Cc: 298939@bugs.debian.org, 299272@bugs.debian.org
Subject: Regarding xfree86 and CAN-2005-0609
Date: Fri, 6 May 2005 10:09:28 -0500
[Message part 1 (text/plain, inline)]
Hi Joey,

xfree86's fix for CAN-2005-0609 has not yet been uploaded to
testing/unstable.  I expect to make an upload soon, however; the packages
are currently in preparation, and you can view the current status of the
SVN trunk at:

  http://necrotic.deadbeast.net/svn/xfree86/trunk/

specifically:

  http://necrotic.deadbeast.net/svn/xfree86/trunk/debian/changelog

Please go ahead and do the advisory for woody's xfree86 once you're ready.
I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
reason to expect that release to not fix CAN-2005-0609.

-- 
G. Branden Robinson                |     Suffer before God and ye shall be
Debian GNU/Linux                   |     redeemed.  God loves us, so He
branden@debian.org                 |     makes us suffer Christianity.
http://people.debian.org/~branden/ |     -- Aaron Dunsmore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package xlibs. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #59 received at 298939@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Branden Robinson <branden@debian.org>
Cc: Debian Security Team <security@debian.org>, 298939@bugs.debian.org, 299272@bugs.debian.org
Subject: Re: Regarding xfree86 and CAN-2005-0609
Date: Fri, 6 May 2005 17:18:42 +0200
Branden Robinson wrote:
> Hi Joey,
> 
> xfree86's fix for CAN-2005-0609 has not yet been uploaded to
> testing/unstable.  I expect to make an upload soon, however; the packages
> are currently in preparation, and you can view the current status of the
> SVN trunk at:
> 
>   http://necrotic.deadbeast.net/svn/xfree86/trunk/
> 
> specifically:
> 
>   http://necrotic.deadbeast.net/svn/xfree86/trunk/debian/changelog
> 
> Please go ahead and do the advisory for woody's xfree86 once you're ready.
> I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
> reason to expect that release to not fix CAN-2005-0609.

Understood.  Do you want me to write that it'll be fixed in 4.3.0.dfsg.1-13
or should I write that it will be fixed soon?

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#298939; Package xlibs. Full text and rfc822 format available.

Acknowledgement sent to Branden Robinson <branden@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #64 received at 298939@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: Debian Security Team <security@debian.org>
Cc: 298939@bugs.debian.org, 299272@bugs.debian.org
Subject: Re: Regarding xfree86 and CAN-2005-0609
Date: Fri, 6 May 2005 12:54:07 -0500
[Message part 1 (text/plain, inline)]
Joey,

You can write in the xfree86 DSA for CAN-2005-0609 that the sarge/sid
vulnerability will be fixed by xfree86 4.3.0.dfsg.1-13, which is currently
in preparation.

-- 
G. Branden Robinson                |      Never underestimate the power of
Debian GNU/Linux                   |      human stupidity.
branden@debian.org                 |      -- Robert Heinlein
http://people.debian.org/~branden/ |
[signature.asc (application/pgp-signature, inline)]

Reply sent to Branden Robinson <branden@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Branden Robinson <branden@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #69 received at 298939-close@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: 298939-close@bugs.debian.org
Subject: Bug#298939: fixed in xfree86 4.1.0-16woody6
Date: Mon, 09 May 2005 12:02:45 -0400
Source: xfree86
Source-Version: 4.1.0-16woody6

We believe that the bug you reported is fixed in the latest version of
xfree86, which is due to be installed in the Debian FTP archive:

lbxproxy_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/lbxproxy_4.1.0-16woody6_powerpc.deb
libdps-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps-dev_4.1.0-16woody6_powerpc.deb
libdps1-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps1-dbg_4.1.0-16woody6_powerpc.deb
libdps1_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps1_4.1.0-16woody6_powerpc.deb
libxaw6-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6-dbg_4.1.0-16woody6_powerpc.deb
libxaw6-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6-dev_4.1.0-16woody6_powerpc.deb
libxaw6_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6_4.1.0-16woody6_powerpc.deb
libxaw7-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7-dbg_4.1.0-16woody6_powerpc.deb
libxaw7-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7-dev_4.1.0-16woody6_powerpc.deb
libxaw7_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7_4.1.0-16woody6_powerpc.deb
proxymngr_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/proxymngr_4.1.0-16woody6_powerpc.deb
twm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/twm_4.1.0-16woody6_powerpc.deb
x-window-system-core_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/x-window-system-core_4.1.0-16woody6_powerpc.deb
x-window-system_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/x-window-system_4.1.0-16woody6_all.deb
xbase-clients_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xbase-clients_4.1.0-16woody6_powerpc.deb
xdm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xdm_4.1.0-16woody6_powerpc.deb
xfonts-100dpi-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-100dpi-transcoded_4.1.0-16woody6_all.deb
xfonts-100dpi_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-100dpi_4.1.0-16woody6_all.deb
xfonts-75dpi-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-75dpi-transcoded_4.1.0-16woody6_all.deb
xfonts-75dpi_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-75dpi_4.1.0-16woody6_all.deb
xfonts-base-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-base-transcoded_4.1.0-16woody6_all.deb
xfonts-base_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-base_4.1.0-16woody6_all.deb
xfonts-cyrillic_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-cyrillic_4.1.0-16woody6_all.deb
xfonts-pex_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-pex_4.1.0-16woody6_all.deb
xfonts-scalable_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-scalable_4.1.0-16woody6_all.deb
xfree86-common_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfree86-common_4.1.0-16woody6_all.deb
xfree86_4.1.0-16woody6.diff.gz
  to pool/main/x/xfree86/xfree86_4.1.0-16woody6.diff.gz
xfree86_4.1.0-16woody6.dsc
  to pool/main/x/xfree86/xfree86_4.1.0-16woody6.dsc
xfs_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xfs_4.1.0-16woody6_powerpc.deb
xfwp_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xfwp_4.1.0-16woody6_powerpc.deb
xlib6g-dev_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xlib6g-dev_4.1.0-16woody6_all.deb
xlib6g_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xlib6g_4.1.0-16woody6_all.deb
xlibmesa-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa-dev_4.1.0-16woody6_powerpc.deb
xlibmesa3-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa3-dbg_4.1.0-16woody6_powerpc.deb
xlibmesa3_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa3_4.1.0-16woody6_powerpc.deb
xlibosmesa-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa-dev_4.1.0-16woody6_powerpc.deb
xlibosmesa3-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa3-dbg_4.1.0-16woody6_powerpc.deb
xlibosmesa3_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa3_4.1.0-16woody6_powerpc.deb
xlibs-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-dbg_4.1.0-16woody6_powerpc.deb
xlibs-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-dev_4.1.0-16woody6_powerpc.deb
xlibs-pic_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-pic_4.1.0-16woody6_powerpc.deb
xlibs_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs_4.1.0-16woody6_powerpc.deb
xmh_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xmh_4.1.0-16woody6_powerpc.deb
xnest_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xnest_4.1.0-16woody6_powerpc.deb
xprt_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xprt_4.1.0-16woody6_powerpc.deb
xserver-common_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xserver-common_4.1.0-16woody6_powerpc.deb
xserver-xfree86_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xserver-xfree86_4.1.0-16woody6_powerpc.deb
xspecs_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xspecs_4.1.0-16woody6_all.deb
xterm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xterm_4.1.0-16woody6_powerpc.deb
xutils_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xutils_4.1.0-16woody6_powerpc.deb
xvfb_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xvfb_4.1.0-16woody6_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Branden Robinson <branden@debian.org> (supplier of updated xfree86 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Mar 2005 17:08:14 -0500
Source: xfree86
Binary: xserver-common xlibs-dev xfs xfree86-common xfonts-pex x-window-system xlibmesa-dev xspecs xlibmesa3 xfonts-cyrillic xlibmesa3-dbg xserver-xfree86 xlibs-dbg libxaw6 libxaw7 xterm xvfb xfonts-scalable xfonts-75dpi xlib6g proxymngr libxaw6-dev xlibs-pic libdps1-dbg xlib6g-dev xfonts-base xutils libxaw7-dev xnest xlibs libxaw6-dbg xmh lbxproxy libxaw7-dbg xfonts-base-transcoded xbase-clients xprt xlibosmesa3 x-window-system-core xlibosmesa-dev twm xfwp xfonts-100dpi-transcoded xlibosmesa3-dbg xfonts-100dpi xdm libdps-dev xfonts-75dpi-transcoded libdps1
Architecture: source all powerpc
Version: 4.1.0-16woody6
Distribution: stable-security
Urgency: high
Maintainer: Branden Robinson <branden@debian.org>
Changed-By: Branden Robinson <branden@debian.org>
Description: 
 lbxproxy   - Low Bandwidth X (LBX) proxy server
 libdps-dev - Display PostScript (DPS) client library development files
 libdps1    - Display PostScript (DPS) client library
 libdps1-dbg - Display PostScript (DPS) client library (unstripped)
 libxaw6    - X Athena widget set library (version 6)
 libxaw6-dbg - X Athena widget set library (version 6) (unstripped)
 libxaw6-dev - X Athena widget set library development files (version 6)
 libxaw7    - X Athena widget set library
 libxaw7-dbg - X Athena widget set library (unstripped)
 libxaw7-dev - X Athena widget set library development files
 proxymngr  - X proxy services manager
 twm        - Tab window manager
 x-window-system - X Window System
 x-window-system-core - X Window System core components
 xbase-clients - miscellaneous X clients
 xdm        - X display manager
 xfonts-100dpi - 100 dpi fonts for X
 xfonts-100dpi-transcoded - 100 dpi fonts for X (transcoded from ISO 10646-1)
 xfonts-75dpi - 75 dpi fonts for X
 xfonts-75dpi-transcoded - 75 dpi fonts for X (transcoded from ISO 10646-1)
 xfonts-base - standard fonts for X
 xfonts-base-transcoded - standard fonts for X (transcoded from ISO 10646-1)
 xfonts-cyrillic - Cyrillic fonts for X
 xfonts-pex - fonts for minimal PEX support in X
 xfonts-scalable - scalable fonts for X
 xfree86-common - X Window System (XFree86) infrastructure
 xfs        - X font server
 xfwp       - X firewall proxy server
 xlib6g     - pseudopackage providing X libraries
 xlib6g-dev - pseudopackage providing X library development files
 xlibmesa-dev - XFree86 version of Mesa 3D graphics library development files
 xlibmesa3  - XFree86 version of Mesa 3D graphics library
 xlibmesa3-dbg - XFree86 version of Mesa 3D graphics library (unstripped)
 xlibosmesa-dev - Mesa/XFree86 off-screen rendering library development files
 xlibosmesa3 - Mesa/XFree86 off-screen rendering library
 xlibosmesa3-dbg - Mesa/XFree86 off-screen rendering library (unstripped)
 xlibs      - X Window System client libraries
 xlibs-dbg  - X Window System client libraries (unstripped)
 xlibs-dev  - X Window System client library development files
 xlibs-pic  - X Window System client extension library PIC archives
 xmh        - X interface to the MH mail system
 xnest      - nested X server
 xprt       - X print server
 xserver-common - files and utilities common to all X servers
 xserver-xfree86 - the XFree86 X server
 xspecs     - X protocol, extension, and library technical specifications
 xterm      - X terminal emulator
 xutils     - X Window System utility programs
 xvfb       - virtual framebuffer X server
Closes: 298939
Changes: 
 xfree86 (4.1.0-16woody6) stable-security; urgency=high
 .
   * Security update release.  Resolves the following issue:
     + CAN-2005-0605: Xpm library's scan.c file may allow attackers to execute
       arbitrary code via a negative bitmap_unit value that leads to a buffer
       overflow.  (Closes: #298939)
 .
   * Update patch #076 (XPM library security fixes) to revert regressions in
     functionality caused by overly aggressive validation of filespec strings
     in OpenReadFile() and OpenWriteFile().  (Fixes #286164 for woody.)
Files: 





Message #70 received at 298939-close@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: 298939-close@bugs.debian.org
Subject: Bug#298939: fixed in xfree86 4.1.0-16woody6
Date: Tue, 31 May 2005 16:10:35 -0400
Source: xfree86
Source-Version: 4.1.0-16woody6

We believe that the bug you reported is fixed in the latest version of
xfree86, which is due to be installed in the Debian FTP archive:

lbxproxy_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/lbxproxy_4.1.0-16woody6_powerpc.deb
libdps-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps-dev_4.1.0-16woody6_powerpc.deb
libdps1-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps1-dbg_4.1.0-16woody6_powerpc.deb
libdps1_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libdps1_4.1.0-16woody6_powerpc.deb
libxaw6-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6-dbg_4.1.0-16woody6_powerpc.deb
libxaw6-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6-dev_4.1.0-16woody6_powerpc.deb
libxaw6_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw6_4.1.0-16woody6_powerpc.deb
libxaw7-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7-dbg_4.1.0-16woody6_powerpc.deb
libxaw7-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7-dev_4.1.0-16woody6_powerpc.deb
libxaw7_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/libxaw7_4.1.0-16woody6_powerpc.deb
proxymngr_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/proxymngr_4.1.0-16woody6_powerpc.deb
twm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/twm_4.1.0-16woody6_powerpc.deb
x-window-system-core_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/x-window-system-core_4.1.0-16woody6_powerpc.deb
x-window-system_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/x-window-system_4.1.0-16woody6_all.deb
xbase-clients_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xbase-clients_4.1.0-16woody6_powerpc.deb
xdm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xdm_4.1.0-16woody6_powerpc.deb
xfonts-100dpi-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-100dpi-transcoded_4.1.0-16woody6_all.deb
xfonts-100dpi_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-100dpi_4.1.0-16woody6_all.deb
xfonts-75dpi-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-75dpi-transcoded_4.1.0-16woody6_all.deb
xfonts-75dpi_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-75dpi_4.1.0-16woody6_all.deb
xfonts-base-transcoded_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-base-transcoded_4.1.0-16woody6_all.deb
xfonts-base_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-base_4.1.0-16woody6_all.deb
xfonts-cyrillic_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-cyrillic_4.1.0-16woody6_all.deb
xfonts-pex_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-pex_4.1.0-16woody6_all.deb
xfonts-scalable_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfonts-scalable_4.1.0-16woody6_all.deb
xfree86-common_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xfree86-common_4.1.0-16woody6_all.deb
xfree86_4.1.0-16woody6.diff.gz
  to pool/main/x/xfree86/xfree86_4.1.0-16woody6.diff.gz
xfree86_4.1.0-16woody6.dsc
  to pool/main/x/xfree86/xfree86_4.1.0-16woody6.dsc
xfs_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xfs_4.1.0-16woody6_powerpc.deb
xfwp_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xfwp_4.1.0-16woody6_powerpc.deb
xlib6g-dev_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xlib6g-dev_4.1.0-16woody6_all.deb
xlib6g_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xlib6g_4.1.0-16woody6_all.deb
xlibmesa-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa-dev_4.1.0-16woody6_powerpc.deb
xlibmesa3-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa3-dbg_4.1.0-16woody6_powerpc.deb
xlibmesa3_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibmesa3_4.1.0-16woody6_powerpc.deb
xlibosmesa-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa-dev_4.1.0-16woody6_powerpc.deb
xlibosmesa3-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa3-dbg_4.1.0-16woody6_powerpc.deb
xlibosmesa3_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibosmesa3_4.1.0-16woody6_powerpc.deb
xlibs-dbg_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-dbg_4.1.0-16woody6_powerpc.deb
xlibs-dev_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-dev_4.1.0-16woody6_powerpc.deb
xlibs-pic_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs-pic_4.1.0-16woody6_powerpc.deb
xlibs_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xlibs_4.1.0-16woody6_powerpc.deb
xmh_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xmh_4.1.0-16woody6_powerpc.deb
xnest_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xnest_4.1.0-16woody6_powerpc.deb
xprt_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xprt_4.1.0-16woody6_powerpc.deb
xserver-common_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xserver-common_4.1.0-16woody6_powerpc.deb
xserver-xfree86_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xserver-xfree86_4.1.0-16woody6_powerpc.deb
xspecs_4.1.0-16woody6_all.deb
  to pool/main/x/xfree86/xspecs_4.1.0-16woody6_all.deb
xterm_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xterm_4.1.0-16woody6_powerpc.deb
xutils_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xutils_4.1.0-16woody6_powerpc.deb
xvfb_4.1.0-16woody6_powerpc.deb
  to pool/main/x/xfree86/xvfb_4.1.0-16woody6_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Branden Robinson <branden@debian.org> (supplier of updated xfree86 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Mar 2005 17:08:14 -0500
Source: xfree86
Binary: xserver-common xlibs-dev xfs xfree86-common xfonts-pex x-window-system xlibmesa-dev xspecs xlibmesa3 xfonts-cyrillic xlibmesa3-dbg xserver-xfree86 xlibs-dbg libxaw6 libxaw7 xterm xvfb xfonts-scalable xfonts-75dpi xlib6g proxymngr libxaw6-dev xlibs-pic libdps1-dbg xlib6g-dev xfonts-base xutils libxaw7-dev xnest xlibs libxaw6-dbg xmh lbxproxy libxaw7-dbg xfonts-base-transcoded xbase-clients xprt xlibosmesa3 x-window-system-core xlibosmesa-dev twm xfwp xfonts-100dpi-transcoded xlibosmesa3-dbg xfonts-100dpi xdm libdps-dev xfonts-75dpi-transcoded libdps1
Architecture: source all powerpc
Version: 4.1.0-16woody6
Distribution: stable-security
Urgency: high
Maintainer: Branden Robinson <branden@debian.org>
Changed-By: Branden Robinson <branden@debian.org>
Description: 
 lbxproxy   - Low Bandwidth X (LBX) proxy server
 libdps-dev - Display PostScript (DPS) client library development files
 libdps1    - Display PostScript (DPS) client library
 libdps1-dbg - Display PostScript (DPS) client library (unstripped)
 libxaw6    - X Athena widget set library (version 6)
 libxaw6-dbg - X Athena widget set library (version 6) (unstripped)
 libxaw6-dev - X Athena widget set library development files (version 6)
 libxaw7    - X Athena widget set library
 libxaw7-dbg - X Athena widget set library (unstripped)
 libxaw7-dev - X Athena widget set library development files
 proxymngr  - X proxy services manager
 twm        - Tab window manager
 x-window-system - X Window System
 x-window-system-core - X Window System core components
 xbase-clients - miscellaneous X clients
 xdm        - X display manager
 xfonts-100dpi - 100 dpi fonts for X
 xfonts-100dpi-transcoded - 100 dpi fonts for X (transcoded from ISO 10646-1)
 xfonts-75dpi - 75 dpi fonts for X
 xfonts-75dpi-transcoded - 75 dpi fonts for X (transcoded from ISO 10646-1)
 xfonts-base - standard fonts for X
 xfonts-base-transcoded - standard fonts for X (transcoded from ISO 10646-1)
 xfonts-cyrillic - Cyrillic fonts for X
 xfonts-pex - fonts for minimal PEX support in X
 xfonts-scalable - scalable fonts for X
 xfree86-common - X Window System (XFree86) infrastructure
 xfs        - X font server
 xfwp       - X firewall proxy server
 xlib6g     - pseudopackage providing X libraries
 xlib6g-dev - pseudopackage providing X library development files
 xlibmesa-dev - XFree86 version of Mesa 3D graphics library development files
 xlibmesa3  - XFree86 version of Mesa 3D graphics library
 xlibmesa3-dbg - XFree86 version of Mesa 3D graphics library (unstripped)
 xlibosmesa-dev - Mesa/XFree86 off-screen rendering library development files
 xlibosmesa3 - Mesa/XFree86 off-screen rendering library
 xlibosmesa3-dbg - Mesa/XFree86 off-screen rendering library (unstripped)
 xlibs      - X Window System client libraries
 xlibs-dbg  - X Window System client libraries (unstripped)
 xlibs-dev  - X Window System client library development files
 xlibs-pic  - X Window System client extension library PIC archives
 xmh        - X interface to the MH mail system
 xnest      - nested X server
 xprt       - X print server
 xserver-common - files and utilities common to all X servers
 xserver-xfree86 - the XFree86 X server
 xspecs     - X protocol, extension, and library technical specifications
 xterm      - X terminal emulator
 xutils     - X Window System utility programs
 xvfb       - virtual framebuffer X server
Closes: 298939
Changes: 
 xfree86 (4.1.0-16woody6) stable-security; urgency=high
 .
   * Security update release.  Resolves the following issue:
     + CAN-2005-0605: Xpm library's scan.c file may allow attackers to execute
       arbitrary code via a negative bitmap_unit value that leads to a buffer
       overflow.  (Closes: #298939)
 .
   * Update patch #076 (XPM library security fixes) to revert regressions in
     functionality caused by overly aggressive validation of filespec strings
     in OpenReadFile() and OpenWriteFile().  (Fixes #286164 for woody.)
Files: 







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:58:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.