Debian Bug report logs - #318069
[CAN-2005-2096] sash contains statically linked copy of zlib

Package: sash; Maintainer for sash is Tollef Fog Heen <tfheen@debian.org>; Source for sash is src:sash.

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Wed, 13 Jul 2005 08:48:06 UTC

Severity: normal

Tags: security

Found in version 3.7-5

Fixed in version sash/3.7-6

Done: Tollef Fog Heen <tfheen@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#318069; Package sash. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2005-2096] sash contains statically linked copy of zlib
Date: Wed, 13 Jul 2005 10:40:54 +0200

Package: sash
Version: 3.7-5
Severity: normal
Tags: security

/bin/sash seems to contain a statically linked copy of zlib (version
1.2.2).  Please check, and if necessary, advise the security team if an
update for the stable distribution is required.
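
Added example, not part of the bug log or of sash or zlib: one way to carry out the check the report asks for is to search a binary for the version-bearing copyright strings that zlib compiles into its deflate and inflate code. The function names, the `flagged` default (the 1.2.2 named in the report) and the sample bytes are assumptions made for illustration.

```python
import re
import sys

# zlib compiles these marker strings into every binary that links its code:
#   " deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly "
#   " inflate 1.2.2 Copyright 1995-2004 Mark Adler "
ZLIB_MARKER = re.compile(
    rb" (deflate|inflate) (\d+(?:\.\d+){1,3}[0-9A-Za-z.\-]*) Copyright 1995-\d{4} "
)

def embedded_zlib_versions(blob: bytes) -> dict:
    """Map each zlib version found in blob to the components carrying it."""
    found = {}
    for m in ZLIB_MARKER.finditer(blob):
        component, version = m.group(1).decode(), m.group(2).decode()
        found.setdefault(version, set()).add(component)
    return found

def audit(path: str, flagged: frozenset = frozenset({"1.2.2"})) -> list:
    """Return findings for one file; flagged holds the versions to report as affected."""
    with open(path, "rb") as fh:
        blob = fh.read()
    findings = []
    for version, components in sorted(embedded_zlib_versions(blob).items()):
        status = "AFFECTED" if version in flagged else "review"
        findings.append((path, version, ",".join(sorted(components)), status))
    return findings

# Constructed sample: bytes standing in for a static binary, not real sash contents.
SAMPLE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 32
          + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
          + b"\x90" * 16
          + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00")

if __name__ == "__main__":
    # Usage: python scan_zlib.py /bin/sash [more binaries ...]
    for target in sys.argv[1:]:
        for finding in audit(target):
            print("\t".join(finding))
```

A hit in an executable other than libz itself means zlib code was linked or copied in, so that binary has to be rebuilt against a fixed zlib rather than picking up the fix from the shared library.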



Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#318069; Package sash. Full text and rfc822 format available.

Acknowledgement sent to Tollef Fog Heen <tfheen@err.no>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #10 received at 318069@bugs.debian.org (full text, mbox):

From: Tollef Fog Heen <tfheen@err.no>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 318069@bugs.debian.org, security@debian.org
Subject: Re: Bug#318069: [CAN-2005-2096] sash contains statically linked copy of zlib
Date: Thu, 14 Jul 2005 12:21:06 +0200

clone 318069 -1
tags -1 + sarge 
kthxbye

* Florian Weimer 

| /bin/sash seems to contain a statically linked copy of zlib (version
| 1.2.2).  Please check, and if necessary, advise the security team if an
| update for the stable distribution is required.

It appears it will need an update for stable.  

I'm going to make an upload for unstable with tightened build-deps
(sash doesn't have an embedded copy of zlib, just a statically linked
version).  It would be nice if the security team could do the same for
stable.  (And close the cloned bug in that upload.)

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  



Bug 318069 cloned as bug 318246. Request was from Tollef Fog Heen <tfheen@err.no> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#318069; Package sash. Full text and rfc822 format available.

Acknowledgement sent to Michael Stone <mstone@debian.org>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #17 received at 318069@bugs.debian.org (full text, mbox):

From: Michael Stone <mstone@debian.org>
To: Tollef Fog Heen <tfheen@err.no>
Cc: 318069@bugs.debian.org, security@debian.org
Subject: Re: Bug#318069: [CAN-2005-2096] sash contains statically linked copy of zlib
Date: Thu, 14 Jul 2005 06:27:42 -0400

On Thu, Jul 14, 2005 at 12:21:06PM +0200, Tollef Fog Heen wrote:
>| /bin/sash seems to contain a statically linked copy of zlib (version
>| 1.2.2).  Please check, and if necessary, advise the security team if an
>| update for the stable distribution is required.
>
>It appears it will need an update for stable.  
>
>I'm going to make an upload for unstable with tightened build-deps
>(sash doesn't have an embedded copy of zlib, just a statically linked
>version).  It would be nice if the security team could do the same for
>stable.  (And close the cloned bug in that upload.)

What's the security risk? How does sash use zlib?

Mike Stone



Reply sent to Tollef Fog Heen <tfheen@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 318069-close@bugs.debian.org (full text, mbox):

From: Tollef Fog Heen <tfheen@debian.org>
To: 318069-close@bugs.debian.org
Subject: Bug#318069: fixed in sash 3.7-6
Date: Thu, 14 Jul 2005 07:17:08 -0400

Source: sash
Source-Version: 3.7-6

We believe that the bug you reported is fixed in the latest version of
sash, which is due to be installed in the Debian FTP archive:

sash_3.7-6.diff.gz
  to pool/main/s/sash/sash_3.7-6.diff.gz
sash_3.7-6.dsc
  to pool/main/s/sash/sash_3.7-6.dsc
sash_3.7-6_i386.deb
  to pool/main/s/sash/sash_3.7-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 318069@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tollef Fog Heen <tfheen@debian.org> (supplier of updated sash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 14 Jul 2005 12:33:51 +0200
Source: sash
Binary: sash
Architecture: source i386
Version: 3.7-6
Distribution: unstable
Urgency: high
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Changed-By: Tollef Fog Heen <tfheen@debian.org>
Description: 
 sash       - Stand-alone shell
Closes: 294777 317886 318069
Changes: 
 sash (3.7-6) unstable; urgency=high
 .
   * Tighten zlib build-deps to fix security issue (closes: #318069)
   * Add Czech debconf translation (closes: #294777)
   * Add Vietnamese debconf translation (closes: #317886)
Files: 
 909700d18f0c29bc98d98f74a82f06bb 604 shells optional sash_3.7-6.dsc
 be7e259e2c54d90de38b774cf48da1a0 14770 shells optional sash_3.7-6.diff.gz
 d8c389f6ea161a86d41c60679b87ddca 280938 shells optional sash_3.7-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1kGKQSseMYF6mWoRAuQtAKCwWaI/EaeJ4Pshr6RERi8nep8HzwCg4pSu
3hwI/ALVr+p1FtRkBjMIoS8=
=83UO
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>:
Bug#318069; Package sash. Full text and rfc822 format available.

Acknowledgement sent to Tollef Fog Heen <tfheen@err.no>:
Extra info received and forwarded to list. Copy sent to Tollef Fog Heen <tfheen@debian.org>. Full text and rfc822 format available.

Message #27 received at 318069@bugs.debian.org (full text, mbox):

From: Tollef Fog Heen <tfheen@err.no>
To: 318069@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#318069: [CAN-2005-2096] sash contains statically linked copy of zlib
Date: Thu, 14 Jul 2005 14:33:23 +0200

* Michael Stone 

| On Thu, Jul 14, 2005 at 12:21:06PM +0200, Tollef Fog Heen wrote:
| >| /bin/sash seems to contain a statically linked copy of zlib (version
| >| 1.2.2).  Please check, and if necessary, advise the security team if an
| >| update for the stable distribution is required.
| >
| > It appears it will need an update for stable.
| >
| >I'm going to make an upload for unstable with tightened build-deps
| >(sash doesn't have an embedded copy of zlib, just a statically linked
| >version).  It would be nice if the security team could do the same for
| >stable.  (And close the cloned bug in that upload.)
| 
| What's the security risk? How does sash use zlib?

It has a built-in gzip/gunzip command.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 09:39:12 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 10:57:24 2014; Machine Name: beach.debian.org