Debian Bug report logs - #330364
helix-player: Helix Player Remote Format String Exploit

Package: helix-player; Maintainer for helix-player is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Tue, 27 Sep 2005 18:48:02 UTC

Severity: grave

Tags: security

Fixed in version helix-player/1.0.6-1

Done: Daniel Baumann <daniel.baumann@panthera-systems.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: helix-player: Helix Player Remote Format String Exploit
Date: Tue, 27 Sep 2005 20:32:38 +0200
Package: helix-player
Severity: grave
Tags: security
Justification: user security hole

According to http://www.open-security.org/advisories/13, there is
another remote vulnerability in helix player.



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.3-k1
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #10 received at 330364@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Stefan Fritsch <sf@sfritsch.de>, 330364@bugs.debian.org
Subject: Re: Bug#330364: helix-player: Helix Player Remote Format String Exploit
Date: Tue, 27 Sep 2005 20:50:44 +0200

This will be helix-player 1.0.6, but that is not publicly available atm.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #15 received at 330364@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 330364@bugs.debian.org
Subject: Re: Bug#330364: helix-player: Helix Player Remote Format String Exploit
Date: Tue, 27 Sep 2005 14:55:10 -0400
On Tue, Sep 27, 2005 at 08:32:38PM +0200, Stefan Fritsch wrote:
> According to http://www.open-security.org/advisories/13, there is
> another remote vulnerability in helix player.

Acknowledged.  Is there any word about a fix?

noah

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #20 received at 330364@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Noah Meyerhans <noahm@debian.org>, 330364@bugs.debian.org
Subject: Re: Bug#330364: helix-player: Helix Player Remote Format String Exploit
Date: Tue, 27 Sep 2005 21:09:50 +0200
Noah Meyerhans wrote:
> Acknowledged.  Is there any word about a fix?

There will be a fixed version, called 1.0.6. As soon as it is available,
I will prepare a fixed package both for sid and sarge.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #25 received at 330364@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 330364@bugs.debian.org
Cc: Noah Meyerhans <noahm@debian.org>
Subject: Helix Player 1.0.6
Date: Thu, 29 Sep 2005 13:05:22 +0200
Helix Player 1.0.6 does fix the mentioned security problem.

Because Noah said he will prepare the stable-security package (and
packages by me seem not to be considered), I only made the package for
sid so far.

It is in the usual place at
http://archive.daniel-baumann.ch/debian/packages/helix-player/ and will
be uploaded today.

For sarge: As usual, there is no broken-out patch available, so one has
to pull it oneself from the 1.0.6 tarball.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #30 received at 330364@bugs.debian.org (full text, mbox):

From: Noah Meyerhans <noahm@debian.org>
To: Daniel Baumann <daniel.baumann@panthera-systems.net>
Cc: 330364@bugs.debian.org
Subject: Re: Helix Player 1.0.6
Date: Thu, 29 Sep 2005 08:53:53 -0400
On Thu, Sep 29, 2005 at 01:05:22PM +0200, Daniel Baumann wrote:
> For sarge: As usual, there is no broken-out patch available, so one has
> to pull it oneself from the 1.0.6 tarball.

I've already done it.  The packages are built and the advisory is on its
way.

noah

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@panthera-systems.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #35 received at 330364@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: Noah Meyerhans <noahm@debian.org>
Cc: 330364@bugs.debian.org
Subject: Re: Helix Player 1.0.6
Date: Thu, 29 Sep 2005 14:59:45 +0200
Noah Meyerhans wrote:
> I've already done it.  The packages are built and the advisory is on its
> way.

Thank you.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Reply sent to Daniel Baumann <daniel.baumann@panthera-systems.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 330364-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@panthera-systems.net>
To: 330364-close@bugs.debian.org
Subject: Bug#330364: fixed in helix-player 1.0.6-1
Date: Thu, 29 Sep 2005 08:17:17 -0700
Source: helix-player
Source-Version: 1.0.6-1

We believe that the bug you reported is fixed in the latest version of
helix-player, which is due to be installed in the Debian FTP archive:

helix-player_1.0.6-1.diff.gz
  to pool/main/h/helix-player/helix-player_1.0.6-1.diff.gz
helix-player_1.0.6-1.dsc
  to pool/main/h/helix-player/helix-player_1.0.6-1.dsc
helix-player_1.0.6-1_i386.deb
  to pool/main/h/helix-player/helix-player_1.0.6-1_i386.deb
helix-player_1.0.6.orig.tar.gz
  to pool/main/h/helix-player/helix-player_1.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 330364@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@panthera-systems.net> (supplier of updated helix-player package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thr, 29 Sep 2005 11:39:00 +0200
Source: helix-player
Binary: helix-player
Architecture: source i386
Version: 1.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@panthera-systems.net>
Changed-By: Daniel Baumann <daniel.baumann@panthera-systems.net>
Description: 
 helix-player - The Helix Community's open source media player
Closes: 330364
Changes: 
 helix-player (1.0.6-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes security problems addressed in CAN-2005-2170 (Closes: #330364).
Files: 
 09d324e9f9ec81927e5bbf8d9f62aa13 967 graphics optional helix-player_1.0.6-1.dsc
 788928c4a8dc183fd5d994ecb7fefa57 18229003 graphics optional helix-player_1.0.6.orig.tar.gz
 6054c1c14b2d729bb020fd0be7a55ac6 7568 graphics optional helix-player_1.0.6-1.diff.gz
 7af65436f485b6ecb02c19fc8dd07573 4208756 graphics optional helix-player_1.0.6-1_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#330364; Package helix-player. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #45 received at 330364@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 330364@bugs.debian.org
Subject: Helix Player Remote Format String Exploit
Date: Wed, 19 Oct 2005 22:25:59 +0200
* Debian Bug Tracking System:
>    * New upstream release:
>      - fixes security problems addressed in CAN-2005-2170 (Closes: #330364).

This CAN is incorrect, the correct one is CAN-2005-2710.  Please fix
the changelog in the next upload.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 05:45:39 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:07:15 2014; Machine Name: buxtehude.debian.org
