Debian Bug report logs - #354464
[CVE-2006-0876] popfile remote DoS

Package: popfile; Maintainer for popfile is Lucas Wall <lwall@debian.org>;

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 26 Feb 2006 15:48:16 UTC

Severity: important

Tags: patch, security

Fixed in version popfile/0.22.4-1

Done: Lucas Wall <lwall@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Lucas Wall <lwall@debian.org>:
Bug#354464; Package popfile. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Lucas Wall <lwall@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CVE-2006-0876] popfile remote DoS
Date: Sun, 26 Feb 2006 16:14:54 +0100
Package: popfile
Severity: grave
Tags: security

Cite:
POPFile before 0.22.4 allows remote attackers to cause a denial of
service (application crash) via unspecified vectors involving
character sets within e-mail messages.

see also
http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4

Please quote the CVE number in the Changelog



Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Lucas Wall <lwall@debian.org>:
Bug#354464; Package popfile. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Lucas Wall <lwall@debian.org>. Full text and rfc822 format available.

Message #12 received at submit@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#354464: [CVE-2006-0876] popfile remote DoS
Date: Thu, 2 Mar 2006 00:25:38 +0100
[Message part 1 (text/plain, inline)]
Stefan Fritsch wrote:
> Package: popfile
> Severity: grave
> Tags: security
> 
> Cite:
> POPFile before 0.22.4 allows remote attackers to cause a denial of
> service (application crash) via unspecified vectors involving
> character sets within e-mail messages.
> 
> see also
> http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4
> 
> Please quote the CVE number in the Changelog

It seems that the relevant fix is what I'm attaching to this mail.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
[patch.part002 (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Lucas Wall <lwall@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Lucas Wall <lwall@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 354464-close@bugs.debian.org (full text, mbox):

From: Lucas Wall <lwall@debian.org>
To: 354464-close@bugs.debian.org
Subject: Bug#354464: fixed in popfile 0.22.4-1
Date: Wed, 01 Mar 2006 18:17:06 -0800
Source: popfile
Source-Version: 0.22.4-1

We believe that the bug you reported is fixed in the latest version of
popfile, which is due to be installed in the Debian FTP archive:

popfile_0.22.4-1.diff.gz
  to pool/main/p/popfile/popfile_0.22.4-1.diff.gz
popfile_0.22.4-1.dsc
  to pool/main/p/popfile/popfile_0.22.4-1.dsc
popfile_0.22.4-1_all.deb
  to pool/main/p/popfile/popfile_0.22.4-1_all.deb
popfile_0.22.4.orig.tar.gz
  to pool/main/p/popfile/popfile_0.22.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 354464@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lucas Wall <lwall@debian.org> (supplier of updated popfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  1 Mar 2006 22:29:05 -0300
Source: popfile
Binary: popfile
Architecture: source all
Version: 0.22.4-1
Distribution: unstable
Urgency: low
Maintainer: Lucas Wall <lwall@debian.org>
Changed-By: Lucas Wall <lwall@debian.org>
Description: 
 popfile    - email classification tool
Closes: 309231 316978 344004 354464
Changes: 
 popfile (0.22.4-1) unstable; urgency=low
 .
   * New upstream release
   * Fixed DOS attack via unspecified vectors involving character sets
     within e-mail messages. [CVE-2006-0876] (closes: #354464)
   * Vietnamese debconf template translation. (closes: #316978)
   * Czech debconf template translation. (closes: #309231)
   * Swedish debconf template translation. (closes: #344004)
Files: 
 5b61c8e3a847952af835c905939a7b30 577 mail optional popfile_0.22.4-1.dsc
 3771d0b6a65fe924564b977d95d1343d 1499418 mail optional popfile_0.22.4.orig.tar.gz
 a45fe564ea540f31d662357c87ee6e66 15740 mail optional popfile_0.22.4-1.diff.gz
 888632e6a1c65d95cb14cb6a2d88f97b 1487344 mail optional popfile_0.22.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEBlI9vJtHM4T7RtYRAlABAJ9c5qPVGETn5rE7XIVdYDmGfJ9k8ACgmMfj
mE18IoxYjt3XMi8R13Cw5Yk=
=CQiR
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#354464; Package popfile. Full text and rfc822 format available.

Acknowledgement sent to Lucas Wall <lwall@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #24 received at 354464@bugs.debian.org (full text, mbox):

From: Lucas Wall <lwall@debian.org>
To: Martin Schulze <joey@infodrom.org>, 354464@bugs.debian.org
Subject: Re: Bug#354464: [CVE-2006-0876] popfile remote DoS
Date: Thu, 02 Mar 2006 09:53:29 -0300
[Message part 1 (text/plain, inline)]
On 03/01/2006 08:25 PM, Martin Schulze wrote:
> Stefan Fritsch wrote:
> 
>>Package: popfile
>>Severity: grave
>>Tags: security
>>
>>Cite:
>>POPFile before 0.22.4 allows remote attackers to cause a denial of
>>service (application crash) via unspecified vectors involving
>>character sets within e-mail messages.
>>
>>see also
>>http://popfile.sourceforge.net/cgi-bin/wiki.pl?ReleaseNotes/0.22.4
>>
>>Please quote the CVE number in the Changelog
> 
> 
> It seems that the relevant fix is what I'm attaching to this mail.

The patch looks good. I've already uploaded the new upstream version
that fixes the problem to unstable. Can I do anything to assist the
security team with the other upload?

K.-

-- 
Lucas Wall <kthulhu@kadath.com.ar>      .''`.
Buenos Aires, Argentina                : :ø :   Debian GNU/Linux
http://www.kadath.com.ar               `. `'  http://www.debian.org
PGP: 1024D/84FB46D6                      `-
     5D25 528A 83AB 489B 356A        http://people.debian.org/~lwall
     4087 BC9B 4733 84FB 46D6        mailto:lwall@debian.org

[signature.asc (application/pgp-signature, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 05:52:39 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:24:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.