Debian Bug report logs - #368400
motor: CVE-2005-3863: stack-based buffer overflow

version graph

Package: motor; Maintainer for motor is (unknown);

Reported by: Alec Berryman <alec@thened.net>

Date: Sun, 21 May 2006 22:03:21 UTC

Severity: important

Tags: patch, security

Fixed in version motor/2:3.4.0-6

Done: Krzysztof Krzyzaniak (eloy) <eloy@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Krzysztof Krzyzaniak (eloy) <eloy@debian.org>:
Bug#368400; Package motor. Full text and rfc822 format available.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Krzysztof Krzyzaniak (eloy) <eloy@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: motor: CVE-2005-3863: stack-based buffer overflow
Date: Sun, 21 May 2006 22:21:38 +0100
Package: motor
Severity: important
Tags: security patch

CVE-2005-3863: "Stack-based buffer overflow in kkstrtext.h in ktools
library 0.3 and earlier, as used in products such as (1) centericq, (2)
orpheus, (3) motor, and (4) groan, allows local users or remote
attackers to execute arbitrary code via a long parameter to the
VGETSTRING macro."

The affected macro is VGETSTRING, which is used by (among others)
treeview::addleaff in kkconsui/src/treeview.cc, which is used by (among
others) src/ui/ncurses/uivcs.cc.

This issue appears to affect motor in woody and sarge.

A patch may be found in #340959 [1].  Please mention the CVE in your
changelog.

Thanks,

Alec

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340959



Reply sent to Krzysztof Krzyzaniak (eloy) <eloy@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 368400-close@bugs.debian.org (full text, mbox):

From: Krzysztof Krzyzaniak (eloy) <eloy@debian.org>
To: 368400-close@bugs.debian.org
Subject: Bug#368400: fixed in motor 2:3.4.0-6
Date: Mon, 22 May 2006 02:17:15 -0700
Source: motor
Source-Version: 2:3.4.0-6

We believe that the bug you reported is fixed in the latest version of
motor, which is due to be installed in the Debian FTP archive:

motor-common_3.4.0-6_all.deb
  to pool/main/m/motor/motor-common_3.4.0-6_all.deb
motor-fribidi_3.4.0-6_i386.deb
  to pool/main/m/motor/motor-fribidi_3.4.0-6_i386.deb
motor_3.4.0-6.diff.gz
  to pool/main/m/motor/motor_3.4.0-6.diff.gz
motor_3.4.0-6.dsc
  to pool/main/m/motor/motor_3.4.0-6.dsc
motor_3.4.0-6_i386.deb
  to pool/main/m/motor/motor_3.4.0-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 368400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Krzysztof Krzyzaniak (eloy) <eloy@debian.org> (supplier of updated motor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 May 2006 10:31:16 +0200
Source: motor
Binary: motor motor-fribidi motor-common
Architecture: source all i386
Version: 2:3.4.0-6
Distribution: unstable
Urgency: low
Maintainer: Krzysztof Krzyzaniak (eloy) <eloy@debian.org>
Changed-By: Krzysztof Krzyzaniak (eloy) <eloy@debian.org>
Description: 
 motor      - C/C++/Java Integrated Development Environment
 motor-common - C/C++/Java Integrated Development Environment
 motor-fribidi - C/C++/Java Integrated Development Environment
Closes: 368400
Changes: 
 motor (2:3.4.0-6) unstable; urgency=low
 .
   * Fixed buffer overflow CVE-2005-3863 found by MITRE, (closes: #368400)
     patch taken from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340959
   * debian/watch: added
   * debian/control:
    - Standards-Version: increased to 3.7.2 without additional changes.
Files: 
 04ff8e1b2d8d126756edad2e01c3a66d 736 editors optional motor_3.4.0-6.dsc
 ae1590399af0edb0c8fa51f77e285e22 27174 editors optional motor_3.4.0-6.diff.gz
 e6858ac75dae40288f90718deef27747 336936 editors optional motor-fribidi_3.4.0-6_i386.deb
 a41b8ecee38a9e9b76525b548ea790f9 336926 editors optional motor_3.4.0-6_i386.deb
 b395f6ad12dcfa064f1aabc4aa3be11f 153734 editors optional motor-common_3.4.0-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcX6S+NMfSd6w7DERAguOAJ9IEvmTRhuEwAAYzOPFk7kQGOe6jwCghukI
0pDiedfLd8BbyXx8Hi5BKfI=
=aphy
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 07:52:38 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 13:11:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.