Debian Bug report logs - #416423
BMP loader integer overflows


Package: xmms; Maintainer for xmms is (unknown);

Reported by: Kees Cook <kees@outflux.net>

Date: Tue, 27 Mar 2007 20:48:07 UTC

Severity: grave

Tags: patch, security

Found in version xmms/1:1.2.10+20070301-1

Fixed in versions xmms/1:1.2.10+20070301-2, xmms/1:1.2.10+20061101-1etch1

Done: Daniel Baumann <dnaiel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>:
Bug#416423; Package xmms. Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@outflux.net>:
New Bug report received and forwarded. Copy sent to Daniel Baumann <daniel@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: BMP loader integer overflows
Date: Tue, 27 Mar 2007 13:45:03 -0700
[Message part 1 (text/plain, inline)]
Package: xmms
Version: 1:1.2.10+20070301-1
Severity: grave
Tags: patch, security

Two CVEs against XMMS exist:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0654

"Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly 
other versions, allows user-assisted remote attackers to execute 
arbitrary code via crafted header information in a skin bitmap image, 
which triggers memory corruption."

Attached is the patch being used in Ubuntu.

-- 
Kees Cook                                            @outflux.net
[50-bmp-loader-overflows.dpatch (text/plain, attachment)]
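
Added example, not part of this thread and not the attached 50-bmp-loader-overflows.dpatch: one way a BMP loader can validate header fields before sizing a pixel buffer, so that crafted width, height, or bit-count values are rejected instead of wrapping the size arithmetic. The function names, the MAX_DIM limit, and the accepted bit depths are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIM 16384u  /* example policy limit, not a value from XMMS or the patch */

static uint32_t rd32(const unsigned char *p) {        /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a 40-byte BITMAPINFOHEADER and compute the pixel-data size.
 * Returns 0 and sets *out on success, -1 if the header must be rejected. */
int bmp_checked_size(const unsigned char *hdr, size_t len, size_t *out) {
    if (len < 40 || rd32(hdr) < 40) return -1;         /* truncated or bogus biSize */
    uint32_t w = rd32(hdr + 4);                        /* biWidth  (signed on disk) */
    uint32_t h = rd32(hdr + 8);                        /* biHeight (negative = top-down) */
    unsigned bpp = hdr[14] | (unsigned)hdr[15] << 8;   /* biBitCount */
    if (h & 0x80000000u) h = 0u - h;                   /* absolute value, no signed overflow */
    if (w == 0 || w > MAX_DIM) return -1;              /* also rejects negative widths */
    if (h == 0 || h > MAX_DIM) return -1;              /* also rejects INT32_MIN */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24) return -1;
    size_t stride = (((size_t)w * bpp + 31) / 32) * 4; /* rows are padded to 4 bytes */
    if (stride > SIZE_MAX / h) return -1;              /* guard stays valid if MAX_DIM is raised */
    *out = stride * h;
    return 0;
}

/* Build a constructed header for testing; all other fields are zero. */
void sample_header(unsigned char *hdr, uint32_t w, uint32_t h, unsigned bpp) {
    uint32_t v[3] = { 40, w, h };
    memset(hdr, 0, 40);
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) hdr[4 * i + b] = (unsigned char)(v[i] >> (8 * b));
    hdr[12] = 1;                                       /* biPlanes */
    hdr[14] = (unsigned char)bpp; hdr[15] = (unsigned char)(bpp >> 8);
}

int main(void) {
    unsigned char hdr[40]; size_t n = 0;
    sample_header(hdr, 275, 116, 24);                  /* constructed, well-formed header */
    int rc = bmp_checked_size(hdr, sizeof hdr, &n);
    printf("275x116x24: rc=%d size=%zu\n", rc, n);
    sample_header(hdr, 0x40000001u, 4, 24);            /* constructed, oversized width */
    rc = bmp_checked_size(hdr, sizeof hdr, &n);
    printf("oversized width: rc=%d\n", rc);
    return 0;
}
```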

Tags added: security Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org. (Wed, 28 Mar 2007 00:27:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>:
Bug#416423; Package xmms. Full text and rfc822 format available.

Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@debian.org>. Full text and rfc822 format available.

Message #12 received at 416423@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel@debian.org>
To: Kees Cook <kees@outflux.net>, 416423@bugs.debian.org
Subject: Re: Bug#416423: BMP loader integer overflows
Date: Wed, 28 Mar 2007 09:08:27 +0200
Kees Cook wrote:
> Attached is the patch being used in Ubuntu.

Thanks Kees, upload is on the way..

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Reply sent to Daniel Baumann <dnaiel@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 416423-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <dnaiel@debian.org>
To: 416423-close@bugs.debian.org
Subject: Bug#416423: fixed in xmms 1:1.2.10+20070301-2
Date: Wed, 28 Mar 2007 07:32:03 +0000
Source: xmms
Source-Version: 1:1.2.10+20070301-2

We believe that the bug you reported is fixed in the latest version of
xmms, which is due to be installed in the Debian FTP archive:

xmms-dev_1.2.10+20070301-2_i386.deb
  to pool/main/x/xmms/xmms-dev_1.2.10+20070301-2_i386.deb
xmms_1.2.10+20070301-2.diff.gz
  to pool/main/x/xmms/xmms_1.2.10+20070301-2.diff.gz
xmms_1.2.10+20070301-2.dsc
  to pool/main/x/xmms/xmms_1.2.10+20070301-2.dsc
xmms_1.2.10+20070301-2_i386.deb
  to pool/main/x/xmms/xmms_1.2.10+20070301-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 416423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <dnaiel@debian.org> (supplier of updated xmms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Mar 2007 09:03:00 +0200
Source: xmms
Binary: xmms-dev xmms
Architecture: source i386
Version: 1:1.2.10+20070301-2
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <dnaiel@debian.org>
Description: 
 xmms       - Versatile X audio player
 xmms-dev   - XMMS development static library and header files
Closes: 416423
Changes: 
 xmms (1:1.2.10+20070301-2) unstable; urgency=high
 .
   * Added patch from Daniel T Chen <crimsun@ubuntu.com> to not break if
     composite extension is enabled.
   * Added patch from Kees Cook <kees@ubuntu.com> to address integer underflow
     CVE-2007-0654 and overflow CVE-2007-0653 in BMP loader (Closes: #416423).
Files: 
 8d85627585c5e8acdcd649da99d3bc4a 1002 sound optional xmms_1.2.10+20070301-2.dsc
 69a0b2f9aa684219d120c01e8c76509b 118138 sound optional xmms_1.2.10+20070301-2.diff.gz
 12080b17e23171a481f1b84113eba3eb 2153996 sound optional xmms_1.2.10+20070301-2_i386.deb
 aa253a9021f944f83b1ee9563739565d 448204 devel optional xmms-dev_1.2.10+20070301-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGChXz+C5cwEsrK54RAlzeAJ9VgskcOIHnZSGzt6NIDYDrldlazQCePp5u
xnS3d+xIdIrJA//R3dDrtZw=
=mFK1
-----END PGP SIGNATURE-----




Reply sent to Daniel Baumann <dnaiel@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 416423-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <dnaiel@debian.org>
To: 416423-close@bugs.debian.org
Subject: Bug#416423: fixed in xmms 1:1.2.10+20061101-1etch1
Date: Wed, 28 Mar 2007 19:02:02 +0000
Source: xmms
Source-Version: 1:1.2.10+20061101-1etch1

We believe that the bug you reported is fixed in the latest version of
xmms, which is due to be installed in the Debian FTP archive:

xmms-dev_1.2.10+20061101-1etch1_i386.deb
  to pool/main/x/xmms/xmms-dev_1.2.10+20061101-1etch1_i386.deb
xmms_1.2.10+20061101-1etch1.diff.gz
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1.diff.gz
xmms_1.2.10+20061101-1etch1.dsc
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1.dsc
xmms_1.2.10+20061101-1etch1_i386.deb
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 416423@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <dnaiel@debian.org> (supplier of updated xmms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Mar 2007 09:03:00 +0200
Source: xmms
Binary: xmms-dev xmms
Architecture: source i386
Version: 1:1.2.10+20061101-1etch1
Distribution: testing-security
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <dnaiel@debian.org>
Description: 
 xmms       - Versatile X audio player
 xmms-dev   - XMMS development static library and header files
Closes: 416423
Changes: 
 xmms (1:1.2.10+20061101-1etch1) testing-security; urgency=high
 .
   * Added patch from Kees Cook <kees@ubuntu.com> to address integer underflow
     CVE-2007-0654 and overflow CVE-2007-0653 in BMP loader (Closes: #416423).
Files: 
 53f8f076ec0cf1d6885e54abfbcf8977 1015 sound optional xmms_1.2.10+20061101-1etch1.dsc
 6e9e688169b3544558982479c44b213d 3565455 sound optional xmms_1.2.10+20061101.orig.tar.gz
 c111f08ee57b9130c7ce74169bae1a53 118018 sound optional xmms_1.2.10+20061101-1etch1.diff.gz
 32d090355f079b7865baa1929fe6631b 2159502 sound optional xmms_1.2.10+20061101-1etch1_i386.deb
 73df76232bc6795b5fb7792ec403c8ad 448102 devel optional xmms-dev_1.2.10+20061101-1etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGCriF+C5cwEsrK54RAh1kAJ0cPvlqmtilRVx8y1qiVoNPyBLUaACfftBm
YmUHS2kjvhVGoCfIwzHnYrU=
=YviZ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:17:16 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:44:11 2014; Machine Name: beach.debian.org
