Debian Bug report logs - #448853
CVE-2007-5740 format string vulnerability

version graph

Package: perdition; Maintainer for perdition is Simon Horman <horms@debian.org>; Source for perdition is src:perdition.

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 1 Nov 2007 12:48:02 UTC

Severity: grave

Tags: patch, security

Fixed in version 1.17.1-1

Done: Simon Horman <horms@verge.net.au>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>:
Bug#448853; Package perdition. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Simon Horman <horms@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: format string vulnerability
Date: Thu, 1 Nov 2007 13:45:40 +0100
[Message part 1 (text/plain, inline)]
Package: perdition
Severity: grave
Tags: security

Hi,
"Perdition IMAPD is affected by a format string bug in one of its IMAP 
output-string formatting functions. The bug allows the execution of 
arbitrary code on the affected server. A successful exploit does not 
require prior authentication."

For more information see:
http://seclists.org/bugtraq/2007/Oct/0443.html

Solution: update to 0.17.1

A CVE id for this is pending.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>:
Bug#448853; Package perdition. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Simon Horman <horms@debian.org>. Full text and rfc822 format available.

Message #10 received at 448853@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448853@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: format string vulnerability
Date: Thu, 1 Nov 2007 13:49:22 +0100
[Message part 1 (text/plain, inline)]
tags 448853 + patch
thanks

Hi,
not 0.17.1 but 1.17.1, sorry.
A patch for this can be found on:
http://perdition.cvs.sourceforge.net/perdition/perdition/perdition/imap4_in.c?r1=1.45&r2=1.46

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 12:51:06 GMT) Full text and rfc822 format available.

Changed Bug title to `CVE-2007-5740 format string vulnerability' from `format string vulnerability'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 12:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Horman <horms@debian.org>:
Bug#448853; Package perdition. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Simon Horman <horms@debian.org>. Full text and rfc822 format available.

Message #19 received at 448853@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448853@bugs.debian.org
Subject: perdition format string vulnerability
Date: Thu, 1 Nov 2007 14:12:38 +0100
[Message part 1 (text/plain, inline)]
Hi,
this is CVE-2007-5740, if you fix this bug, please include 
the CVE id in your changelog.
Thanks
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Simon Horman <horms@verge.net.au>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 448853-done@bugs.debian.org (full text, mbox):

From: Simon Horman <horms@verge.net.au>
To: 448853-done@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: Processed: retitle 448853 to CVE-2007-5740 format string vulnerability
Date: Thu, 1 Nov 2007 22:20:18 +0900
Version: 1.17.1-1

Fixed in 1.17.1-1 which was uploaded earlier today.
Will also be fixed in packages that have been prepared for
stable and oldstable, 1.17-7etch1 and 1.15-5sarge1 respectively.

-- 
Horms
  H: http://www.vergenet.net/~horms/
  W: http://www.valinux.co.jp/en/





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:30:04 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:02:21 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.