Debian Bug report logs - #502836
axel: buffer overflow when expanding spaces in URLs
Reported by: Y Giridhar Appaji Nag <appaji@debian.org>
Date: Mon, 20 Oct 2008 06:12:02 UTC
Severity: important
Found in version axel/1.1-2
Fixed in versions axel/2.3-1, axel/1.1-3lenny1
Done: Y Giridhar Appaji Nag <appaji@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <appaji@debian.org>, Philipp Hagemeister <phihag@phihag.de>, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Mon, 20 Oct 2008 06:12:04 GMT).
Message #3 received at submit@bugs.debian.org:
Package: axel
Version: 1.1-2
Severity: important
Philipp Hagemeister found and fixed a buffer overflow in axel.
See
http://alioth.debian.org/tracker/?func=detail&atid=413085&aid=311178&group_id=100070
for details.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (700, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages axel depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
axel recommends no packages.
axel suggests no packages.
-- no debconf information
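Added example, not part of the original report and not axel's code or its fix: the bug class named in the title, where writing each space in a URL as a three-byte hex escape makes the output longer than the input, handled by checking the expanded size before any byte is written. The function names and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: not axel's code. Names are hypothetical. */

/* Bytes needed, including the NUL, once every ' ' becomes "%20". */
size_t expanded_size(const char *src)
{
    size_t n = 1;
    for (; *src; src++)
        n += (*src == ' ') ? 3 : 1;
    return n;
}

/* Copy src to dst with each space written as "%20".
 * Returns 0 on success, -1 if dst_size bytes cannot hold the result.
 * On failure dst holds an empty string, never a truncated URL. */
int expand_spaces(char *dst, size_t dst_size, const char *src)
{
    size_t o = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (expanded_size(src) > dst_size)
        return -1;              /* input fits, expansion would not */
    for (; *src; src++) {
        if (*src == ' ') {
            memcpy(dst + o, "%20", 3);
            o += 3;
        } else {
            dst[o++] = *src;
        }
    }
    dst[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: 7 characters fit an 8-byte buffer as-is,
     * but the expanded form needs 14 bytes. */
    char tight[8], big[32];
    const char *path = "a b c d";
    printf("tight: %d\n", expand_spaces(tight, sizeof tight, path));
    if (expand_spaces(big, sizeof big, path) == 0)
        printf("big:   %s\n", big);
    return 0;
}
```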
Information forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Sat, 13 Dec 2008 12:51:07 GMT).
Message #6 received at 502836@bugs.debian.org:
Hi debian-release,
I would like to do a t-p-u and s-p-u upload for axel to fix this bug.
Please let me know if it is OK.
I spoke to the security team about this and they indicated that this
issue is not serious enough to issue a CVE Id.
Cheers,
On 08/10/20 11:38 +0530, Y Giridhar Appaji Nag said ...
> Severity: important
>
> Philipp Hagemeister found and fixed a buffer overflow in axel.
>
> See
> http://alioth.debian.org/tracker/?func=detail&atid=413085&aid=311178&group_id=100070
> for details.
Giridhar
--
Y Giridhar Appaji Nag | http://appaji.net/
Reply sent
to Y Giridhar Appaji Nag <appaji@debian.org>:
You have taken responsibility.
(Mon, 15 Dec 2008 09:45:07 GMT).
Notification sent
to Y Giridhar Appaji Nag <appaji@debian.org>:
Bug acknowledged by developer.
(Mon, 15 Dec 2008 09:45:08 GMT).
Message #11 received at 502836-close@bugs.debian.org:
Source: axel
Source-Version: 1.1-3lenny1
We believe that the bug you reported is fixed in the latest version of
axel, which is due to be installed in the Debian FTP archive:
axel-dbg_1.1-3lenny1_i386.deb
to pool/main/a/axel/axel-dbg_1.1-3lenny1_i386.deb
axel-kapt_1.1-3lenny1_all.deb
to pool/main/a/axel/axel-kapt_1.1-3lenny1_all.deb
axel_1.1-3lenny1.diff.gz
to pool/main/a/axel/axel_1.1-3lenny1.diff.gz
axel_1.1-3lenny1.dsc
to pool/main/a/axel/axel_1.1-3lenny1.dsc
axel_1.1-3lenny1_i386.deb
to pool/main/a/axel/axel_1.1-3lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 502836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Y Giridhar Appaji Nag <appaji@debian.org> (supplier of updated axel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 15 Dec 2008 14:29:19 +0530
Source: axel
Binary: axel axel-dbg axel-kapt
Architecture: source all i386
Version: 1.1-3lenny1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Y Giridhar Appaji Nag <appaji@debian.org>
Changed-By: Y Giridhar Appaji Nag <appaji@debian.org>
Description:
axel - light download accelerator - console version
axel-dbg - light download accelerator - debugging symbols
axel-kapt - light download accelerator - graphical front-end
Closes: 502836
Changes:
axel (1.1-3lenny1) testing-proposed-updates; urgency=low
.
* Patch 04_http_overflow to fix buffer overflow while translating
characters to hex. Thanks Philipp Hagemeister <phihag@phihag.de>
(Closes: #502836)
* Update Standards-Version to 3.8.0, add README.source
* Remove DM-Upload-Allowed: yes and update Maintainer: to official
Debian ID
Information forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Wed, 17 Dec 2008 09:45:07 GMT).
Message #14 received at 502836@bugs.debian.org:
Hi Release team,
On 08/10/20 11:38 +0530, Y Giridhar Appaji Nag said ...
> Package: axel
> Version: 1.1-2
> Severity: important
>
> Philipp Hagemeister found and fixed a buffer overflow in axel.
Can you please unblock and push axel 1.1-3lenny1 to Lenny for this bug?
This bug affects unstable too but unstable has had 2.0 for a while now,
hence the t-p-u upload.
1.1-3lenny1 has been successfully built on all architectures - as seen
at http://buildd.debian.org/build.php?arch=&pkg=axel
Thanks,
Giridhar
--
Y Giridhar Appaji Nag | http://people.debian.org/~appaji/
Information forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Sat, 20 Dec 2008 11:36:02 GMT).
Message #17 received at 502836@bugs.debian.org:
Hi release team,
More info about my request for pushing 1.1-3lenny1 to lenny from t-p-u:
The changelog looks like this:
axel (1.1-3lenny1) testing-proposed-updates; urgency=low
.
* Patch 04_http_overflow to fix buffer overflow while translating
characters to hex. Thanks Philipp Hagemeister <phihag@phihag.de>
(Closes: #502836)
* Update Standards-Version to 3.8.0, add README.source
* Remove DM-Upload-Allowed: yes and update Maintainer: to official
Debian ID
Giridhar
On 08/12/17 14:55 +0530, Y Giridhar Appaji Nag said ...
>
> On 08/10/20 11:38 +0530, Y Giridhar Appaji Nag said ...
> > Package: axel
> > Version: 1.1-2
> > Severity: important
> >
> > Philipp Hagemeister found and fixed a buffer overflow in axel.
>
> Can you please unblock and push axel 1.1-3lenny1 to Lenny for this bug?
> This bug affects unstable too but unstable has had 2.0 for a while now,
> hence the t-p-u upload.
>
> 1.1-3lenny1 has been successfully built on all architectures - as seen
> at http://buildd.debian.org/build.php?arch=&pkg=axel
--
Y Giridhar Appaji Nag | http://appaji.net/
Information forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Thu, 25 Dec 2008 11:45:03 GMT).
Acknowledgement sent
to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Y Giridhar Appaji Nag <giridhar@appaji.net>.
(Thu, 25 Dec 2008 11:45:03 GMT).
Message #22 received at 502836@bugs.debian.org:
On Sat, Dec 20, 2008 at 05:03:50PM +0530, Y Giridhar Appaji Nag wrote:
> Hi release team,
>
> More info about my request for pushing 1.1-3lenny1 to lenny from t-p-u:
>
Could you please attach a debdiff?
Thanks,
Neil
--
int getRandomNumber() {
return 4; // chosen by fair dice roll. guaranteed to be random.
}
// http://xkcd.com/c221.html
Information forwarded
to debian-bugs-dist@lists.debian.org, Y Giridhar Appaji Nag <giridhar@appaji.net>:
Bug#502836; Package axel.
(Fri, 26 Dec 2008 03:33:02 GMT).
Message #25 received at 502836@bugs.debian.org:
Hi Neil,
On 08/12/25 11:42 +0000, Neil McGovern said ...
> On Sat, Dec 20, 2008 at 05:03:50PM +0530, Y Giridhar Appaji Nag wrote:
> >
> > More info about my request for pushing 1.1-3lenny1 to lenny from t-p-u:
>
> Could you please attach a debdiff?
Attached, but Luk has already unblocked and pushed it to testing.
Thanks
Giridhar
--
Y Giridhar Appaji Nag | http://appaji.net/
[1.1-3-to-1.1-3lenny1.diff (text/x-diff, attachment)]
Message #26 received at 502836-done@bugs.debian.org:
Hi,
This is BTS cleaning.
This bug was fixed in upstream 2.2.
The current 2.4-1 is bug free.
Osamu
Marked as fixed in versions axel/2.3-1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Fri, 01 Nov 2013 01:22:02 GMT).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 29 Nov 2013 07:34:11 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 00:26:49 2017.