Debian Bug report logs - #515118
CVE-2009-0363: multiple buffer overflows that can be remotely triggered


Package: owl; Maintainer for owl is Mark W. Eichin <eichin@thok.org>; Source for owl is src:owl.

Reported by: Sam Hartman <hartmans@debian.org>

Date: Fri, 13 Feb 2009 17:54:01 UTC

Severity: grave

Tags: security

Found in versions owl/2.1.11-2, owl/2.1.8-2.2

Fixed in version owl/2.2.2-1

Done: eichin@thok.org (Mark W. Eichin)

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, eichin@thok.org (Mark W. Eichin):
Bug#515118; Package owl. (Fri, 13 Feb 2009 17:54:03 GMT)

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
New Bug report received and forwarded. Copy sent to eichin@thok.org (Mark W. Eichin). (Fri, 13 Feb 2009 17:54:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2009-0363: multiple buffer overflows that can be remotely triggered
Date: Fri, 13 Feb 2009 12:49:35 -0500
package: owl
Version: 2.1.11-2
severity: grave
Tags: security
Justification: cve-2009-0363

zwrite.c and zcrypt.c contain multiple buffer overflows in calls to sprintf
that appear to be remotely exploitable.

Please see the patch to barnowl 1.0.1-4 for a minimal set of changes that we
think addresses this vulnerability.

However there have been other related changes to barnowl and owl may well have
more vulnerabilities in this area.
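The sprintf idiom the report describes, shown as an added example beside its bounded replacement. This is illustrative code written for this page, not owl's zwrite.c or zcrypt.c: the 64-byte buffer, the "sender: body" format string and the sample inputs are all assumptions, and the unsafe variant is deliberately never called with an oversize input, because that write is undefined behaviour and is exactly the bug.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the demo; owl's real buffer sizes are not on the page. */
#define MSG_BUF 64

/* Constructed format string for a zwrite-style line; not owl's own format. */
static const char *kFmt = "%s: %s";

/* The unsafe idiom: sprintf() writes as many bytes as the arguments require
 * and never looks at the size of dst.  With a remote peer controlling
 * sender or body, any formatted line of MSG_BUF bytes or more (plus the
 * NUL) runs past the end of dst.  Returns the byte count sprintf reports. */
size_t format_unsafe(char dst[MSG_BUF], const char *sender, const char *body)
{
    return (size_t)sprintf(dst, kFmt, sender, body);
}

/* Size the unsafe call would need, computed without writing anything:
 * snprintf(NULL, 0, ...) returns the full formatted length.  The +1 is the
 * terminating NUL.  Compare the result against MSG_BUF to see the overflow. */
size_t bytes_needed(const char *sender, const char *body)
{
    return (size_t)snprintf(NULL, 0, kFmt, sender, body) + 1;
}

/* Hardened form: bound the write with snprintf() and treat truncation as an
 * error instead of silently emitting a clipped line.  Returns 0 on success,
 * -1 (with dst emptied) if the formatted line does not fit in dstlen bytes. */
int format_safe(char *dst, size_t dstlen, const char *sender, const char *body)
{
    int n = snprintf(dst, dstlen, kFmt, sender, body);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed oversize body: 199 'A's, far longer than MSG_BUF. */
const char *oversize_body(void)
{
    static char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int main(void)
{
    char buf[MSG_BUF];

    /* Benign input: both variants behave the same. */
    format_unsafe(buf, "alice", "hi");
    printf("unsafe wrote: \"%s\"\n", buf);
    printf("benign needs %zu bytes, fits=%d\n", bytes_needed("alice", "hi"),
           format_safe(buf, sizeof buf, "alice", "hi") == 0);

    /* Oversize input: report the size the unsafe call would write, and show
     * the bounded call rejecting it, without performing the overflowing write. */
    printf("oversize needs %zu bytes (buffer is %d), fits=%d\n",
           bytes_needed("alice", oversize_body()), MSG_BUF,
           format_safe(buf, sizeof buf, "alice", oversize_body()) == 0);
    return 0;
}
```

The point of rejecting truncation rather than accepting it is that a clipped message is still a protocol-level surprise for the recipient; the caller should drop the line or allocate a buffer sized from bytes_needed() instead.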




Information forwarded to debian-bugs-dist@lists.debian.org, eichin@thok.org (Mark W. Eichin):
Bug#515118; Package owl. (Wed, 18 Feb 2009 17:12:10 GMT)

Acknowledgement sent to Mark Eichin <eichin@thok.org>:
Extra info received and forwarded to list. Copy sent to eichin@thok.org (Mark W. Eichin). (Wed, 18 Feb 2009 17:12:10 GMT)

Message #10 received at 515118@bugs.debian.org:

From: Mark Eichin <eichin@thok.org>
To: Sam Hartman <hartmans@debian.org>
Cc: 515118@bugs.debian.org
Subject: Re: Bug#515118: CVE-2009-0363: multiple buffer overflows that can be remotely triggered
Date: Wed, 18 Feb 2009 12:07:56 -0500
I'll take a look at those patches and also see if upstream is at all
interested.  (Last resort would be a self-immolating
use-barnowl-instead package.)




Bug marked as found in version owl/2.1.8-2.2. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Wed, 25 Feb 2009 05:27:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, eichin@thok.org (Mark W. Eichin):
Bug#515118; Package owl. (Tue, 31 Mar 2009 20:21:02 GMT)

Acknowledgement sent to Mark Eichin <eichin@thok.org>:
Extra info received and forwarded to list. Copy sent to eichin@thok.org (Mark W. Eichin). (Tue, 31 Mar 2009 20:21:02 GMT)

Message #17 received at 515118@bugs.debian.org:

From: Mark Eichin <eichin@thok.org>
To: Sam Hartman <hartmans@debian.org>
Cc: 515118@bugs.debian.org
Subject: Re: Bug#515118: CVE-2009-0363: multiple buffer overflows that can be remotely triggered
Date: Tue, 31 Mar 2009 16:19:45 -0400
FYI I've just heard back from kretch and he's testing a new release,
so we should be able to kick out a new package within the week.




Reply sent to eichin@thok.org (Mark W. Eichin):
You have taken responsibility. (Mon, 13 Apr 2009 05:51:03 GMT)

Notification sent to Sam Hartman <hartmans@debian.org>:
Bug acknowledged by developer. (Mon, 13 Apr 2009 05:51:03 GMT)

Message #22 received at 515118-close@bugs.debian.org:

From: eichin@thok.org (Mark W. Eichin)
To: 515118-close@bugs.debian.org
Subject: Bug#515118: fixed in owl 2.2.2-1
Date: Mon, 13 Apr 2009 05:17:05 +0000
Source: owl
Source-Version: 2.2.2-1

We believe that the bug you reported is fixed in the latest version of
owl, which is due to be installed in the Debian FTP archive:

owl_2.2.2-1.diff.gz
  to pool/main/o/owl/owl_2.2.2-1.diff.gz
owl_2.2.2-1.dsc
  to pool/main/o/owl/owl_2.2.2-1.dsc
owl_2.2.2-1_i386.deb
  to pool/main/o/owl/owl_2.2.2-1_i386.deb
owl_2.2.2.orig.tar.gz
  to pool/main/o/owl/owl_2.2.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 515118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark W. Eichin <eichin@thok.org> (supplier of updated owl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 13 Apr 2009 00:53:12 -0400
Source: owl
Binary: owl
Architecture: source i386
Version: 2.2.2-1
Distribution: unstable
Urgency: low
Maintainer: Mark W. Eichin <eichin@thok.org>
Changed-By: Mark W. Eichin <eichin@thok.org>
Description: 
 owl        - A curses-based tty Zephyr client
Closes: 515118 517019
Changes: 
 owl (2.2.2-1) unstable; urgency=low
 .
   * New upstream release.  The upstream author has become active again and
     has worked with the barnowl developers on security issues. (Closes: #515118)
   * configure.in, debian.control: barnowl updates via Sam Hartman
     eliminate retro libkrb4 and des425 dependencies. (Closes: #517019)
       * Do not link against libkrb4 or libkrb5; we use none of their symbols
       * Support openssl DES for zcrypt so that we continue to have zcrypt
         after libdes425 goes away
       Note: ditched the KerberosIV test entirely to force this version,
       allowing build/test on lenny.
   * zcrypt.c: use des.h again, so we get the openssl one above.
   * from unreleased 2.1.11-3:
       * debian/control: version debhelper depends (lintian
         package-lacks-versioned-build-depends-on-debhelper.)
       * debian/watch: New file.
   * debian/control: add libglib2.0-dev, per configure.in
Checksums-Sha1: 
 d5aea5824db4f2e218bcb94bba6a020b4ddaee8a 1310 owl_2.2.2-1.dsc
 c14f417ad47618f9cdd466b711a0bf9a5b2a8d33 456033 owl_2.2.2.orig.tar.gz
 1d8a52316f5d180d60c52122fcd32587343aef18 11888 owl_2.2.2-1.diff.gz
 c34813a6a3e60772212bd4ec538e46ad8696df63 196512 owl_2.2.2-1_i386.deb
Checksums-Sha256: 
 6624ef369111c03a7d6fb7b98abff3cb5daac02e4623dad2655dc45f73719ba6 1310 owl_2.2.2-1.dsc
 c8f207cfe61028b0425ced7a59b4b914e8010e340ca6d71c2d886a232657592a 456033 owl_2.2.2.orig.tar.gz
 09f9bb56dc43c7a59b32834591a992270388ced7cb9419aac2802660ff9388f9 11888 owl_2.2.2-1.diff.gz
 78926b03ec47d01e59e4264dd1183e37cf4b59db84404b9109620b861dd9ea08 196512 owl_2.2.2-1_i386.deb
Files: 
 d26aa18de8dcd7e9d5d7727712dc416b 1310 net optional owl_2.2.2-1.dsc
 3c00374cb804464e188a35d41eaf63db 456033 net optional owl_2.2.2.orig.tar.gz
 2bee31ed5573515eac934059c6e6b375 11888 net optional owl_2.2.2-1.diff.gz
 47b61ce8374c2b7c608e385e711d59ef 196512 net optional owl_2.2.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBSeLGzOSzrr36rawlAQJq9Af/RzhtR6WV487w0uxXEtA/Sq6JqDv1o4o7
ZWSEYV6LImarC4P+c1ZwNg38bI6lVNega2j4k6z4fyrRfs+F0jFFHrFJz4clDYt6
vDI7SYj284JWH14Fiw1dk+1di0cCIezeyMCjgiLXH+mBoGo0h1FI4XslvkC1GH8G
YntWJdCBddpNc0gbDtpnmy8ZmyidWNBT9zG9LwV8LTSSwNH67ioUahvcRE2+ZTuT
H2X3Fqil/GXK0qEPbnYveVsfwzqbpXyuyUgkv0Jd3iT1iMtG/IM/8RJ6/slB30xT
kNwwG07vBDBpWDEWQ/t7oH22p09VCzwRZ9H04gDlal3KOnPvANo6Kg==
=DwUw
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:07:45 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:22:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.