Debian Bug report logs - #520046
glib2.0: CVE-2008-4316 large string vulnerability

version graph

Package: glib2.0; Maintainer for glib2.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 17 Mar 2009 01:06:01 UTC

Severity: grave

Tags: security

Fixed in versions 2.20.0-1, glib2.0/2.16.6-1+lenny1, glib2.0/2.12.4-2+etch1

Done: Sebastian Dröge <slomo@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#520046; Package glib2.0. (Tue, 17 Mar 2009 01:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>. (Tue, 17 Mar 2009 01:06:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: glib2.0: CVE-2008-4316 large string vulnerability
Date: Mon, 16 Mar 2009 21:02:14 -0400
package: glib2.0
severity: grave
tags: security

it has been found that libsoup is vulnerable to an integer overflow
attack, see CVE-2008-4316 [1].  details are:

  Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
  context-dependent attackers to execute arbitrary code via a long
  string that is converted either (1) from or (2) to a base64
  representation.

since this potentially allows remote attackers to execute arbitrary
code, it should be treated with high urgency.

this was just fixed in ubuntu, so it may be possible to adopt their
patch [2].

note that bug #520039 in libsoup is related (an exact code copy).

if you fix these vulnerabilities, please make sure to include the CVE
id in your changelog.  please contact the security team to coordinate
a fix for stable and/or if you have any questions.

regards,
mike

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
[2] http://www.ubuntu.com/usn/USN-738-1




Reply sent to Sebastian Dröge <slomo@circular-chaos.org>:
You have taken responsibility. (Tue, 17 Mar 2009 09:51:05 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 17 Mar 2009 09:51:05 GMT) Full text and rfc822 format available.

Message #10 received at 520046-done@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@circular-chaos.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 520046-done@bugs.debian.org
Subject: Re: Bug#520046: glib2.0: CVE-2008-4316 large string vulnerability
Date: Tue, 17 Mar 2009 10:44:09 +0100
[Message part 1 (text/plain, inline)]
Version: 2.20.0-1

Am Montag, den 16.03.2009, 21:02 -0400 schrieb Michael Gilbert:
> package: glib2.0
> severity: grave
> tags: security
> 
> it has been found that libsoup is vulnerable to an integer overflow
> attack, see CVE-2008-4316 [1].  details are:
> 
>   Multiple integer overflows in glib/gbase64.c in GLib before 2.20 allow
>   context-dependent attackers to execute arbitrary code via a long
>   string that is converted either (1) from or (2) to a base64
>   representation.

So this is already fixed in unstable with glib 2.20.0, actually this was
the reason why I updated it ASAP. Now only an update for stable is
necessary, right?

The upstream fix is
http://svn.gnome.org/viewvc/glib?view=revision&revision=7973 btw...



[signature.asc (application/pgp-signature, inline)]

Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Mon, 23 Mar 2009 08:18:07 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 23 Mar 2009 08:18:07 GMT) Full text and rfc822 format available.

Message #15 received at 520046-close@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@debian.org>
To: 520046-close@bugs.debian.org
Subject: Bug#520046: fixed in glib2.0 2.16.6-1+lenny1
Date: Mon, 23 Mar 2009 07:53:42 +0000
Source: glib2.0
Source-Version: 2.16.6-1+lenny1

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:

glib2.0_2.16.6-1+lenny1.diff.gz
  to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.diff.gz
glib2.0_2.16.6-1+lenny1.dsc
  to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.dsc
libgio-fam_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libgio-fam_2.16.6-1+lenny1_amd64.deb
libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
libglib2.0-0_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0_2.16.6-1+lenny1_amd64.deb
libglib2.0-data_2.16.6-1+lenny1_all.deb
  to pool/main/g/glib2.0/libglib2.0-data_2.16.6-1+lenny1_all.deb
libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
libglib2.0-doc_2.16.6-1+lenny1_all.deb
  to pool/main/g/glib2.0/libglib2.0-doc_2.16.6-1+lenny1_all.deb
libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
  to pool/main/g/glib2.0/libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 17 Mar 2009 13:40:17 +0100
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-udeb libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam
Architecture: source all amd64
Version: 2.16.6-1+lenny1
Distribution: stable-security
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 libgio-fam - GLib Input, Output and Streaming Library (fam module)
 libglib2.0-0 - The GLib library of C routines
 libglib2.0-0-dbg - The GLib libraries and debugging symbols
 libglib2.0-data - Common files for GLib library
 libglib2.0-dev - Development files for the GLib library
 libglib2.0-doc - Documentation files for the GLib library
 libglib2.0-udeb - The GLib library of C routines - minimal runtime (udeb)
Closes: 520046
Changes: 
 glib2.0 (2.16.6-1+lenny1) stable-security; urgency=low
 .
   * SECURITY: 12_base64-overflow-CVE-2008-4316.patch:
     + Possible arbitrary code execution when processing large Base64 strings.
       Patch from upstream SVN, fixes CVS-2008-4316 (Closes: #520046).
Checksums-Sha1: 
 ef41031a66f10049f9a76246ff122cb028559db5 1475 glib2.0_2.16.6-1+lenny1.dsc
 c4a0a564cced1f1af1280294503da4d9c82616a8 6491460 glib2.0_2.16.6.orig.tar.gz
 e9efad0dbaf0e9b45d016ef91a5379bea307bee1 32351 glib2.0_2.16.6-1+lenny1.diff.gz
 5f3fbc3148a6e6ff0ef7e39cbfeb6a4023280d05 699192 libglib2.0-data_2.16.6-1+lenny1_all.deb
 56d45e558a99f2599fea371fdcdbfc3e8104b1ab 1157604 libglib2.0-doc_2.16.6-1+lenny1_all.deb
 e415966fa0d597d9dc01c48f9f4560ac52fd3cc8 826938 libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 a85997c7a34b3a4f2c8f427ee93b5ad1811ee8d9 1310078 libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 721ba79b29e22dfff6397c0e3ef176f667356489 989946 libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 4ae74266bb44dbe012b7234357b51ec48636893e 1206420 libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 420b78934ee252d4b550c481f3e35807b2f46749 46542 libgio-fam_2.16.6-1+lenny1_amd64.deb
Checksums-Sha256: 
 0e1aa8c2efb5c7ba81c149d7827fde908cf65150a5d946c61f95f03dc917d3fc 1475 glib2.0_2.16.6-1+lenny1.dsc
 977d5720f7f43a76261804e79cade381fa874385a45bf52a9cc4440106256f88 6491460 glib2.0_2.16.6.orig.tar.gz
 481d3b9a1504c3f345fd4c8565f381a2aa2b0e2b4c46fc14075dfbd71baa8a7a 32351 glib2.0_2.16.6-1+lenny1.diff.gz
 04d52f677fb61ab6734a4980b08ba11c49c6a1cadea939bb4460cff887496d98 699192 libglib2.0-data_2.16.6-1+lenny1_all.deb
 c9a71b104464cdcef768095c4dc4fceb3ff583e1243be0e36c0a95fcff7f5da4 1157604 libglib2.0-doc_2.16.6-1+lenny1_all.deb
 08ff051800593d58a27f23ae873e1078d13d573a6486b6cf795a8e5f7dc2f586 826938 libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 f6b360b8713a57063f62c6afe0903902e9e877f0798239b3c9bc51662e15d5c6 1310078 libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 f648c22d8264ee05aa3c2d2f67c8ae4da5d394849d30460a34b63ed3892c83d5 989946 libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 0e000649e833520181a62374d984fbc308e37594ca628a01543b19f7fe4b70b8 1206420 libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 0fd5d9264484ebfa5909a492b6fe4f43d018d90f6327efb9982c31239d45462c 46542 libgio-fam_2.16.6-1+lenny1_amd64.deb
Files: 
 59ca34e703bf0a798746cdeca3a2c051 1475 libs optional glib2.0_2.16.6-1+lenny1.dsc
 65c594a471406a377bee8171a2ea43d4 6491460 libs optional glib2.0_2.16.6.orig.tar.gz
 22cac59cf4481cdddc9802be93dc4100 32351 libs optional glib2.0_2.16.6-1+lenny1.diff.gz
 9edb95995e450eb2609589b2606c8e6b 699192 misc optional libglib2.0-data_2.16.6-1+lenny1_all.deb
 ab17084a6d7d448c1316d6e247ae5cdc 1157604 doc optional libglib2.0-doc_2.16.6-1+lenny1_all.deb
 87687e0cd4a03c7fbcaebad25ca07436 826938 libs optional libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 14bbc4e19f36469df8d57ab454a5daf0 1310078 debian-installer optional libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 66e6c9941573937ffc015fe4356d1b81 989946 libdevel optional libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 16cfc02b6ff9d1c25ecd72a25c0dd404 1206420 libdevel extra libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 8cbe7a8cd81a83ac4362b85b6c8b563c 46542 libs optional libgio-fam_2.16.6-1+lenny1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm/qeYACgkQBsBdh1vkHyGfugCdHFI8Hazk29pHoxlWDE7/APYY
YPYAoJeQF+0JuNQJv3VU99MHwF3KkpGU
=jQle
-----END PGP SIGNATURE-----





Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Tue, 24 Mar 2009 08:24:10 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 24 Mar 2009 08:24:10 GMT) Full text and rfc822 format available.

Message #20 received at 520046-close@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@debian.org>
To: 520046-close@bugs.debian.org
Subject: Bug#520046: fixed in glib2.0 2.12.4-2+etch1
Date: Tue, 24 Mar 2009 07:54:12 +0000
Source: glib2.0
Source-Version: 2.12.4-2+etch1

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:

glib2.0_2.12.4-2+etch1.diff.gz
  to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.diff.gz
glib2.0_2.12.4-2+etch1.dsc
  to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.dsc
libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
libglib2.0-0_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0_2.12.4-2+etch1_amd64.deb
libglib2.0-data_2.12.4-2+etch1_all.deb
  to pool/main/g/glib2.0/libglib2.0-data_2.12.4-2+etch1_all.deb
libglib2.0-dev_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-dev_2.12.4-2+etch1_amd64.deb
libglib2.0-doc_2.12.4-2+etch1_all.deb
  to pool/main/g/glib2.0/libglib2.0-doc_2.12.4-2+etch1_all.deb
libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
  to pool/main/g/glib2.0/libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Mar 2009 13:36:50 +0100
Source: glib2.0
Binary: libglib2.0-0-dbg libglib2.0-udeb libglib2.0-data libglib2.0-dev libglib2.0-doc libglib2.0-0
Architecture: source amd64 all
Version: 2.12.4-2+etch1
Distribution: oldstable-security
Urgency: low
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 libglib2.0-0 - The GLib library of C routines
 libglib2.0-0-dbg - The GLib libraries and debugging symbols
 libglib2.0-data - Common files for GLib library
 libglib2.0-dev - Development files for the GLib library
 libglib2.0-doc - Documentation files for the GLib library
 libglib2.0-udeb - The GLib library of C routines (udeb)
Closes: 520046
Changes: 
 glib2.0 (2.12.4-2+etch1) oldstable-security; urgency=low
 .
   * SECURITY: 012_base64-overflow-CVE-2008-4316.patch:
     + Possible arbitrary code execution when processing large Base64 strings.
       Patch from upstream SVN, fixes CVS-2008-4316 (Closes: #520046).
Files: 
 18cae69e02a1227e09226857626c0533 1499 libs optional glib2.0_2.12.4-2+etch1.dsc
 d121999e4cdfdc68621e3eb23f66cd66 3838981 libs optional glib2.0_2.12.4.orig.tar.gz
 9b22fc1fa8d82aded0a08cc9a7a6f55d 18438 libs optional glib2.0_2.12.4-2+etch1.diff.gz
 f30d726d7a8aa293c9b4c5b864b61ce6 285378 misc optional libglib2.0-data_2.12.4-2+etch1_all.deb
 275321184f9ed1e0edb0a6a26f477836 737208 doc optional libglib2.0-doc_2.12.4-2+etch1_all.deb
 4796b12af73cbe7c18ce91cf300f9049 547570 libs optional libglib2.0-0_2.12.4-2+etch1_amd64.deb
 735a0b44ed7edf2eac961beae0046b43 656440 debian-installer optional libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
 44d3bded85806ec86c1da38350791e39 595848 libdevel optional libglib2.0-dev_2.12.4-2+etch1_amd64.deb
 561ab303f654edd1c3da1e854eb1c162 605210 libdevel extra libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm/qI0ACgkQBsBdh1vkHyGp1QCfUjKSwZKN72IJ3ZLyuhP/smG4
UEsAnAy84Gr5A5diQRpEr2V8BDS7H00d
=afBH
-----END PGP SIGNATURE-----





Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Thu, 09 Apr 2009 16:48:06 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 09 Apr 2009 16:48:06 GMT) Full text and rfc822 format available.

Message #25 received at 520046-close@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@debian.org>
To: 520046-close@bugs.debian.org
Subject: Bug#520046: fixed in glib2.0 2.12.4-2+etch1
Date: Thu, 09 Apr 2009 16:40:54 +0000
Source: glib2.0
Source-Version: 2.12.4-2+etch1

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:

glib2.0_2.12.4-2+etch1.diff.gz
  to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.diff.gz
glib2.0_2.12.4-2+etch1.dsc
  to pool/main/g/glib2.0/glib2.0_2.12.4-2+etch1.dsc
libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
libglib2.0-0_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0_2.12.4-2+etch1_amd64.deb
libglib2.0-data_2.12.4-2+etch1_all.deb
  to pool/main/g/glib2.0/libglib2.0-data_2.12.4-2+etch1_all.deb
libglib2.0-dev_2.12.4-2+etch1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-dev_2.12.4-2+etch1_amd64.deb
libglib2.0-doc_2.12.4-2+etch1_all.deb
  to pool/main/g/glib2.0/libglib2.0-doc_2.12.4-2+etch1_all.deb
libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
  to pool/main/g/glib2.0/libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Mar 2009 13:36:50 +0100
Source: glib2.0
Binary: libglib2.0-0-dbg libglib2.0-udeb libglib2.0-data libglib2.0-dev libglib2.0-doc libglib2.0-0
Architecture: source amd64 all
Version: 2.12.4-2+etch1
Distribution: oldstable-security
Urgency: low
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 libglib2.0-0 - The GLib library of C routines
 libglib2.0-0-dbg - The GLib libraries and debugging symbols
 libglib2.0-data - Common files for GLib library
 libglib2.0-dev - Development files for the GLib library
 libglib2.0-doc - Documentation files for the GLib library
 libglib2.0-udeb - The GLib library of C routines (udeb)
Closes: 520046
Changes: 
 glib2.0 (2.12.4-2+etch1) oldstable-security; urgency=low
 .
   * SECURITY: 012_base64-overflow-CVE-2008-4316.patch:
     + Possible arbitrary code execution when processing large Base64 strings.
       Patch from upstream SVN, fixes CVS-2008-4316 (Closes: #520046).
Files: 
 18cae69e02a1227e09226857626c0533 1499 libs optional glib2.0_2.12.4-2+etch1.dsc
 d121999e4cdfdc68621e3eb23f66cd66 3838981 libs optional glib2.0_2.12.4.orig.tar.gz
 9b22fc1fa8d82aded0a08cc9a7a6f55d 18438 libs optional glib2.0_2.12.4-2+etch1.diff.gz
 f30d726d7a8aa293c9b4c5b864b61ce6 285378 misc optional libglib2.0-data_2.12.4-2+etch1_all.deb
 275321184f9ed1e0edb0a6a26f477836 737208 doc optional libglib2.0-doc_2.12.4-2+etch1_all.deb
 4796b12af73cbe7c18ce91cf300f9049 547570 libs optional libglib2.0-0_2.12.4-2+etch1_amd64.deb
 735a0b44ed7edf2eac961beae0046b43 656440 debian-installer optional libglib2.0-udeb_2.12.4-2+etch1_amd64.udeb
 44d3bded85806ec86c1da38350791e39 595848 libdevel optional libglib2.0-dev_2.12.4-2+etch1_amd64.deb
 561ab303f654edd1c3da1e854eb1c162 605210 libdevel extra libglib2.0-0-dbg_2.12.4-2+etch1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm/qI0ACgkQBsBdh1vkHyGp1QCfUjKSwZKN72IJ3ZLyuhP/smG4
UEsAnAy84Gr5A5diQRpEr2V8BDS7H00d
=afBH
-----END PGP SIGNATURE-----





Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility. (Sat, 11 Apr 2009 17:39:15 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:39:15 GMT) Full text and rfc822 format available.

Message #30 received at 520046-close@bugs.debian.org (full text, mbox):

From: Sebastian Dröge <slomo@debian.org>
To: 520046-close@bugs.debian.org
Subject: Bug#520046: fixed in glib2.0 2.16.6-1+lenny1
Date: Sat, 11 Apr 2009 16:47:14 +0000
Source: glib2.0
Source-Version: 2.16.6-1+lenny1

We believe that the bug you reported is fixed in the latest version of
glib2.0, which is due to be installed in the Debian FTP archive:

glib2.0_2.16.6-1+lenny1.diff.gz
  to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.diff.gz
glib2.0_2.16.6-1+lenny1.dsc
  to pool/main/g/glib2.0/glib2.0_2.16.6-1+lenny1.dsc
libgio-fam_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libgio-fam_2.16.6-1+lenny1_amd64.deb
libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
libglib2.0-0_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-0_2.16.6-1+lenny1_amd64.deb
libglib2.0-data_2.16.6-1+lenny1_all.deb
  to pool/main/g/glib2.0/libglib2.0-data_2.16.6-1+lenny1_all.deb
libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
  to pool/main/g/glib2.0/libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
libglib2.0-doc_2.16.6-1+lenny1_all.deb
  to pool/main/g/glib2.0/libglib2.0-doc_2.16.6-1+lenny1_all.deb
libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
  to pool/main/g/glib2.0/libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520046@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated glib2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 17 Mar 2009 13:40:17 +0100
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-udeb libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam
Architecture: source all amd64
Version: 2.16.6-1+lenny1
Distribution: stable-security
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 libgio-fam - GLib Input, Output and Streaming Library (fam module)
 libglib2.0-0 - The GLib library of C routines
 libglib2.0-0-dbg - The GLib libraries and debugging symbols
 libglib2.0-data - Common files for GLib library
 libglib2.0-dev - Development files for the GLib library
 libglib2.0-doc - Documentation files for the GLib library
 libglib2.0-udeb - The GLib library of C routines - minimal runtime (udeb)
Closes: 520046
Changes: 
 glib2.0 (2.16.6-1+lenny1) stable-security; urgency=low
 .
   * SECURITY: 12_base64-overflow-CVE-2008-4316.patch:
     + Possible arbitrary code execution when processing large Base64 strings.
       Patch from upstream SVN, fixes CVS-2008-4316 (Closes: #520046).
Checksums-Sha1: 
 ef41031a66f10049f9a76246ff122cb028559db5 1475 glib2.0_2.16.6-1+lenny1.dsc
 c4a0a564cced1f1af1280294503da4d9c82616a8 6491460 glib2.0_2.16.6.orig.tar.gz
 e9efad0dbaf0e9b45d016ef91a5379bea307bee1 32351 glib2.0_2.16.6-1+lenny1.diff.gz
 5f3fbc3148a6e6ff0ef7e39cbfeb6a4023280d05 699192 libglib2.0-data_2.16.6-1+lenny1_all.deb
 56d45e558a99f2599fea371fdcdbfc3e8104b1ab 1157604 libglib2.0-doc_2.16.6-1+lenny1_all.deb
 e415966fa0d597d9dc01c48f9f4560ac52fd3cc8 826938 libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 a85997c7a34b3a4f2c8f427ee93b5ad1811ee8d9 1310078 libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 721ba79b29e22dfff6397c0e3ef176f667356489 989946 libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 4ae74266bb44dbe012b7234357b51ec48636893e 1206420 libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 420b78934ee252d4b550c481f3e35807b2f46749 46542 libgio-fam_2.16.6-1+lenny1_amd64.deb
Checksums-Sha256: 
 0e1aa8c2efb5c7ba81c149d7827fde908cf65150a5d946c61f95f03dc917d3fc 1475 glib2.0_2.16.6-1+lenny1.dsc
 977d5720f7f43a76261804e79cade381fa874385a45bf52a9cc4440106256f88 6491460 glib2.0_2.16.6.orig.tar.gz
 481d3b9a1504c3f345fd4c8565f381a2aa2b0e2b4c46fc14075dfbd71baa8a7a 32351 glib2.0_2.16.6-1+lenny1.diff.gz
 04d52f677fb61ab6734a4980b08ba11c49c6a1cadea939bb4460cff887496d98 699192 libglib2.0-data_2.16.6-1+lenny1_all.deb
 c9a71b104464cdcef768095c4dc4fceb3ff583e1243be0e36c0a95fcff7f5da4 1157604 libglib2.0-doc_2.16.6-1+lenny1_all.deb
 08ff051800593d58a27f23ae873e1078d13d573a6486b6cf795a8e5f7dc2f586 826938 libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 f6b360b8713a57063f62c6afe0903902e9e877f0798239b3c9bc51662e15d5c6 1310078 libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 f648c22d8264ee05aa3c2d2f67c8ae4da5d394849d30460a34b63ed3892c83d5 989946 libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 0e000649e833520181a62374d984fbc308e37594ca628a01543b19f7fe4b70b8 1206420 libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 0fd5d9264484ebfa5909a492b6fe4f43d018d90f6327efb9982c31239d45462c 46542 libgio-fam_2.16.6-1+lenny1_amd64.deb
Files: 
 59ca34e703bf0a798746cdeca3a2c051 1475 libs optional glib2.0_2.16.6-1+lenny1.dsc
 65c594a471406a377bee8171a2ea43d4 6491460 libs optional glib2.0_2.16.6.orig.tar.gz
 22cac59cf4481cdddc9802be93dc4100 32351 libs optional glib2.0_2.16.6-1+lenny1.diff.gz
 9edb95995e450eb2609589b2606c8e6b 699192 misc optional libglib2.0-data_2.16.6-1+lenny1_all.deb
 ab17084a6d7d448c1316d6e247ae5cdc 1157604 doc optional libglib2.0-doc_2.16.6-1+lenny1_all.deb
 87687e0cd4a03c7fbcaebad25ca07436 826938 libs optional libglib2.0-0_2.16.6-1+lenny1_amd64.deb
 14bbc4e19f36469df8d57ab454a5daf0 1310078 debian-installer optional libglib2.0-udeb_2.16.6-1+lenny1_amd64.udeb
 66e6c9941573937ffc015fe4356d1b81 989946 libdevel optional libglib2.0-dev_2.16.6-1+lenny1_amd64.deb
 16cfc02b6ff9d1c25ecd72a25c0dd404 1206420 libdevel extra libglib2.0-0-dbg_2.16.6-1+lenny1_amd64.deb
 8cbe7a8cd81a83ac4362b85b6c8b563c 46542 libs optional libgio-fam_2.16.6-1+lenny1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm/qeYACgkQBsBdh1vkHyGfugCdHFI8Hazk29pHoxlWDE7/APYY
YPYAoJeQF+0JuNQJv3VU99MHwF3KkpGU
=jQle
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:31:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:53:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.