Debian Bug report logs - #528510
cscope: CVE-2009-0148 multiple buffer overflows

version graph

Package: cscope; Maintainer for cscope is Tobias Klauser <tklauser@distanz.ch>; Source for cscope is src:cscope.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 13 May 2009 11:06:04 UTC

Severity: grave

Tags: security

Fixed in version cscope/15.7a-1

Done: Tobias Klauser <tklauser@distanz.ch>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Tobias Klauser <tklauser@distanz.ch>:
Bug#528510; Package cscope. (Wed, 13 May 2009 11:06:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Tobias Klauser <tklauser@distanz.ch>. (Wed, 13 May 2009 11:06:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: cscope: CVE-2009-0148 multiple buffer overflows
Date: Wed, 13 May 2009 13:02:06 +0200
[Message part 1 (text/plain, inline)]
Package: cscope
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for cscope.

CVE-2009-0148[0]:
| Multiple buffer overflows in Cscope before 15.7a allow remote
| attackers to execute arbitrary code via long strings in input such as
| (1) source-code tokens and (2) pathnames, related to integer overflows
| in some cases. NOTE: this issue exists because of an incomplete fix
| for CVE-2004-2541.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0148
    http://security-tracker.debian.net/tracker/CVE-2009-0148

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Tobias Klauser <tklauser@distanz.ch>:
You have taken responsibility. (Tue, 09 Jun 2009 12:36:07 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Tue, 09 Jun 2009 12:36:07 GMT) Full text and rfc822 format available.

Message #10 received at 528510-close@bugs.debian.org (full text, mbox):

From: Tobias Klauser <tklauser@distanz.ch>
To: 528510-close@bugs.debian.org
Subject: Bug#528510: fixed in cscope 15.7a-1
Date: Tue, 09 Jun 2009 12:17:10 +0000
Source: cscope
Source-Version: 15.7a-1

We believe that the bug you reported is fixed in the latest version of
cscope, which is due to be installed in the Debian FTP archive:

cscope_15.7a-1.diff.gz
  to pool/main/c/cscope/cscope_15.7a-1.diff.gz
cscope_15.7a-1.dsc
  to pool/main/c/cscope/cscope_15.7a-1.dsc
cscope_15.7a-1_i386.deb
  to pool/main/c/cscope/cscope_15.7a-1_i386.deb
cscope_15.7a.orig.tar.gz
  to pool/main/c/cscope/cscope_15.7a.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Klauser <tklauser@distanz.ch> (supplier of updated cscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 24 May 2009 12:13:47 +0200
Source: cscope
Binary: cscope
Architecture: source i386
Version: 15.7a-1
Distribution: unstable
Urgency: high
Maintainer: Tobias Klauser <tklauser@distanz.ch>
Changed-By: Tobias Klauser <tklauser@distanz.ch>
Description: 
 cscope     - Interactively examine a C program source
Closes: 515164 528510
Changes: 
 cscope (15.7a-1) unstable; urgency=high
 .
   * New upstream release.
     - Security update for CVE-2009-0148 to fix multiple buffer overflows
       (Closes: #528510).
     - Drop 01-fix-resize-crash-inside-vim.dpatch, merged upstream.
   * Correctly install xcscope.el via dh_installemacsen (Closes: #515164).
   * Update to Standards-Version 3.8.1, no changes needed.
Checksums-Sha1: 
 c8639b506d3ee332858005d17cbf95ad9d3093ed 1149 cscope_15.7a-1.dsc
 33d3dd36dcca95ce199d2ad07d7fa9fce2e9a6f9 429251 cscope_15.7a.orig.tar.gz
 e008766343ea64ddb0edd621281b86fe7494c1ac 16951 cscope_15.7a-1.diff.gz
 11ad2a03d3b35c444d0f8fa3a4cc83d1128fcd6a 153178 cscope_15.7a-1_i386.deb
Checksums-Sha256: 
 2804ca570f12af4637a6db2356e34b4ccc07f26dd1f5cfc8a8d171ba86fafd6f 1149 cscope_15.7a-1.dsc
 1f04362e865b9ab2b470f0845531111881e76b55f68d7892b15ddbc38641fe26 429251 cscope_15.7a.orig.tar.gz
 e25fd9c86fe8dc464b8409aa76a0bb5cfba534f1599409aa8bd71e2dcb156376 16951 cscope_15.7a-1.diff.gz
 d5157e663cba6ca965c47dd868cdab591a365853b7311f52eec6060320652204 153178 cscope_15.7a-1_i386.deb
Files: 
 4896c50a763f012c3a4bb72c2812742e 1149 devel optional cscope_15.7a-1.dsc
 90d1b66dafa355307195c7153cec6d5c 429251 devel optional cscope_15.7a.orig.tar.gz
 018a295298250bec6cc09e717a90a7f9 16951 devel optional cscope_15.7a-1.diff.gz
 652128d8315683ee56849da1248bb426 153178 devel optional cscope_15.7a-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkouT6kACgkQ+C5cwEsrK54pPgCfW8EtWsiZ6nxhS4lHWw0c4Y5+
JJsAn0x3wzSWxAG9GS0NFSxQFLdV52On
=8vJx
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jul 2009 07:27:15 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 16:03:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.