Debian Bug report logs - #576469
imlib2: CVE-2008-6079 multiple vulnerabilities

version graph

Package: imlib2; Maintainer for imlib2 is Alessandro Ghedini <ghedo@debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 4 Apr 2010 22:21:01 UTC

Severity: grave

Tags: security

Found in version 1.4.0-1.2

Fixed in versions 1.4.0-1.2+lenny1, 1.4.2-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#576469; Package imlib2. (Sun, 04 Apr 2010 22:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 04 Apr 2010 22:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: imlib2: CVE-2008-6079 multiple vulnerabilities
Date: Sun, 4 Apr 2010 18:19:05 -0400
Package: imlib2
Version: 1.4.0-1.2
Severity: important
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for imlib2, which is claimed fixed by upstream 1.4.2, which
is already in unstable. lenny is very likely affected, but I can't find
any actionable info, so you will need to touch base upstream to figure
this out.

CVE-2008-6079[0]:
| Multiple unspecified vulnerabilities in imlib2 before 1.4.2 have
| unknown impact and attack vectors.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6079
    http://security-tracker.debian.org/tracker/CVE-2008-6079




Severity set to 'grave' from 'important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 05 Apr 2010 13:27:04 GMT) Full text and rfc822 format available.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 05 Apr 2010 13:33:08 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 05 Apr 2010 13:33:09 GMT) Full text and rfc822 format available.

Message #12 received at 576469-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 576469-done@bugs.debian.org
Subject: Re: Bug#576469: imlib2: CVE-2008-6079 multiple vulnerabilities
Date: Mon, 5 Apr 2010 15:23:19 +0200
[Message part 1 (text/plain, inline)]
Version: 1.4.2-1

Hey,
* Michael Gilbert <michael.s.gilbert@gmail.com> [2010-04-05 00:34]:
> Package: imlib2
> Version: 1.4.0-1.2
> Severity: important

raised the severity

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for imlib2, which is claimed fixed by upstream 1.4.2, which
> is already in unstable. lenny is very likely affected, but I can't find
> any actionable info, so you will need to touch base upstream to figure
> this out.

This is indeed fixed in 1.4.2. For lenny, yes it is affected and actually I 
already identified and backported the fixes to the lenny version. This is 
about multiple buffer overflows (heap and stack based) in various loaders. The 
stable update will come today or tomorrow.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 05 Apr 2010 14:42:04 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 05 Apr 2010 14:42:04 GMT) Full text and rfc822 format available.

Message #17 received at 576469-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 576469-done@bugs.debian.org
Date: Mon, 5 Apr 2010 16:37:51 +0200
[Message part 1 (text/plain, inline)]
Version: 1.4.0-1+lenny1

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug No longer marked as fixed in versions 1.4.0-1+lenny1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 05 Apr 2010 14:57:09 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 1.4.0-1.2+lenny1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 05 Apr 2010 15:03:11 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:40:12 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:19:08 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.