Debian Bug report logs - #580628
dvipng: CVE-2010-0829


Package: dvipng; Maintainer for dvipng is Varun Hiremath <varun@debian.org>; Source for dvipng is src:dvipng.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 7 May 2010 10:09:02 UTC

Severity: grave

Tags: security

Fixed in version dvipng/1.13-1

Done: Varun Hiremath <varun@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Varun Hiremath <varun@debian.org>:
Bug#580628; Package dvipng. (Fri, 07 May 2010 10:09:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Varun Hiremath <varun@debian.org>. (Fri, 07 May 2010 10:09:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dvipng: CVE-2010-0829
Date: Fri, 07 May 2010 11:59:11 +0200
Package: dvipng
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638

Could you prepare an updated package for stable-security and send it
to team@security.debian.org

Cheers,
        Moritz




Reply sent to Varun Hiremath <varun@debian.org>:
You have taken responsibility. (Sat, 08 May 2010 04:21:05 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 08 May 2010 04:21:05 GMT)

Message #10 received at 580628-close@bugs.debian.org:

From: Varun Hiremath <varun@debian.org>
To: 580628-close@bugs.debian.org
Subject: Bug#580628: fixed in dvipng 1.13-1
Date: Sat, 08 May 2010 04:17:07 +0000
Source: dvipng
Source-Version: 1.13-1

We believe that the bug you reported is fixed in the latest version of
dvipng, which is due to be installed in the Debian FTP archive:

dvipng_1.13-1.debian.tar.gz
  to main/d/dvipng/dvipng_1.13-1.debian.tar.gz
dvipng_1.13-1.dsc
  to main/d/dvipng/dvipng_1.13-1.dsc
dvipng_1.13-1_amd64.deb
  to main/d/dvipng/dvipng_1.13-1_amd64.deb
dvipng_1.13.orig.tar.gz
  to main/d/dvipng/dvipng_1.13.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 580628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Varun Hiremath <varun@debian.org> (supplier of updated dvipng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 07 May 2010 23:42:19 -0400
Source: dvipng
Binary: dvipng
Architecture: source amd64
Version: 1.13-1
Distribution: unstable
Urgency: low
Maintainer: Varun Hiremath <varun@debian.org>
Changed-By: Varun Hiremath <varun@debian.org>
Description: 
 dvipng     - convert DVI files to PNG graphics
Closes: 580628
Changes: 
 dvipng (1.13-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2010-0829, (Closes: #580628)
   * Switch to source format 3.0
   * Bump Standards-Version to 3.8.4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFL5OGzPEFSUMxFMZcRAgqRAKC/RJCluUSay1QmW9foUNu/qfWEUgCfXC2V
3I/ees8Jyinjkjyl0PvdZgM=
=qIj4
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#580628; Package dvipng. (Sat, 08 May 2010 05:03:03 GMT)

Acknowledgement sent to Varun Hiremath <varun@debian.org>:
Extra info received and forwarded to list. (Sat, 08 May 2010 05:03:03 GMT)

Message #15 received at 580628@bugs.debian.org:

From: Varun Hiremath <varun@debian.org>
To: team@security.debian.org
Cc: 580628@bugs.debian.org
Subject: Re: Bug#580628: dvipng: CVE-2010-0829
Date: Sat, 8 May 2010 00:59:45 -0400

Hi Debian Security Team,

On Fri, 07 May, 2010 at 11:59:11AM +0200, Moritz Muehlenhoff wrote:
> Package: dvipng
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638
> 
> Could you prepare an updated package for stable-security and send it
> to team@security.debian.org
> 
> Cheers,
>         Moritz

I have prepared a stable-security update for the dvipng package which
fixes CVE-2010-0829, which can be found here:
http://people.debian.org/~varun/dvipng_1.11-1+lenny1.dsc

Please let me know if it fits the requirements and if I can upload it
to stable-security.

Thanks,
Varun




Information forwarded to debian-bugs-dist@lists.debian.org, Varun Hiremath <varun@debian.org>:
Bug#580628; Package dvipng. (Tue, 11 May 2010 19:15:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Varun Hiremath <varun@debian.org>. (Tue, 11 May 2010 19:15:03 GMT)

Message #20 received at 580628@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Varun Hiremath <varun@debian.org>
Cc: team@security.debian.org, 580628@bugs.debian.org
Subject: Re: Bug#580628: dvipng: CVE-2010-0829
Date: Tue, 11 May 2010 21:13:32 +0200

On Sat, May 08, 2010 at 12:59:45AM -0400, Varun Hiremath wrote:
> Hi Debian Security Team,
> 
> On Fri, 07 May, 2010 at 11:59:11AM +0200, Moritz Muehlenhoff wrote:
> > Package: dvipng
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537638
> > 
> > Could you prepare an updated package for stable-security and send it
> > to team@security.debian.org
> > 
> > Cheers,
> >         Moritz
> 
> I have prepared a stable-security update for the dvipng package which
> fixes CVE-2010-0829, which can be found here:
> http://people.debian.org/~varun/dvipng_1.11-1+lenny1.dsc
> 
> Please let me know if it fits the requirements and if I can upload it
> to stable-security.

Thanks. I've opened a ticket in our RT so that the update gets processed.
Since this is a low urgency issue other issues are likely to be scheduled
earlier.

Cheers,
        Moritz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:34:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:17:34 2014; Machine Name: beach.debian.org
