Debian Bug report logs - #584932
CVE-2010-1938

Package: opie; Maintainer for opie is Michael Stone <mstone@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 7 Jun 2010 16:21:01 UTC

Severity: grave

Tags: security

Fixed in version opie/2.32.dfsg.1-0.2

Done: Jan Hauke Rahm <jhr@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Michael Stone <mstone@debian.org>:
Bug#584932; Package opie. (Mon, 07 Jun 2010 16:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Michael Stone <mstone@debian.org>. (Mon, 07 Jun 2010 16:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1938
Date: Mon, 07 Jun 2010 18:18:00 +0200
Package: opie
Severity: grave
Tags: security

Hi Michael,
please see
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc
for details and a patch. Please fix this for Squeeze.

I don't think we need a DSA for Lenny. However we could still fix it
through a point update.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#584932; Package opie. (Wed, 16 Jun 2010 15:27:03 GMT)

Acknowledgement sent to Jan Hauke Rahm <jhr@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>. (Wed, 16 Jun 2010 15:27:04 GMT)

Message #10 received at 584932@bugs.debian.org:

From: Jan Hauke Rahm <jhr@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 584932@bugs.debian.org
Subject: Re: Bug#584932: CVE-2010-1938
Date: Wed, 16 Jun 2010 17:26:11 +0200
On Mon, Jun 07, 2010 at 06:18:00PM +0200, Moritz Muehlenhoff wrote:
> Hi Michael,
> please see
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc
> for details and a patch. Please fix this for Squeeze.
> 
> I don't think we need a DSA for Lenny. However we could still fix it
> through a point update.

The patch you refer to doesn't work for us as GNU doesn't have strlcpy.
I created a small and simple patch (with review by Sebastian Pipping,
sping at gentoo.org, thanks for that) to avoid writing over the
maximum strlen. It's attached and uploaded with urgency high to
DELAYED/2.

Hope it's all right.
Hauke

-- 
 .''`.   Jan Hauke Rahm <jhr@debian.org>               www.jhr-online.de
: :'  :  Debian Developer                                 www.debian.org
`. `'`   Member of the Linux Foundation                    www.linux.com
  `-     Fellow of the Free Software Foundation Europe      www.fsfe.org
[opie.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
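The defect class this message describes (a NUL terminator written at the buffer's size instead of one byte before it) and the workaround for glibc's missing strlcpy(), as an added C illustration that is not OPIE's code or the attached patch; FIELD_MAX, struct rec and the function names are constructed for the example:

```c
#include <string.h>

/* Constructed example: a fixed-size record field with a sentinel byte
 * directly after it, so a terminator written one byte too far is
 * observable. Sizes and names are assumptions, not OPIE's own. */
#define FIELD_MAX 8
struct rec {
    char field[FIELD_MAX];
    unsigned char canary;   /* lives at byte offset FIELD_MAX */
};

/* Buggy pattern, kept for contrast. It works on the record's raw bytes so
 * the stray write is well-defined and visible: copy at most FIELD_MAX bytes,
 * then place the NUL at index strlen(src); when strlen(src) >= FIELD_MAX
 * that index is one past the field and lands on the canary. */
size_t copy_field_buggy(struct rec *r, const char *src) {
    unsigned char *raw = (unsigned char *)r;
    size_t len = strlen(src);
    size_t n = len < FIELD_MAX ? len : FIELD_MAX;
    memcpy(raw, src, n);
    raw[n] = '\0';          /* n == FIELD_MAX: off-by-one */
    return len;
}

/* Fixed pattern with the guarantee the FreeBSD patch gets from strlcpy(),
 * using only calls glibc has: at most FIELD_MAX-1 bytes are copied and the
 * NUL lands at an index no larger than FIELD_MAX-1. Returns strlen(src),
 * so a caller can detect truncation by checking result >= FIELD_MAX. */
size_t copy_field_fixed(struct rec *r, const char *src) {
    size_t len = strlen(src);
    size_t n = len < FIELD_MAX ? len : FIELD_MAX - 1;
    memcpy(r->field, src, n);
    r->field[n] = '\0';
    return len;
}

/* Check: run a copy routine on src and report whether the canary survived
 * and the field ended up NUL-terminated inside its bounds (1) or not (0). */
int canary_intact(size_t (*copy)(struct rec *, const char *), const char *src) {
    struct rec r;
    memset(&r, 'A', sizeof r);
    r.canary = 0xAA;
    copy(&r, src);
    return r.canary == 0xAA && memchr(r.field, '\0', FIELD_MAX) != NULL;
}

/* Truncation report for the fixed routine: 1 if src did not fit whole. */
int fixed_copy_truncated(const char *src) {
    struct rec r;
    return copy_field_fixed(&r, src) >= FIELD_MAX;
}
```

The canary check is the kind of regression test worth keeping next to such a fix: an input of exactly FIELD_MAX characters is the boundary case that exposes the original bug.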

Reply sent to Jan Hauke Rahm <jhr@debian.org>:
You have taken responsibility. (Fri, 18 Jun 2010 16:15:12 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 18 Jun 2010 16:15:12 GMT)

Message #15 received at 584932-close@bugs.debian.org:

From: Jan Hauke Rahm <jhr@debian.org>
To: 584932-close@bugs.debian.org
Subject: Bug#584932: fixed in opie 2.32.dfsg.1-0.2
Date: Fri, 18 Jun 2010 16:10:46 +0000
Source: opie
Source-Version: 2.32.dfsg.1-0.2

We believe that the bug you reported is fixed in the latest version of
opie, which is due to be installed in the Debian FTP archive:

libopie-dev_2.32.dfsg.1-0.2_amd64.deb
  to main/o/opie/libopie-dev_2.32.dfsg.1-0.2_amd64.deb
opie-client_2.32.dfsg.1-0.2_amd64.deb
  to main/o/opie/opie-client_2.32.dfsg.1-0.2_amd64.deb
opie-server_2.32.dfsg.1-0.2_amd64.deb
  to main/o/opie/opie-server_2.32.dfsg.1-0.2_amd64.deb
opie_2.32.dfsg.1-0.2.diff.gz
  to main/o/opie/opie_2.32.dfsg.1-0.2.diff.gz
opie_2.32.dfsg.1-0.2.dsc
  to main/o/opie/opie_2.32.dfsg.1-0.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Hauke Rahm <jhr@debian.org> (supplier of updated opie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 16 Jun 2010 17:19:07 +0200
Source: opie
Binary: opie-client opie-server libopie-dev
Architecture: source amd64
Version: 2.32.dfsg.1-0.2
Distribution: unstable
Urgency: high
Maintainer: Michael Stone <mstone@debian.org>
Changed-By: Jan Hauke Rahm <jhr@debian.org>
Description: 
 libopie-dev - OPIE library development files.
 opie-client - OPIE programs for generating OTPs on client machines
 opie-server - OPIE programs for maintaining an OTP key file
Closes: 584932
Changes: 
 opie (2.32.dfsg.1-0.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Urgency high for security relevant RC bug.
   * Set null terminator on strlen()-1 instead of strlen().
     CVE-2010-1938 (Closes: #584932)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:34:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:26:27 2014; Machine Name: buxtehude.debian.org
