Debian Bug report logs - #593299
barnowl: CVE-2010-2725


Package: barnowl; Maintainer for barnowl is Sam Hartman <hartmans@debian.org>; Source for barnowl is src:barnowl.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 17 Aug 2010 01:33:02 UTC

Severity: serious

Tags: security

Found in version barnowl/1.5.1-1

Fixed in versions barnowl/1.6.2-1, barnowl/1.0.1-4+lenny2

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#593299; Package barnowl. (Tue, 17 Aug 2010 01:33:04 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 17 Aug 2010 01:33:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: barnowl: CVE-2010-2725
Date: Mon, 16 Aug 2010 21:28:42 -0400
Package: barnowl
Version: 1.5.1-1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for barnowl.

CVE-2010-2725[0]:
| BarnOwl before 1.6.2 does not check the return code of calls to the
| (1) ZPending and (2) ZReceiveNotice functions in libzephyr, which
| allows remote attackers to cause a denial of service (crash) and
| possibly execute arbitrary code via unknown vectors.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2725
    http://security-tracker.debian.org/tracker/CVE-2010-2725




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#593299; Package barnowl. (Tue, 17 Aug 2010 12:48:03 GMT)

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Aug 2010 12:48:03 GMT)

Message #10 received at submit@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 593299@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#593299: barnowl: CVE-2010-2725
Date: Tue, 17 Aug 2010 08:45:26 -0400
Will upload 1.6.2.

I guess I should do something about testing too.  I'll ask -release if
they will permit 1.6.2 into testing but kind of expect a no answer, so
I'll probably need to prepare something for tpu.

--Sam




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#593299; Package barnowl. (Tue, 17 Aug 2010 12:48:05 GMT)

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Aug 2010 12:48:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#593299; Package barnowl. (Tue, 17 Aug 2010 15:09:06 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 17 Aug 2010 15:09:06 GMT)

Message #20 received at 593299@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 593299@bugs.debian.org
Subject: Re: Bug#593299: barnowl: CVE-2010-2725
Date: Tue, 17 Aug 2010 11:04:37 -0400
On Tue, 17 Aug 2010 08:45:26 -0400, Sam Hartman wrote:
> Will upload 1.6.2.
> 
> I guess I should do something about testing too.  I'll ask -release if
> they will permit 1.6.2 into testing but kind of expect a no answer, so
> I'll probably need to prepare something for tpu.

They'll usually grant exceptions for RC issues, and I've seen a couple of
other 'new upstreams' get unblocked since it's still very early in the
freeze.

mike




Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Tue, 17 Aug 2010 21:09:11 GMT)

Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Wed, 18 Aug 2010 00:06:05 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 18 Aug 2010 00:06:05 GMT)

Message #27 received at 593299-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 593299-close@bugs.debian.org
Subject: Bug#593299: fixed in barnowl 1.6.2-1
Date: Wed, 18 Aug 2010 00:02:07 +0000
Source: barnowl
Source-Version: 1.6.2-1

We believe that the bug you reported is fixed in the latest version of
barnowl, which is due to be installed in the Debian FTP archive:

barnowl_1.6.2-1.debian.tar.gz
  to main/b/barnowl/barnowl_1.6.2-1.debian.tar.gz
barnowl_1.6.2-1.dsc
  to main/b/barnowl/barnowl_1.6.2-1.dsc
barnowl_1.6.2-1_i386.deb
  to main/b/barnowl/barnowl_1.6.2-1_i386.deb
barnowl_1.6.2.orig.tar.gz
  to main/b/barnowl/barnowl_1.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593299@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated barnowl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 17 Aug 2010 18:47:15 -0400
Source: barnowl
Binary: barnowl
Architecture: source i386
Version: 1.6.2-1
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 barnowl    - A curses-based tty Jabber, IRC, AIM and Zephyr client
Closes: 593299
Changes: 
 barnowl (1.6.2-1) unstable; urgency=low
 .
   * New upstream version
   * Fixes CVE-2010-2725, Closes: #593299
   * Build-conflict with barnowl because t/mock.pl is broken and old
     versions of barnowl mess up the current version's tests.






Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Sun, 05 Sep 2010 14:03:07 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 05 Sep 2010 14:03:07 GMT)

Message #32 received at 593299-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 593299-close@bugs.debian.org
Subject: Bug#593299: fixed in barnowl 1.0.1-4+lenny2
Date: Sun, 05 Sep 2010 13:59:12 +0000
Source: barnowl
Source-Version: 1.0.1-4+lenny2

We believe that the bug you reported is fixed in the latest version of
barnowl, which is due to be installed in the Debian FTP archive:

barnowl-irc_1.0.1-4+lenny2_all.deb
  to main/b/barnowl/barnowl-irc_1.0.1-4+lenny2_all.deb
barnowl_1.0.1-4+lenny2.diff.gz
  to main/b/barnowl/barnowl_1.0.1-4+lenny2.diff.gz
barnowl_1.0.1-4+lenny2.dsc
  to main/b/barnowl/barnowl_1.0.1-4+lenny2.dsc
barnowl_1.0.1-4+lenny2_i386.deb
  to main/b/barnowl/barnowl_1.0.1-4+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593299@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated barnowl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 01 Sep 2010 20:36:01 +0200
Source: barnowl
Binary: barnowl barnowl-irc
Architecture: source all i386
Version: 1.0.1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 barnowl    - A curses-based tty Jabber and Zephyr client
 barnowl-irc - Provide IRC support for the BarnOwl Zephyr client
Closes: 593299
Changes: 
 barnowl (1.0.1-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Check the return code of calls to ZPending and ZReceiveNotice
     functions in zephyr.c (Closes: #593299).
     CVE-2010-2725.

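The CVE text in the opening report and the lenny2 changelog entry above both come down to the same defect class: two libzephyr return codes that were never examined. As an added illustration that is not BarnOwl's or libzephyr's code, the C below puts an unchecked receive loop beside a checked one, driven by constructed stand-ins for ZPending and ZReceiveNotice. It assumes the real signatures are int ZPending(void), returning the pending count or -1 on error, and Code_t ZReceiveNotice(ZNotice_t *, struct sockaddr_in *), returning ZERR_NONE on success; the stand-in drops the sockaddr argument and models a link that dies after a set number of notices.

```c
#include <string.h>

/* Constructed stand-ins for libzephyr, not the real library. Real libzephyr:
 * int ZPending(void) returns the number of queued notices or -1 on error, and
 * Code_t ZReceiveNotice(ZNotice_t *, struct sockaddr_in *) returns ZERR_NONE
 * (0) on success. These stand-ins model a link that dies after `queued` notices. */
typedef int Code_t;
#define ZERR_NONE 0
#define ZERR_FAIL 1                          /* constructed error code */
typedef struct { const char *z_message; int z_message_len; } ZNotice_t;

static int queued;                           /* notices left before the link dies */
static int faults;                           /* failures the last loop ran into */

static int ZPending(void) { return queued > 0 ? queued : -1; }
static Code_t ZReceiveNotice(ZNotice_t *notice) {
    if (queued <= 0) return ZERR_FAIL;       /* on failure *notice is NOT filled in */
    queued--;
    notice->z_message = "hello";
    notice->z_message_len = 5;
    return ZERR_NONE;
}

/* Stand-in for the client's message handler. Touching a notice that was never
 * filled in is the crash the CVE describes; here it is reported, not suffered. */
static int handle(const ZNotice_t *n) {
    return (n->z_message && (int)strlen(n->z_message) == n->z_message_len) ? 0 : -1;
}

/* Unchecked pattern (the bug class): neither return value is examined, so a
 * failed receive reaches the handler as if it were a real notice.
 * Returns the number of notices handled; `faults` counts the bogus ones. */
static int loop_unchecked(int queue_len, int rounds) {
    int good = 0; queued = queue_len; faults = 0;
    for (int i = 0; i < rounds; i++) {
        ZNotice_t notice = {0};              /* zeroed only so the demo cannot crash */
        ZPending();                          /* -1 silently ignored */
        ZReceiveNotice(&notice);             /* error silently ignored */
        if (handle(&notice) == 0) good++; else faults++;
    }
    return good;
}

/* Checked pattern (the fix class): stop when ZPending() reports an error and
 * only hand the notice on when ZReceiveNotice reports success. */
static int loop_checked(int queue_len, int rounds) {
    int good = 0; queued = queue_len; faults = 0;
    for (int i = 0; i < rounds; i++) {
        ZNotice_t notice;
        if (ZPending() < 0) { faults++; break; }
        if (ZReceiveNotice(&notice) != ZERR_NONE) { faults++; break; }
        if (handle(&notice) == 0) good++;
    }
    return good;
}
```

With two queued notices and five loop rounds, the unchecked loop hands three never-filled notices to the handler, while the checked loop delivers the two real ones and stops at the first error.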





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Oct 2010 07:37:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:54:19 2014; Machine Name: buxtehude.debian.org
