Debian Bug report logs - #601181
openscenegraph uses an embedded copy of vulnerable lib3ds

version graph

Package: libopenscenegraph7; Maintainer for libopenscenegraph7 is (unknown);

Reported by: Silvio Cesare <silvio.cesare@gmail.com>

Date: Sun, 24 Oct 2010 06:15:02 UTC

Severity: important

Tags: security

Found in version openscenegraph/2.4.0-1.1

Fixed in version openscenegraph/2.4.0-1.1+lenny1

Done: Alberto Luaces <aluaces@udc.es>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Loic Dachary (OuoU) <loic@debian.org>:
Bug#601181; Package libopenscenegraph7. (Sun, 24 Oct 2010 06:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Silvio Cesare <silvio.cesare@gmail.com>:
New Bug report received and forwarded. Copy sent to Loic Dachary (OuoU) <loic@debian.org>. (Sun, 24 Oct 2010 06:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Silvio Cesare <silvio.cesare@gmail.com>
To: submit@bugs.debian.org
Subject: openscenegraph uses an embedded copy of vulnerable lib3ds
Date: Sun, 24 Oct 2010 17:13:58 +1100
[Message part 1 (text/plain, inline)]
Package: libopenscenegraph7
Version: 2.4.0-1.1
Severity: important
Tags: security

openscenegraph uses an embedded copy of lib3ds 1.1. This version of lib3ds
is vulnerable to http://security-tracker.debian.org/tracker/CVE-2010-0280.
The desired outcome is that openscenegraph use the system wide lib3ds
library instead of the embedded copy.
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Dachary (OuoU) <loic@debian.org>:
Bug#601181; Package libopenscenegraph7. (Tue, 26 Oct 2010 12:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alberto Luaces <aluaces@udc.es>:
Extra info received and forwarded to list. Copy sent to Loic Dachary (OuoU) <loic@debian.org>. (Tue, 26 Oct 2010 12:03:05 GMT) Full text and rfc822 format available.

Message #10 received at 601181@bugs.debian.org (full text, mbox):

From: Alberto Luaces <aluaces@udc.es>
To: Silvio Cesare <silvio.cesare@gmail.com>
Cc: 601181@bugs.debian.org
Subject: Re: Bug#601181: openscenegraph uses an embedded copy of vulnerable lib3ds
Date: Tue, 26 Oct 2010 13:51:57 +0200
This will take some time. As I expect we all feared :) , the embedded
copy of lib3ds in OSG is modified in order to address endianess
issues and things like that.

I will get a patch as soon as I can.




Reply sent to Alberto Luaces <aluaces@udc.es>:
You have taken responsibility. (Thu, 18 Nov 2010 02:10:35 GMT) Full text and rfc822 format available.

Notification sent to Silvio Cesare <silvio.cesare@gmail.com>:
Bug acknowledged by developer. (Thu, 18 Nov 2010 02:10:35 GMT) Full text and rfc822 format available.

Message #15 received at 601181-close@bugs.debian.org (full text, mbox):

From: Alberto Luaces <aluaces@udc.es>
To: 601181-close@bugs.debian.org
Subject: Bug#601181: fixed in openscenegraph 2.4.0-1.1+lenny1
Date: Thu, 18 Nov 2010 02:00:03 +0000
Source: openscenegraph
Source-Version: 2.4.0-1.1+lenny1

We believe that the bug you reported is fixed in the latest version of
openscenegraph, which is due to be installed in the Debian FTP archive:

libopenscenegraph-dev_2.4.0-1.1+lenny1_amd64.deb
  to main/o/openscenegraph/libopenscenegraph-dev_2.4.0-1.1+lenny1_amd64.deb
libopenscenegraph7_2.4.0-1.1+lenny1_amd64.deb
  to main/o/openscenegraph/libopenscenegraph7_2.4.0-1.1+lenny1_amd64.deb
libopenthreads-dev_2.4.0-1.1+lenny1_amd64.deb
  to main/o/openscenegraph/libopenthreads-dev_2.4.0-1.1+lenny1_amd64.deb
libopenthreads7_2.4.0-1.1+lenny1_amd64.deb
  to main/o/openscenegraph/libopenthreads7_2.4.0-1.1+lenny1_amd64.deb
openscenegraph-doc_2.4.0-1.1+lenny1_all.deb
  to main/o/openscenegraph/openscenegraph-doc_2.4.0-1.1+lenny1_all.deb
openscenegraph_2.4.0-1.1+lenny1.diff.gz
  to main/o/openscenegraph/openscenegraph_2.4.0-1.1+lenny1.diff.gz
openscenegraph_2.4.0-1.1+lenny1.dsc
  to main/o/openscenegraph/openscenegraph_2.4.0-1.1+lenny1.dsc
openscenegraph_2.4.0-1.1+lenny1_amd64.deb
  to main/o/openscenegraph/openscenegraph_2.4.0-1.1+lenny1_amd64.deb
openthreads-doc_2.4.0-1.1+lenny1_all.deb
  to main/o/openscenegraph/openthreads-doc_2.4.0-1.1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 601181@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Luaces <aluaces@udc.es> (supplier of updated openscenegraph package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 11 Nov 2010 10:08:03 +0100
Source: openscenegraph
Binary: libopenthreads-dev libopenthreads7 openthreads-doc libopenscenegraph-dev libopenscenegraph7 openscenegraph-doc openscenegraph
Architecture: source amd64 all
Version: 2.4.0-1.1+lenny1
Distribution: stable
Urgency: high
Maintainer: Loic Dachary (OuoU) <loic@debian.org>
Changed-By: Alberto Luaces <aluaces@udc.es>
Description: 
 libopenscenegraph-dev - 3D scenegraph development files
 libopenscenegraph7 - 3D scenegraph
 libopenthreads-dev - Object-Oriented (OO) thread interface for C++ programmers, develo
 libopenthreads7 - Object-Oriented (OO) thread interface for C++ programmers, develo
 openscenegraph - 3D scenegraph binary files
 openscenegraph-doc - 3D scenegraph documentation
 openthreads-doc - Documentation for Object-Oriented (OO) thread interface
Closes: 601181
Changes: 
 openscenegraph (2.4.0-1.1+lenny1) stable; urgency=high
 .
   * A vulnerability (CVE-2010-0280) was detected in OSG's embedded copy of
     lib3ds. Applying the same patch for lib3ds in Squeeze, since there are
     few chances for lib3ds to get updated in Lenny (Closes: #601181).
Checksums-Sha1: 
 28eb0643e44f1f53a1d104ec0f7e92d0730f8564 1464 openscenegraph_2.4.0-1.1+lenny1.dsc
 0f1eab92868cf918f2ebac22e2703c3f9c331a79 15993 openscenegraph_2.4.0-1.1+lenny1.diff.gz
 8f48a3f10d12466bf1d9866f1afd5e4d6c91c538 15344 libopenthreads-dev_2.4.0-1.1+lenny1_amd64.deb
 98201762fb0bd84373417d471f9e005ab453b693 18902 libopenthreads7_2.4.0-1.1+lenny1_amd64.deb
 68905c831d3763fba79ed4654623cbfacd46eee7 7542 openthreads-doc_2.4.0-1.1+lenny1_all.deb
 354e36629af42ca5a5c49d645c91d67cb1448936 425114 libopenscenegraph-dev_2.4.0-1.1+lenny1_amd64.deb
 2f29902c143245e5e847e2ba17e3f69ae7eac1a0 5312358 libopenscenegraph7_2.4.0-1.1+lenny1_amd64.deb
 a8364c41a3a346923b653ff7615c78cd1490b596 7553026 openscenegraph-doc_2.4.0-1.1+lenny1_all.deb
 68ded53c19f6d0c27703549305d5ab636c6e1512 2422710 openscenegraph_2.4.0-1.1+lenny1_amd64.deb
Checksums-Sha256: 
 22384a06cd0b1b362facf0212188ba75dc096e08ae4b0fe015bd4fc821284d1b 1464 openscenegraph_2.4.0-1.1+lenny1.dsc
 6fd16b4631f9fecd33b84aa4f76145e6f880eb5bcaa739f0f3553be8c6bb9b7b 15993 openscenegraph_2.4.0-1.1+lenny1.diff.gz
 5db509ffd70b251511384b813752c5fbcb737a8404b4329699e595f0a63383e9 15344 libopenthreads-dev_2.4.0-1.1+lenny1_amd64.deb
 1fa99e59ed386f9714b67d91b077c742ce3380e39007cd47f5a1d619c0b730a0 18902 libopenthreads7_2.4.0-1.1+lenny1_amd64.deb
 1e6b7301fef0478007fa943cedabf781e7a780ad0541c9a1c6af1398ab4bac1a 7542 openthreads-doc_2.4.0-1.1+lenny1_all.deb
 cbcd429559eae989289dac1ae86c975860c4a7ec4bd9f722d2b4225ce1538f7e 425114 libopenscenegraph-dev_2.4.0-1.1+lenny1_amd64.deb
 2ee41bba15ae798aa486843ecc22a03186d00f49731c26662b3a384bed8ca189 5312358 libopenscenegraph7_2.4.0-1.1+lenny1_amd64.deb
 4aafee6237735e5b06576482dea802236cf2e1b769b509f00c8cacdc4876892d 7553026 openscenegraph-doc_2.4.0-1.1+lenny1_all.deb
 c09849ff3db95b485e256cf695ff423ad640b247786964a1b055312421aab6b2 2422710 openscenegraph_2.4.0-1.1+lenny1_amd64.deb
Files: 
 36e801c926dde3a51fbdcd4119e930c7 1464 devel optional openscenegraph_2.4.0-1.1+lenny1.dsc
 c854ba6cf1c980fc841ce310bf2eb744 15993 devel optional openscenegraph_2.4.0-1.1+lenny1.diff.gz
 c0879d617178a715efc75924384f5330 15344 devel optional libopenthreads-dev_2.4.0-1.1+lenny1_amd64.deb
 c37ce2002237625f1bbde0bbf3b115ee 18902 libs optional libopenthreads7_2.4.0-1.1+lenny1_amd64.deb
 a6bf72bb0eb0939cc3b5009bdf4e9f19 7542 devel optional openthreads-doc_2.4.0-1.1+lenny1_all.deb
 373036eba0f8e269856cc6a832cd6f76 425114 devel optional libopenscenegraph-dev_2.4.0-1.1+lenny1_amd64.deb
 80c59bcf32bcc4d7f93e74c41da41708 5312358 libs optional libopenscenegraph7_2.4.0-1.1+lenny1_amd64.deb
 300c158611c89df8b371a67ae64db8f5 7553026 devel optional openscenegraph-doc_2.4.0-1.1+lenny1_all.deb
 05ddd2d6c03349b6a7de40e3181c2153 2422710 devel optional openscenegraph_2.4.0-1.1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzkICsACgkQ8dLMyEl6F23jswCfWfakia2MrEllCFdDU9rF746g
tFAAoIEdXpWdTgyttBc4uaf1FN3W6RY0
=tukv
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Dec 2010 07:33:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:39:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.