Martin Schulze
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: ekg: Bug#318970 - possibly remotely exploitable integer overflow
Marcin Owsiany wrote:> This is different from the bugs fixed in DSA-760. > Present in both 1.5+20050712+1.6rc2-1 (testing/sid) and 1.5+20050411-3 > (sarge) and 1.5+20050411-4 (sarge-security). > ekg is not present in oldstable (woody) > > This time there is only one debian bug, for stable and sid versions > together. We''ll see how the BTS version tracking copes with this :) > > Fixed in: > - upstream 1.6rc3 (released on 2005-07-18) > Going to be fixed in: > - 1.5+20050411-5 (interdiff to -4 attached, changelog needs editing - > requesting CAN number from Debian security team) > Other than that, the upload is in > deb http://people.debian.org/~porridge/ekg-sarge/ ./ > - 1.5+20050718+1.6rc3-1 > I will upload this as soon as I have the CAN number. > > Stable security team: please edit the CAN number in changelog in package > at the above URL and make the upload. > > Testing security team: I will upload to sid as soon as I get the CAN > number.Ok, make this CAN-2005-1852. The usual correction would be count >= UINT_MAX / sizeof(uin_t) --> bail out count > 0xffff should catch that case, so the correction is fine. Regards, Joey -- Whenever you meet yourself you''re in a time loop or in front of a mirror. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050719/3e162db2/attachment.pgp
Marcin Owsiany
2006-Mar-13 12:28 UTC
[Secure-testing-team] ekg: Bug#318970 - possibly remotely exploitable integer overflow
This is different from the bugs fixed in DSA-760. Present in both 1.5+20050712+1.6rc2-1 (testing/sid) and 1.5+20050411-3 (sarge) and 1.5+20050411-4 (sarge-security). ekg is not present in oldstable (woody) This time there is only one debian bug, for stable and sid versions together. We''ll see how the BTS version tracking copes with this :) Fixed in: - upstream 1.6rc3 (released on 2005-07-18) Going to be fixed in: - 1.5+20050411-5 (interdiff to -4 attached, changelog needs editing - requesting CAN number from Debian security team) Other than that, the upload is in deb http://people.debian.org/~porridge/ekg-sarge/ ./ - 1.5+20050718+1.6rc3-1 I will upload this as soon as I have the CAN number. Stable security team: please edit the CAN number in changelog in package at the above URL and make the upload. Testing security team: I will upload to sid as soon as I get the CAN number. Marcin -- Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050719/0db1b64e/attachment.pgp