[Secure-testing-team] Re: Security issues in package ekg
Felipe Augusto van de Wiel (faw)
felipe at cathedrallabs.org
Thu Mar 22 02:39:08 UTC 2007
Hi Marcin,
On 03/21/2007 11:37 AM, Marcin Owsiany wrote:
[...]
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
[...]
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1
> sarge-volatile  | 1:1.5+20050411-6  | 2661 only (*) | 1:1.5+20050411-8
> ----------------+-------------------+---------------+-----------------------------
>
> (*) No GIF OCR code was in these versions, thus they are not vulnerable
>
> Please have a look at the attached minimal patches, I intend to apply
> them to respective versions of updated packages.
>
> Please allocate CVEs for the 3 above issues. I will prepare new packages
> once I have the CVEs.
Thanks for the detailed report.
It would probably be good to have an ack, so, for Debian Volatile:
ACK! :-)
> regards,
> Marcin
[...]
Kind regards,
--
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"