XPM vulnerability as well present in lesstif

Bug #8564 reported by Debian Bug Importer
Affects / Status / Importance / Assigned to / Milestone
lesstif2 (Debian): Fix Released, importance Unknown
lesstif2 (Ubuntu): Invalid, importance High, assigned to Fabio Massimo Di Nitto

Bug Description

Automatically imported from Debian bug report #273591 http://bugs.debian.org/273591

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 27 Sep 2004 10:21:41 +0200
From: Moritz Mühlenhoff <email address hidden>
To: <email address hidden>
Subject: XPM vulnerability as well present in lesstif

Package: lesstif2
Version: 1:0.93.94-8
Severity: grave
Tags: security

Hi,
the recent XPM vulnerabilities affect lesstif as well, as they seem to
include a forked version in their distribution. See this CVS commit
message for the concrete fix:
http://sourceforge.net/mailarchive/forum.php?thread_id=5594360&forum_id=30340

Latest upstream fixes the problem as well.

I'm setting this severity to "grave", as the other XPM vulnerabilities
claimed to allow remote code execution. If this is not the case with
lesstif feel free to downgrade the severity.

Cheers,
         Moritz

--
Moritz Mühlenhoff <email address hidden> fon: +49 421 22 232-0
Development Linux for Your Business
Univention GmbH http://www.univention.de/ fax: +49 421 22 232-99

Revision history for this message
Fabio Massimo Di Nitto (fabbione) wrote :

Request permission to upload.

Revision history for this message
Jeff Waugh (jdub) wrote :

approved, thanks!

Revision history for this message
Fabio Massimo Di Nitto (fabbione) wrote :

Fixed with 1:0.93.94-4ubuntu1 upload.

Revision history for this message
Sam Hocevar (sam-h) wrote : Bug#273591: fixed in lesstif1-1 1:0.93.94-9

Source: lesstif1-1
Source-Version: 1:0.93.94-9

We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:

lesstif-bin_0.93.94-9_i386.deb
  to pool/main/l/lesstif1-1/lesstif-bin_0.93.94-9_i386.deb
lesstif-dev_0.93.94-9_i386.deb
  to pool/main/l/lesstif1-1/lesstif-dev_0.93.94-9_i386.deb
lesstif-doc_0.93.94-9_all.deb
  to pool/main/l/lesstif1-1/lesstif-doc_0.93.94-9_all.deb
lesstif1-1_0.93.94-9.diff.gz
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-9.diff.gz
lesstif1-1_0.93.94-9.dsc
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-9.dsc
lesstif1_0.93.94-9_i386.deb
  to pool/main/l/lesstif1-1/lesstif1_0.93.94-9_i386.deb
lesstif2-dev_0.93.94-9_i386.deb
  to pool/main/l/lesstif1-1/lesstif2-dev_0.93.94-9_i386.deb
lesstif2_0.93.94-9_i386.deb
  to pool/main/l/lesstif1-1/lesstif2_0.93.94-9_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 27 Sep 2004 14:13:38 +0200
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-9
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
 lesstif-bin - user binaries for LessTif
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif-doc - documentation for LessTif
 lesstif1 - OSF/Motif 1.2 implementation released under LGPL
 lesstif2 - OSF/Motif 2.1 implementation released under LGPL
 lesstif2-dev - development library and header files for LessTif 2.1
Closes: 271631 273591
Changes:
 lesstif1-1 (1:0.93.94-9) unstable; urgency=high
 .
   * Urgency = high because of a security fix.
   * lib/Xm-2.1: backported changes from upstream's 0.93.96 release, which
     cannot be packaged as it removes support for lesstif1 (Closes: #271631):
     + Adds scroll wheel support.
     + Fix uninitialised memory usage.
     + XPM vulnerability fix (Closes: #273591).
   * lib/Xm: backported the XPM vulnerability fix to lesstif1.
Files:
 c1aadf14859488bd4ebc5fa9be3effe4 848 libs optional lesstif1-1_0.93.94-9.dsc
 4184de66db5560d2bde376ee436339f7 63345 libs optional lesstif1-1_0.93.94-9.diff.gz
 b57bc81ea20699ecbdb85764e932e229 342466 doc optional lesstif-doc_0.93.94-9_all.deb
 b57a943ee2529a9102d5ca6bbd483468 693138 libs optional lesstif2_0.93.94-9_i386.deb
 646c43e62dfed501adc703d979097cac 615494 libs optional lesstif1_0.93.94-9_i386.deb
 52ba1323001ce91e5b84a63216ea7214 959988 libdevel optional lesstif2-dev_0....


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 27 Sep 2004 16:47:10 -0400
From: Sam Hocevar (Debian packages) <email address hidden>
To: <email address hidden>
Subject: Bug#273591: fixed in lesstif1-1 1:0.93.94-9

Changed in lesstif2:
status: Unknown → Fix Released