several vulnerabilities

Bug #96712 reported by Michael Bienia
254
Affects Status Importance Assigned to Milestone
ekg (Ubuntu)
Fix Released
Low
Unassigned
Breezy
Invalid
Low
Kees Cook
Dapper
Invalid
Low
Kees Cook
Edgy
Invalid
Low
Kees Cook
Feisty
Fix Released
Low
Unassigned

Bug Description

Binary package hint: ekg

Please sync ekg (1:1.7~rc2-2) from Debian unstable (main).

The Ubuntu package has no changes.

The package builds cleanly in a feisty pbuilder.

Changelog:

ekg (1:1.7~rc2-2) unstable; urgency=high

  * Security upload, for sid and etch
  * Patched three medium severity security issues in src/events.c:
    - CVE-2007-1663 A memory leak in handling image messages, which may cause
      memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
      a hostile GG user.
    - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
      pointer dereference resulting in a DoS (ekg program crash). Exploitable
      by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
      server.
    - CVE-2007-1665 potential memory exhaust in token OCR function, which may
      cause memory exhaustion resulting in a DoS (ekg program crash).
      Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
      hostile GG server.

 -- Marcin Owsiany <email address hidden> Mon, 26 Mar 2007 18:53:19 +0100

Kees Cook (kees)
Changed in ekg:
status: Unconfirmed → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

This needs a full update breezy through feisty. Debian's update appears to only be the security updates.

Changed in ekg:
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → In Progress
importance: Undecided → Low
importance: Undecided → Low
status: Unconfirmed → In Progress
assignee: nobody → keescook
Revision history for this message
Sebastien Bacher (seb128) wrote :

[Updating] ekg (1:1.7~rc2-1build1 [Ubuntu] < 1:1.7~rc2-2 [Debian])
 * Trying to add ekg...
  - <ekg_1.7~rc2-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2-2.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2.orig.tar.gz: already in distro - downloading from librarian>
I: ekg [main] -> ekg_1:1.7~rc2-1build1 [universe].
I: ekg [main] -> libgadu-dev_1:1.7~rc2-1build1 [main].
I: ekg [main] -> libgadu3_1:1.7~rc2-1build1 [main].

Changed in ekg:
status: Confirmed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Sorry, we cannot sync to stable releases, so I unsubscribe ubuntu-archive and change the bug title. This needs to be handled with normal -security uploads and backported patches.

Revision history for this message
Marco Rodrigues (gothicx) wrote :

Breezy support is over.. Today it's Breezy End Of Life!

Changed in ekg:
status: In Progress → Rejected
Revision history for this message
Kees Cook (kees) wrote :

Turns out that Dapper and Edgy are not vulnerable.

Changed in ekg:
status: In Progress → Rejected
status: In Progress → Rejected
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.