Ubuntu
ekg package

several vulnerabilities

Bug #96712 reported by Michael Bienia on 2007-03-26

254

Affects		Status	Importance	Assigned to	Milestone
	ekg (Ubuntu)	Fix Released	Low	Unassigned	Ubuntu ubuntu-7.04
	Breezy	Invalid	Low	Kees Cook
	Dapper	Invalid	Low	Kees Cook
	Edgy	Invalid	Low	Kees Cook
	Feisty	Fix Released	Low	Unassigned	Ubuntu ubuntu-7.04

Bug Description

Binary package hint: ekg

Please sync ekg (1:1.7~rc2-2) from Debian unstable (main).

The Ubuntu package has no changes.

The package builds cleanly in a feisty pbuilder.

Changelog:

ekg (1:1.7~rc2-2) unstable; urgency=high

  * Security upload, for sid and etch
  * Patched three medium severity security issues in src/events.c:
    - CVE-2007-1663 A memory leak in handling image messages, which may cause
      memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
      a hostile GG user.
    - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
      pointer dereference resulting in a DoS (ekg program crash). Exploitable
      by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
      server.
    - CVE-2007-1665 potential memory exhaust in token OCR function, which may
      cause memory exhaustion resulting in a DoS (ekg program crash).
      Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
      hostile GG server.

-- Marcin Owsiany <email address hidden> Mon, 26 Mar 2007 18:53:19 +0100

Kees Cook (kees) on 2007-03-26

Changed in ekg:
status:	Unconfirmed → Confirmed

Revision history for this message

Kees Cook (kees) wrote on 2007-03-27:

#1

This needs a full update breezy through feisty. Debian's update appears to only be the security updates.

Changed in ekg:
assignee:	nobody → keescook
importance:	Undecided → Low
status:	Unconfirmed → In Progress
assignee:	nobody → keescook
importance:	Undecided → Low
status:	Unconfirmed → In Progress
importance:	Undecided → Low
importance:	Undecided → Low
status:	Unconfirmed → In Progress
assignee:	nobody → keescook

Revision history for this message

Sebastien Bacher (seb128) wrote on 2007-03-28:

#2

[Updating] ekg (1:1.7~rc2-1build1 [Ubuntu] < 1:1.7~rc2-2 [Debian])
* Trying to add ekg...
  - <ekg_1.7~rc2-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2-2.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2.orig.tar.gz: already in distro - downloading from librarian>
I: ekg [main] -> ekg_1:1.7~rc2-1build1 [universe].
I: ekg [main] -> libgadu-dev_1:1.7~rc2-1build1 [main].
I: ekg [main] -> libgadu3_1:1.7~rc2-1build1 [main].

Changed in ekg:
status:	Confirmed → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2007-03-30:

#3

Sorry, we cannot sync to stable releases, so I unsubscribe ubuntu-archive and change the bug title. This needs to be handled with normal -security uploads and backported patches.

Revision history for this message

Marco Rodrigues (gothicx) wrote on 2007-04-13:

#4

Breezy support is over.. Today it's Breezy End Of Life!

Changed in ekg:
status:	In Progress → Rejected

Revision history for this message

Kees Cook (kees) wrote on 2007-06-15:

#5

Turns out that Dapper and Edgy are not vulnerable.

Changed in ekg:
status:	In Progress → Rejected
status:	In Progress → Rejected

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.