libxpm4: new buffer overflow security hole (CAN-2005-0605)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libxpm (Debian) | Fix Released | Unknown | | |
libxpm (Ubuntu) | Fix Released | High | Daniel Stone | |
Bug Description
Automatically imported from Debian bug report #298939 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Thu, 10 Mar 2005 14:01:37 -0500
From: Branden Robinson <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libxpm4: new buffer overflow security hole (CAN-2005-0605)
Package: libxpm4
Version: 4.3.0.dfsg.1-12
Severity: grave
Tags: security, upstream, fixed-upstream, patch
CAN-2005-0605 indicates that "scan.c for LibXPM may allow attackers to
execute arbitrary code via a negative bitmap_unit value that leads to a
buffer overflow."
Patch is here:
https:/
Description is here:
https:/
Gentoo issued an advisory about this on 4 March.
Ubuntu issued an advisory about this on 7 March.
I learned about this from Linux Weekly News.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-powerpc-smp
Locale: LANG=C, LC_CTYPE=
Versions of packages libxpm4 depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
-- no debconf information
Daniel Stone (daniels) wrote : | #3 |
'Ubuntu issued an advisory about this on 7 March.'
Martin Pitt (pitti) wrote : | #4 |
(In reply to comment #2)
> 'Ubuntu issued an advisory about this on 7 March.'
Well, this advisory fixed lesstif (which also contains xpm code). X in Warty and
Hoary is still vulnerable.
|
#5 |
tag 298939 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 10 Mar 2005 16:34:21 -0500
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-11.1
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
lesstif-bin - user binaries for LessTif
lesstif-dev - development library and header files for LessTif 1.2
lesstif-doc - documentation for LessTif
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
lesstif2 - OSF/Motif 2.1 implementation released under LGPL
lesstif2-dev - development library and header files for LessTif 2.1
Closes: 298939
Changes:
lesstif1-1 (1:0.93.94-11.1) unstable; urgency=HIGH
.
* NMU
* Apply fix for newest libXpm buffer overflows in lesstif1, involving a
negative bitmap_unit value. Fixed both lesstif1 and lesstif2.
Closes: #298939 (CAN-2005-0605)
Files:
Debian Bug Importer (debzilla) wrote : | #6 |
Message-Id: <email address hidden>
Date: Thu, 10 Mar 2005 21:17:04 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Sam Hocevar (Debian packages) <email address hidden>
Subject: Fixed in NMU of lesstif1-1 1:0.93.94-11.1
|
#7 |
The following URL contains source and binary packages for powerpc resolving
CAN-2005-0605[1], which is described as:
The XPM library's scan.c file may allow attackers to execute arbitrary code
by crafting a malicious XPM image file containing a negative bitmap_unit
value that provokes a buffer overflow.
http://
I'm attaching a GPG-signed file, MD5SUMS.txt, that you can use to verify
the download.
This package makes two changes:
1) It applies the purported fix for CAN-2005-0605. I know of no exploit
for this vulnerability, so I was unable to test this.
2) It fixes the regression in XPM file-writing introduced by the fix for
CAN-2004-0914 (in -16woody5). I confirmed that saving XPM files in a
woody environment with -16woody5 with the GIMP didn't work, and that
upgrading to -16woody6 restored the functionality.
Please also find at the above URL:
* my package build log, xfree86_
clean, up-to-date woody chroot
* xfree86_
installing and purging these packages in a woody chroot
* xfree86_
upgrading these packages from -16woody5 and downgrading them back to
-16woody5 in a woody chroot
* test-x11-packages, the shell script I used to automate the above QA tests
Please let me know if you require anything else regarding this
vulnerability.
[1] http://
--
G. Branden Robinson | Somewhere, there is a .sig so funny
Debian GNU/Linux | that reading it will cause an
<email address hidden> | aneurysm. This is not that .sig.
http://
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 03:35:32 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
|
#9 |
Branden Robinson wrote:
> The following URL contains source and binary packages for powerpc resolving
> CAN-2005-0605[1], which is described as:
>
> The XPM library's scan.c file may allow attackers to execute arbitrary code
> by crafting a malicious XPM image file containing a negative bitmap_unit
> value that provokes a buffer overflow.
Looks fine, pushed into the buildd network. Thanks a lot!
Regards,
Joey
--
A mathematician is a machine for converting coffee into theorems. Paul Erdös
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 16:44:07 +0100
From: Martin Schulze <email address hidden>
To: Branden Robinson <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
|
#11 |
clone 298939 -1
retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
reassign -1 lesstif1-1
# I don't actually know if it's fixed upstream yet in LessTif, but I'm
# guessing it's not.
tag -1 - fixed-upstream
# libxpm4 is not fixed until the security buildds' packages are uploaded.
tag 298939 - fixed
thanks
Hi Joey,
Did you mean to only reference #298939 in your NMU of lesstif1-1? You said
"Closes:", which marked as fixed the bug I filed against libxpm4, which is
not part of lesstif1-1 and is not yet fixed.
I am assuming your closing of #298939 is in error (since it's not
accurate), and cloning a copy of it for CAN-2005-0605's affect of
lesstif1-1.
--
G. Branden Robinson |
Debian GNU/Linux | If ignorance is bliss,
<email address hidden> | is omniscience hell?
http://
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 15:37:52 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: #298939 should not have been marked fixed by lesstif1-1 NMU
|
#13 |
tag 298183 fixed
merge 298183 299236
thanks
Branden Robinson wrote:
> clone 298939 -1
> retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CAN-2005-0605
> reassign -1 lesstif1-1
> # I don't actually know if it's fixed upstream yet in LessTif, but I'm
> # guessing it's not.
> tag -1 - fixed-upstream
> # libxpm4 is not fixed until the security buildds' packages are uploaded.
> tag 298939 - fixed
> thanks
>
> Hi Joey,
>
> Did you mean to only reference #298939 in your NMU of lesstif1-1? You said
> "Closes:", which marked as fixed the bug I filed against libxpm4, which is
> not part of lesstif1-1 and is not yet fixed.
>
> I am assuming your closing of #298939 is in error (since it's not
> accurate), and cloning a copy of it for CAN-2005-0605's affect of
> lesstif1-1.
Sorry, I meant to refer to bug #298183 which was already open on
lesstif1 for the same vulnerability.
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 17:53:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: #298939 should not have been marked fixed by lesstif1-1 NMU
|
#15 |
clone 298939 -1
reassign -1 libxpm4
retitle 298939 xlibs: new buffer overflow security hole (CAN-2005-0605)
reassign 298939 xlibs
# Per the bug logs, the Debian Security Team has xfree86 4.1.0-16woody6,
# which fixes this. It's also fixed in the X Strike Force Subversion
# repository for XFree86, in branches/
tag 298939 + pending woody
thanks
--
G. Branden Robinson | Any man who does not realize that
Debian GNU/Linux | he is half an animal is only half a
<email address hidden> | man.
http://
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Sun, 13 Mar 2005 01:17:38 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Subject: cloning another copy of #298939 for xfree86 4.3
Daniel Stone (daniels) wrote : | #17 |
xorg (6.8.2-4) hoary; urgency=low
* Fix additional security vulnerability in Xpm's bitmap_unit checking
(closes: Ubuntu#7433, fdo#1920).
* Remove mac-usb- prefix from d-i keyboard mappings before we run our
detection routine (partially mitigates Ubuntu#7138).
* Move mkfontscale from xbase-clients to xutils, as it does not depend on
client-side X libraries, and mkfontdir from xutils was entirely reliant
on mkfontscale (closes: Ubuntu#7391).
* Add Swiss keymaps, thanks to Sylvain Pasche (closes: Ubuntu#7482).
* Update i810 driver from HEAD, which now finally has support for validating
modes against DDC ranges, and supports panels on pipe A (closes:
Ubuntu#5864, Ubuntu#6973).
-- Daniel Stone <email address hidden> Fri, 11 Mar 2005 12:53:55 +1100
|
#18 |
On Fri, Mar 11, 2005 at 03:35:32AM -0500, Branden Robinson wrote:
> The following URL contains source and binary packages for powerpc resolving
> CAN-2005-0605[1], which is described as:
>
> The XPM library's scan.c file may allow attackers to execute arbitrary code
> by crafting a malicious XPM image file containing a negative bitmap_unit
> value that provokes a buffer overflow.
>
> http://
Can someone tell me what the status of this is?
--
G. Branden Robinson | A celibate clergy is an especially
Free Software Developer | good idea, because it tends to
<email address hidden> | suppress any hereditary propensity
http://
|
#19 |
Branden Robinson wrote:
> On Fri, Mar 11, 2005 at 03:35:32AM -0500, Branden Robinson wrote:
> > The following URL contains source and binary packages for powerpc resolving
> > CAN-2005-0605[1], which is described as:
> >
> > The XPM library's scan.c file may allow attackers to execute arbitrary code
> > by crafting a malicious XPM image file containing a negative bitmap_unit
> > value that provokes a buffer overflow.
> >
> > http://
>
> Can someone tell me what the status of this is?
Sure. We don't have an ARM buildd for *stable* anymore.
Hence, the 11th architecture is missing.
Regards,
Joey
--
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Wed, 20 Apr 2005 23:28:34 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Thu, 21 Apr 2005 08:15:40 +0200
From: Martin Schulze <email address hidden>
To: Branden Robinson <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: xfree86 4.1.0-16woody6 available to fix CAN-2005-0605
|
#22 |
Hi Joey,
xfree86's fix for CAN-2005-0609 has not yet been uploaded to
testing/unstable. I expect to make an upload soon, however; the packages
are currently in preparation, and you can view the current status of the
SVN trunk at:
http://
specifically:
http://
Please go ahead and do the advisory for woody's xfree86 once you're ready.
I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
reason to expect that release to not fix CAN-2005-0609.
--
G. Branden Robinson | Suffer before God and ye shall be
Debian GNU/Linux | redeemed. God loves us, so He
<email address hidden> | makes us suffer Christianity.
http://
|
#23 |
Branden Robinson wrote:
> Hi Joey,
>
> xfree86's fix for CAN-2005-0609 has not yet been uploaded to
> testing/unstable. I expect to make an upload soon, however; the packages
> are currently in preparation, and you can view the current status of the
> SVN trunk at:
>
> http://
>
> specifically:
>
> http://
>
> Please go ahead and do the advisory for woody's xfree86 once you're ready.
> I've been working with vorlon regarding 4.3.0.dfsg.1-13, and there's no
> reason to expect that release to not fix CAN-2005-0609.
Understood. Do you want me to write that it'll be fixed in 4.3.0.dfsg.1-13
or should I write that it will be fixed soon?
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
|
#24 |
Joey,
You can write in the xfree86 DSA for CAN-2005-0609 that the sarge/sid
vulnerability will be fixed by xfree86 4.3.0.dfsg.1-13, which is currently
in preparation.
--
G. Branden Robinson | Never underestimate the power of
Debian GNU/Linux | human stupidity.
<email address hidden> | -- Robert Heinlein
http://
|
#25 |
Source: xfree86
Source-Version: 4.1.0-16woody6
We believe that the bug you reported is fixed in the latest version of
xfree86, which is due to be installed in the Debian FTP archive:
Changed in libxpm:
status: Unknown → Fix Released
Automatically imported from Debian bug report #298939 http://bugs.debian.org/298939