Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 01:24:25 -0800
From: Matt Zimmerman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2003-0848: heap overflow in slocate
Package: slocate
Version: 2.7-2
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt
The strange thing is, this advisory claims that slocate 2.7 is not
vulnerable. However, I see no changelog entries, nor actual code changes,
to indicate that this bug has been fixed. Neither the advisory's suggested
change, nor any other that I can see which would affect this bug, has been
made. So, I currently have little confidence that this bug is actually
fixed in 2.7. Furthermore, we ship slocate 2.6 in woody, which would seem
to be certainly affected by this bug.
Any additional information or assistance that you can provide would be
appreciated. See:
http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security
for some guidelines.
-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages slocate depends on:
ii adduser 3.51 Add and remove users and groups
ii dpkg 1.10.18 Package maintenance system for Deb
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
-- no debconf information
--
- mdz