Comment 12 for bug 7373

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 01:24:25 -0800
From: Matt Zimmerman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2003-0848: heap overflow in slocate

Package: slocate
Version: 2.7-2
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0848
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt

The strange thing is, this advisory claims that slocate 2.7 is not
vulnerable. However, I see no changelog entries, nor actual code changes,
to indicate that this bug has been fixed. Neither the advisory's suggested
change, nor any other that I can see which would affect this bug, has been
made. So, I currently have little confidence that this bug is actually
fixed in 2.7. Furthermore, we ship slocate 2.6 in woody, which would seem
to be certainly affected by this bug.

Any additional information or assistance that you can provide would be
appreciated. See:

http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-bug-security

for some guidelines.

-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages slocate depends on:
ii adduser 3.51 Add and remove users and groups
ii dpkg 1.10.18 Package maintenance system for Deb
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an

-- no debconf information

--
 - mdz