several vulnerabilities

Bug #96712 reported by Michael Bienia on 2007-03-26
254
Affects Status Importance Assigned to Milestone
ekg (Ubuntu)
Low
Unassigned
Breezy
Low
Kees Cook
Dapper
Low
Kees Cook
Edgy
Low
Kees Cook
Feisty
Low
Unassigned

Bug Description

Binary package hint: ekg

Please sync ekg (1:1.7~rc2-2) from Debian unstable (main).

The Ubuntu package has no changes.

The package builds cleanly in a feisty pbuilder.

Changelog:

ekg (1:1.7~rc2-2) unstable; urgency=high

  * Security upload, for sid and etch
  * Patched three medium severity security issues in src/events.c:
    - CVE-2007-1663 A memory leak in handling image messages, which may cause
      memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
      a hostile GG user.
    - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
      pointer dereference resulting in a DoS (ekg program crash). Exploitable
      by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
      server.
    - CVE-2007-1665 potential memory exhaust in token OCR function, which may
      cause memory exhaustion resulting in a DoS (ekg program crash).
      Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
      hostile GG server.

 -- Marcin Owsiany <email address hidden> Mon, 26 Mar 2007 18:53:19 +0100

Kees Cook (kees) on 2007-03-26
Changed in ekg:
status: Unconfirmed → Confirmed
Kees Cook (kees) wrote :

This needs a full update breezy through feisty. Debian's update appears to only be the security updates.

Changed in ekg:
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → In Progress
assignee: nobody → keescook
importance: Undecided → Low
status: Unconfirmed → In Progress
importance: Undecided → Low
importance: Undecided → Low
status: Unconfirmed → In Progress
assignee: nobody → keescook
Sebastien Bacher (seb128) wrote :

[Updating] ekg (1:1.7~rc2-1build1 [Ubuntu] < 1:1.7~rc2-2 [Debian])
 * Trying to add ekg...
  - <ekg_1.7~rc2-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2-2.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <ekg_1.7~rc2.orig.tar.gz: already in distro - downloading from librarian>
I: ekg [main] -> ekg_1:1.7~rc2-1build1 [universe].
I: ekg [main] -> libgadu-dev_1:1.7~rc2-1build1 [main].
I: ekg [main] -> libgadu3_1:1.7~rc2-1build1 [main].

Changed in ekg:
status: Confirmed → Fix Released
Martin Pitt (pitti) wrote :

Sorry, we cannot sync to stable releases, so I unsubscribe ubuntu-archive and change the bug title. This needs to be handled with normal -security uploads and backported patches.

Marco Rodrigues (gothicx) wrote :

Breezy support is over.. Today it's Breezy End Of Life!

Changed in ekg:
status: In Progress → Rejected
Kees Cook (kees) wrote :

Turns out that Dapper and Edgy are not vulnerable.

Changed in ekg:
status: In Progress → Rejected
status: In Progress → Rejected
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers