vulnerable to holes fixed by DSA-549-1

Bug #8129 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
gtk+2.0 (Debian) | Fix Released | Unknown | |
gtk+2.0 (Ubuntu) | Invalid | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #272166 http://bugs.debian.org/272166

In , Sebastien Bacher (seb128) wrote : Re: Bug#272166: vulnerable to holes fixed by DSA-549-1

On Friday 17 September 2004 at 19:09 -0400, Joey Hess wrote:
> Package: gtk+2.0
> Severity: grave
>
> For the record: This package is vulnerable to the security holes fixed
> in stable by DSA-549-1. The CAN numbers of these security holes are
> CAN-2004-0782 CAN-2004-0783 CAN-2004-0788.

Is there a problem with the package uploaded today ? If not the bug
should probably be tagged + sarge ...

 gtk+2.0 (2.4.9-2) unstable; urgency=high
 .
   * debian/patches/002_xpmico.patch:
     - fix CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm.
     - fix CAN-2004-0783 Stack-based overflow in xpm_extract_color.
     - fix CAN-2004-0788 ico loader integer overflow.

Thanks,

Sebastien Bacher

In , Joey Hess (joeyh) wrote :

Sebastien Bacher wrote:
> Is there a problem with the package uploaded today ? If not the bug
> should probably be tagged + sarge ...

I'm sorry that I missed that. I pinged Joey before sending the bug and
he said he'd talked to you but no fix had been uploaded yet. This bug
does not need to stay open to track the fix for sarge, though you may
want to add something to http://www.wolffelaar.nl/~sarge/

--
see shy jo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 17 Sep 2004 19:09:08 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: vulnerable to holes fixed by DSA-549-1

Package: gtk+2.0
Severity: grave

For the record: This package is vulnerable to the security holes fixed
in stable by DSA-549-1. The CAN numbers of these security holes are
CAN-2004-0782 CAN-2004-0783 CAN-2004-0788.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US

--
see shy jo


Sebastien Bacher (seb128) wrote :

already fixed in warty

Debian Bug Importer (debzilla) wrote :

Message-Id: <1095463954.27651.17.camel@seb128>
Date: Sat, 18 Sep 2004 01:32:34 +0200
From: Sebastien Bacher <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#272166: vulnerable to holes fixed by DSA-549-1

On Friday 17 September 2004 at 19:09 -0400, Joey Hess wrote:
> Package: gtk+2.0
> Severity: grave
>
> For the record: This package is vulnerable to the security holes fixed
> in stable by DSA-549-1. The CAN numbers of these security holes are
> CAN-2004-0782 CAN-2004-0783 CAN-2004-0788.

Is there a problem with the package uploaded today ? If not the bug
should probably be tagged + sarge ...

 gtk+2.0 (2.4.9-2) unstable; urgency=high
 .
   * debian/patches/002_xpmico.patch:
     - fix CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm.
     - fix CAN-2004-0783 Stack-based overflow in xpm_extract_color.
     - fix CAN-2004-0788 ico loader integer overflow.

Thanks,

Sebastien Bacher

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 17 Sep 2004 19:49:09 -0400
From: Joey Hess <email address hidden>
To: Sebastien Bacher <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#272166: vulnerable to holes fixed by DSA-549-1


Sebastien Bacher wrote:
> Is there a problem with the package uploaded today ? If not the bug
> should probably be tagged + sarge ...

I'm sorry that I missed that. I pinged Joey before sending the bug and
he said he'd talked to you but no fix had been uploaded yet. This bug
does not need to stay open to track the fix for sarge, though you may
want to add something to http://www.wolffelaar.nl/~sarge/

--
see shy jo


Changed in gtk+2.0:
status: Unknown → Fix Released