CVE-2011-4620: Buffer overflow

Bug #946703 reported by Julian Taylor
This bug affects 2 people
Affects          Status        Importance  Assigned to  Milestone
plib (Debian)    Fix Released  Unknown
plib (Ubuntu)    Fix Released  Undecided   Unassigned
  Lucid          Fix Released  Undecided   Unassigned
  Maverick       Fix Released  Undecided   Unassigned
  Natty          Fix Released  Undecided   Unassigned
  Oneiric        Fix Released  Undecided   Unassigned

Bug Description

Imported from Debian bug http://bugs.debian.org/654785:

Source: plib
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
for references.

Cheers,
        Moritz


Julian Taylor (jtaylor)
Changed in plib (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in plib (Ubuntu Lucid):
status: New → Confirmed
Changed in plib (Ubuntu Maverick):
status: New → Confirmed
Changed in plib (Ubuntu Natty):
status: New → Confirmed
Changed in plib (Ubuntu Oneiric):
status: New → Confirmed
security vulnerability: no → yes
Tyler Hicks (tyhicks) wrote :

Hi Julian - Thanks for the fixes!

Since Debian has released an update for this issue and we were previously in sync with the Debian package, it is best if we do a fake sync. This allows us to do future fake syncs if another security update of plib is required.

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Syncs

Tyler Hicks (tyhicks) wrote :

I wasn't very clear in my last comment and wanted to make it clear that I'm currently doing the fake sync. I'm waiting on one last architecture to build and then I'll publish the updates.

Julian Taylor (jtaylor) wrote :

thanks, I wasn't aware syncing was an option.

Tyler Hicks (tyhicks) wrote :

plib (1.8.5-5+squeeze1build0.11.10.1) oneiric-security; urgency=low

  * fake sync from Debian

plib (1.8.5-5+squeeze1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Use vsnprintf to fix buffer overflow CVE-2011-4620 (Closes: #654785).
 -- Tyler Hicks <email address hidden> Wed, 07 Mar 2012 14:38:31 -0600

Changed in plib (Ubuntu Oneiric):
status: Confirmed → Fix Released
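The changelog quoted above says only that the overflow was closed by switching to vsnprintf. The following is an added example, not plib's code and not the Debian patch: a minimal variadic error-setter in the vulnerable vsprintf form next to the bounded vsnprintf form, with a guard word placed after the message buffer so the effect of the bound is observable. The buffer name and size (64 bytes), the sample messages and the 120-byte filename are all constructed for this illustration and are not taken from plib.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed-size message buffer shared by the
   library, followed by a guard word that an overflow out of the buffer
   would clobber. plib's real buffer name and size are not on this page. */
#define ERR_BUF_SIZE 64

static struct {
    char buf[ERR_BUF_SIZE];
    unsigned int guard;
} err = { "", 0xDEADBEEFu };

/* Vulnerable pattern: vsprintf writes as many bytes as the formatted
   message needs and has no knowledge of sizeof err.buf, so any message
   longer than ERR_BUF_SIZE - 1 bytes runs off the end of the buffer.
   Kept only for contrast; never call it with attacker-influenced input. */
void set_error_unsafe(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(err.buf, fmt, ap);
    va_end(ap);
}

/* Hardened form: vsnprintf is told the buffer size, always NUL-terminates
   when size > 0, and returns the length the full message would have had.
   Returns 0 on success, 1 if the message was truncated, -1 on a
   formatting error. */
int set_error(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(err.buf, sizeof err.buf, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        err.buf[0] = '\0';
        return -1;
    }
    return needed >= (int)sizeof err.buf ? 1 : 0;
}

const char *get_error(void)
{
    return err.buf;
}

/* 1 while the guard word after the buffer is untouched. */
int guard_intact(void)
{
    return err.guard == 0xDEADBEEFu;
}

/* Constructed oversize input: a 120-byte filename made of 'A's. */
const char *long_name(void)
{
    static char name[121];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    int truncated;

    truncated = set_error("cannot open %s", "model.ac");
    printf("[%s] truncated=%d guard=%d\n", get_error(), truncated, guard_intact());

    /* The same call through set_error_unsafe would overwrite err.guard and
       whatever follows it; with vsnprintf the message stops at 63 bytes. */
    truncated = set_error("cannot open %s", long_name());
    printf("len=%zu truncated=%d guard=%d\n",
           strlen(get_error()), truncated, guard_intact());
    return 0;
}
```

Two things a reviewer would check in a patch of this shape: that the size argument is the real buffer size (sizeof on the array, not on a pointer to it), and that the return value is inspected, since vsnprintf silently truncates rather than failing. Truncation is the safe outcome here, but a caller that later uses the message to build another string should know it is incomplete.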
Tyler Hicks (tyhicks) wrote :

plib (1.8.5-5+squeeze1build0.11.04.1) natty-security; urgency=low

  * fake sync from Debian

plib (1.8.5-5+squeeze1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Use vsnprintf to fix buffer overflow CVE-2011-4620 (Closes: #654785).
 -- Tyler Hicks <email address hidden> Wed, 07 Mar 2012 14:18:41 -0600

Changed in plib (Ubuntu Natty):
status: Confirmed → Fix Released
Tyler Hicks (tyhicks) wrote :

plib (1.8.5-5+squeeze1build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

plib (1.8.5-5+squeeze1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Use vsnprintf to fix buffer overflow CVE-2011-4620 (Closes: #654785).
 -- Tyler Hicks <email address hidden> Wed, 07 Mar 2012 14:11:19 -0600

Changed in plib (Ubuntu Maverick):
status: Confirmed → Fix Released
Tyler Hicks (tyhicks) wrote :

plib (1.8.5-5+squeeze1build0.10.04.1) lucid-security; urgency=low

  * fake sync from Debian

plib (1.8.5-5+squeeze1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Use vsnprintf to fix buffer overflow CVE-2011-4620 (Closes: #654785).
 -- Tyler Hicks <email address hidden> Wed, 07 Mar 2012 14:07:04 -0600

Changed in plib (Ubuntu Lucid):
status: Confirmed → Fix Released
dino99 (9d9) wrote :

what about Precise ?

Tyler Hicks (tyhicks) wrote :

Precise is already patched. It was fixed in Debian with version 1.8.5-5.1. Precise is currently at 1.8.5-5.2.

Changed in plib (Debian):
importance: Undecided → Unknown
status: New → Fix Released