Andrew V. Samoilov has noticed that several bugfixes which were applied to the source by upstream developers of mc, the midnight commander, a file browser and manager, were not backported to the current version of mc that Debian ships in their stable release. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:

* CAN-2004-1004 Multiple format string vulnerabilities
* CAN-2004-1005 Multiple buffer overflows
* CAN-2004-1009 One infinite loop vulnerability
* CAN-2004-1090 Denial of service via corrupted section header
* CAN-2004-1091 Denial of service via null dereference
* CAN-2004-1092 Freeing unallocated memory
* CAN-2004-1093 Denial of service via use of already freed memory
* CAN-2004-1174 Denial of service via manipulating non-existing file handles
* CAN-2004-1175 Unintended program execution via insecure filename quoting
* CAN-2004-1176 Denial of service via a buffer underflow
Heinrich please verify and advise.
lanius: if you think you won't have time for such a large-scale patch, should we mask mc? Or do you think you can find another maintainer/herd to help you?
I had to apply parts of/the complete patches of: CAN-2004-1004, CAN-2004-1005, CAN-2004-1092, CAN-2004-1176.

mc-4.6.0-r13 marked: amd64, x86
mc-4.6.0-r13 missing keywords: ~alpha ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc
Thx Heinrich. Arches please test and mark stable.
Stable on ppc.
stable on ppc64
Stable on alpha.
Stable on SPARC.
lanius: this wasn't keyworded x86 and amd64.
sorry, now it is
Thx everyone. GLSA 200502-24. mips, please remember to mark stable.
Stable on mips.