Your message dated Tue, 28 Sep 2010 06:47:32 +0000
with message-id <[email protected]>
and subject line Bug#598287: fixed in dropbox 0.8.107-1
has caused the Debian Bug report #598287,
regarding dropbox: CVE-2010-3354: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
598287: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598287
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dropbox
Version: 0.7.110-1+b2
Severity: important
Tags: security
User: [email protected]
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.
Vulnerable code follows:
/usr/lib/dropbox/dropboxd line 9:
LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential
local attacker can write files, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3354. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
I've already tried to contact upstream via their tickets system,
without response so far.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3354
[1] http://security-tracker.debian.org/tracker/CVE-2010-3354
Sincerely,
Raphael Geissert
--- End Message ---
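The report above describes how "$PAR:$LD_LIBRARY_PATH" produces a trailing empty element, which ld.so reads as the current directory, whenever LD_LIBRARY_PATH is unset. The following shell example is added here and is not code from the bug report or the dropbox package; it reproduces the vulnerable concatenation beside a hardened form that appends the existing value only when it is non-empty, plus a check that flags empty elements in any colon-separated search path. The name PAR is taken from the report; the directory values are constructed samples.

```shell
#!/bin/sh
# Added example; not the dropbox package's dropboxd script.
# The reported line was:  LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH
# With LD_LIBRARY_PATH unset this yields "$PAR:", and ld.so treats the
# trailing empty element as "." (the current working directory).

# Return 0 (true) if a colon-separated search path contains an empty
# element: a leading colon, a trailing colon, or "::" in the middle.
# An entirely empty string has no elements and is not flagged.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# The vulnerable construction: unconditional concatenation.
# $1 = PAR (the package's private library directory)
# $2 = the caller's current LD_LIBRARY_PATH (possibly empty)
vulnerable_ldpath() {
    printf '%s' "$1:$2"
}

# Hardened construction: only append the separator and the existing
# value when that value is non-empty, so no empty element can appear.
hardened_ldpath() {
    if [ -n "$2" ]; then
        printf '%s' "$1:$2"
    else
        printf '%s' "$1"
    fi
}

# Sample run with a constructed PAR value and LD_LIBRARY_PATH unset.
PAR=/usr/lib/dropbox
for f in vulnerable_ldpath hardened_ldpath; do
    v=$("$f" "$PAR" "${LD_LIBRARY_PATH:-}")
    if has_empty_element "$v"; then
        echo "$f -> '$v'  (UNSAFE: empty element, CWD is searched)"
    else
        echo "$f -> '$v'  (ok)"
    fi
done
```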
--- Begin Message ---
Source: dropbox
Source-Version: 0.8.107-1
We believe that the bug you reported is fixed in the latest version of
dropbox, which is due to be installed in the Debian FTP archive:
dropbox_0.8.107-1.debian.tar.gz
to non-free/d/dropbox/dropbox_0.8.107-1.debian.tar.gz
dropbox_0.8.107-1.dsc
to non-free/d/dropbox/dropbox_0.8.107-1.dsc
dropbox_0.8.107-1_amd64.deb
to non-free/d/dropbox/dropbox_0.8.107-1_amd64.deb
dropbox_0.8.107.orig-amd64.tar.bz2
to non-free/d/dropbox/dropbox_0.8.107.orig-amd64.tar.bz2
dropbox_0.8.107.orig-i386.tar.bz2
to non-free/d/dropbox/dropbox_0.8.107.orig-i386.tar.bz2
dropbox_0.8.107.orig.tar.bz2
to non-free/d/dropbox/dropbox_0.8.107.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ivan Borzenkov <[email protected]> (supplier of updated dropbox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Sun, 19 Sep 2010 01:48:36 +0400
Source: dropbox
Binary: dropbox
Architecture: source amd64
Version: 0.8.107-1
Distribution: unstable
Urgency: low
Maintainer: Ivan Borzenkov <[email protected]>
Changed-By: Ivan Borzenkov <[email protected]>
Description:
dropbox - secure backup, sync and sharing util
Closes: 592961 598287
Changes:
dropbox (0.8.107-1) unstable; urgency=low
.
* New upstream release
0.8.107:
- Fix issue when deleting files under short paths on the web interface.
- Fix possible infinite loop when Moving Dropbox.
- Support Debian style alternatives for web browser.
- Other smaller fixes
.
0.8.106:
- Better syslog for certain errors on Linux and OSX.
- Small UI fixes.
- Other smaller fixes
.
0.8.105:
- Fix regression in 0.8.104 that would cause Dropbox to redownload blocks.
- Other smaller fixes
.
0.8.104:
- Fix rare hangs when Dropbox is syncing.
* does not crash after start (Closes: #592961)
* remove dropboxd (Closes: #598287)
--- End Message ---