Your message dated Wed, 29 Sep 2010 16:17:22 +0000
with message-id <[email protected]>
and subject line Bug#598418: fixed in magics++ 2.10.0.dfsg-5
has caused the Debian Bug report #598418,
regarding libmagics++-dev: CVE-2010-3393: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
598418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598418
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmagics++-dev
Version: 2.10.0.dfsg-4
Severity: important
Tags: security
User: [email protected]
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.
Vulnerable code follows:
/usr/bin/magics-config line 105:
echo " export LD_LIBRARY_PATH=${prefix}/lib:\$LD_LIBRARY_PATH"
When there's an empty item in the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD).
If the given script is executed from a directory to which a potential
local attacker can write files, there's a chance to exploit this
bug.
While magics-config itself is not vulnerable, the generated code is.
This vulnerability has been assigned the CVE id CVE-2010-3393. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3393
[1] http://security-tracker.debian.org/tracker/CVE-2010-3393
Sincerely,
Raphael Geissert
--- End Message ---
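An added illustration of the mechanism the report describes (editor's example, not code from magics-config, the magics++ package or the Debian fix, which the thread does not show). It evaluates the quoted `${prefix}/lib:$LD_LIBRARY_PATH` form with the variable unset, shows the trailing ':' (an empty element that ld.so reads as the current directory), applies the POSIX `${var:+word}` idiom that appends the separator only when there is something to append, and includes a small audit check for empty elements in any ':'-separated search path. `prefix=/usr`, the function names and the `/opt/lib` value are assumptions for the demo.

```shell
#!/bin/sh
# Editor's example: empty elements in LD_LIBRARY_PATH (CVE-2010-3393 class).
# Not part of magics-config; prefix and function names are illustrative.

prefix=/usr   # assumed install prefix; the real script substitutes its own

# Value the user's shell ends up with after eval'ing the line quoted in the
# report: "${prefix}/lib:$LD_LIBRARY_PATH". With the variable unset or empty
# the result ends in ':', i.e. an empty element, which ld.so treats as '.'.
insecure_ldpath() {
    echo "${prefix}/lib:${LD_LIBRARY_PATH}"
}

# Hardened value: the ':' separator is emitted only when an existing value
# follows it (POSIX ${var:+word} expansion), so no empty element can appear.
secure_ldpath() {
    echo "${prefix}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
}

# The corresponding line a *-config script could print for users to eval.
# The expansion is escaped so it is deferred to the user's shell, as in the
# original magics-config output; only the joining logic differs.
emit_secure_export() {
    echo " export LD_LIBRARY_PATH=${prefix}/lib\${LD_LIBRARY_PATH:+:\$LD_LIBRARY_PATH}"
}

# Audit helper for any ':'-separated search path (LD_LIBRARY_PATH, PATH, ...):
# return 0 when no element is empty, 1 on a leading, trailing or doubled ':'.
# A completely empty value is fine: ld.so ignores an empty LD_LIBRARY_PATH.
has_no_empty_element() {
    [ -z "$1" ] && return 0
    case ":$1:" in
        *::*) return 1 ;;
    esac
    return 0
}

# Demo with the variable unset, in a subshell so the caller's env is untouched.
(
    unset LD_LIBRARY_PATH
    echo "insecure: '$(insecure_ldpath)'"   # trailing ':' -> empty element
    echo "secure:   '$(secure_ldpath)'"     # no trailing ':'
    echo "generated:$(emit_secure_export)"
)
```

The same idiom covers the reverse ordering: to put the existing value first, write `${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}${prefix}/lib`. Note that this demo computes the path values directly so they can be checked; the actual fix shipped in 2.10.0.dfsg-5 is only described in the changelog below as "Fix LD_LIBRARY_PATH edit", and its exact form is not on this page.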
--- Begin Message ---
Source: magics++
Source-Version: 2.10.0.dfsg-5
We believe that the bug you reported is fixed in the latest version of
magics++, which is due to be installed in the Debian FTP archive:
libmagics++-data_2.10.0.dfsg-5_all.deb
to main/m/magics++/libmagics++-data_2.10.0.dfsg-5_all.deb
libmagics++-dev_2.10.0.dfsg-5_i386.deb
to main/m/magics++/libmagics++-dev_2.10.0.dfsg-5_i386.deb
libmagplus3_2.10.0.dfsg-5_i386.deb
to main/m/magics++/libmagplus3_2.10.0.dfsg-5_i386.deb
magics++_2.10.0.dfsg-5.debian.tar.gz
to main/m/magics++/magics++_2.10.0.dfsg-5.debian.tar.gz
magics++_2.10.0.dfsg-5.dsc
to main/m/magics++/magics++_2.10.0.dfsg-5.dsc
magics++_2.10.0.dfsg-5_i386.deb
to main/m/magics++/magics++_2.10.0.dfsg-5_i386.deb
python-magics++_2.10.0.dfsg-5_i386.deb
to main/m/magics++/python-magics++_2.10.0.dfsg-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alastair McKinstry <[email protected]> (supplier of updated magics++ package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 29 Sep 2010 12:43:09 +0100
Source: magics++
Binary: libmagplus3 libmagics++-dev magics++ python-magics++ libmagics++-data
Architecture: source all i386
Version: 2.10.0.dfsg-5
Distribution: unstable
Urgency: low
Maintainer: Alastair McKinstry <[email protected]>
Changed-By: Alastair McKinstry <[email protected]>
Description:
libmagics++-data - Data files needed for magics++ library
libmagics++-dev - Development files for ECMWF plotting software MAGICS++
libmagplus3 - ECMWF meteorological plotting software library
magics++ - Executables for the magics++ library
python-magics++ - python support for Magics++
Closes: 598418
Changes:
magics++ (2.10.0.dfsg-5) unstable; urgency=low
.
* CVE-2010-3393: Fix LD_LIBRARY_PATH edit. Closes: #598418.
Checksums-Sha1:
b0e25ba2131f6a02a6846f9bcd1cc54ac3a6d2b5 1488 magics++_2.10.0.dfsg-5.dsc
17b714a685541ed898f39afdb9377c8a953e1473 904831 magics++_2.10.0.dfsg-5.debian.tar.gz
4dcf66c01d8dc0415f30719e334ba2f66539ccdf 4066910 libmagics++-data_2.10.0.dfsg-5_all.deb
84322918720a69eaf860ef9f9e6819fa7e49f266 2684062 libmagplus3_2.10.0.dfsg-5_i386.deb
e3072055479bc07f52714b4f99adaaab6af3846f 7574542 libmagics++-dev_2.10.0.dfsg-5_i386.deb
863a7b3478b2f92a6cbd38df099fe3cf56724ae5 18722 magics++_2.10.0.dfsg-5_i386.deb
ddbb310b96e8518ddecbbf0f6d2463b7e7104d50 38362 python-magics++_2.10.0.dfsg-5_i386.deb
Checksums-Sha256:
98d43d0e56fa1c40e5b41110650929b7344ab65d078dccf65e844e926e090b71 1488 magics++_2.10.0.dfsg-5.dsc
3015019c1e8d4aeaecb2053d36d6b923e04e3237793533ba974fb1ccbf58081d 904831 magics++_2.10.0.dfsg-5.debian.tar.gz
9da346e276e507db35bbb6f1f30a97266c2b0cd8a4dae9add69dc31c51a8b05b 4066910 libmagics++-data_2.10.0.dfsg-5_all.deb
c15da993b037905196543f04422ed8140162a2fd75000a7e08bfd511d3e61493 2684062 libmagplus3_2.10.0.dfsg-5_i386.deb
17b0c138a17e61c42ee366cedc3d442503f9a47277c93c33e89af022731bcb68 7574542 libmagics++-dev_2.10.0.dfsg-5_i386.deb
f9754426e263374c78a3df24237da1e5c58bcd30657f90a3297970a9b3d17f81 18722 magics++_2.10.0.dfsg-5_i386.deb
4ffbde0711482b9f07bf73c3d9c1b8e89e5f9ea766fe9de606fdafe216aa6974 38362 python-magics++_2.10.0.dfsg-5_i386.deb
Files:
16c742acc09eec579a57bc7306348054 1488 utils optional magics++_2.10.0.dfsg-5.dsc
a9a980368dbadf7a31657ebd7645410a 904831 utils optional magics++_2.10.0.dfsg-5.debian.tar.gz
220438a6837a6deac64350ceccd117fa 4066910 utils optional libmagics++-data_2.10.0.dfsg-5_all.deb
1f9db235fa1a1d0958602541f3416802 2684062 libs optional libmagplus3_2.10.0.dfsg-5_i386.deb
d0798050bccf0c502cebaf2ee9c7ba49 7574542 libdevel optional libmagics++-dev_2.10.0.dfsg-5_i386.deb
40a0ace35f691ce48a1be6abccd8a6c7 18722 utils optional magics++_2.10.0.dfsg-5_i386.deb
83ce25d23034dbaf5620588c15cb206e 38362 python optional python-magics++_2.10.0.dfsg-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyfPrcACgkQQTK/kCo4XFexUwCgt9e/yza0PQD15PMwsrM1QqT8
9IIAnic430Oje2Oa0RxMs/ZpVIo2Fmyn
=KHIR
-----END PGP SIGNATURE-----
--- End Message ---