Your message dated Sun, 03 Oct 2010 09:47:07 +0000
with message-id <[email protected]>
and subject line Bug#598297: fixed in mistelix 0.31-2
has caused the Debian Bug report #598297,
regarding mistelix: CVE-2010-3365: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
598297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598297
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mistelix
Version: 0.31-1
Severity: grave
Tags: security
User: [email protected]
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.
Vulnerable code follows:
/usr/bin/mistelix line 8:
export LD_LIBRARY_PATH=$libdir/mistelix/:$LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3365. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3365
[1] http://security-tracker.debian.org/tracker/CVE-2010-3365
Sincerely,
Raphael Geissert
--- End Message ---
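As an added illustration of the report above (this is not the reporter's code nor anything from the mistelix package), the following POSIX sh snippet shows the unconditional append from /usr/bin/mistelix next to the usual fix pattern, and a check that flags the empty element ld.so would resolve to the current directory. `libdir` and `inherited` are placeholder parameters standing in for $libdir and the caller's LD_LIBRARY_PATH.

```shell
#!/bin/sh
# Added example, not part of the Debian bug report or the mistelix package.
# The CVE-2010-3365 class of bug: appending ":$LD_LIBRARY_PATH" when that
# variable is unset leaves a trailing ':' (an empty element), which ld.so(8)
# interprets as '.' (the current working directory).

# Return 0 (true) when a colon-separated path value contains an empty
# element: a leading ':', a trailing ':' or a '::' in the middle.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Vulnerable pattern (as in /usr/bin/mistelix 0.31-1): the separator is
# always emitted, even when the inherited value is empty.
vulnerable_ld_path() {
    libdir=$1; inherited=$2
    printf '%s\n' "$libdir/mistelix/:$inherited"
}

# Hardened pattern: emit the separator only when there is an inherited
# value to keep (${var:+...} expands to nothing for unset or empty var).
safe_ld_path() {
    libdir=$1; inherited=$2
    printf '%s\n' "$libdir/mistelix/${inherited:+:$inherited}"
}

# Demonstration with a constructed libdir and an unset inherited path.
echo "vulnerable: $(vulnerable_ld_path /usr/lib '')"
echo "hardened:   $(safe_ld_path /usr/lib '')"
```

The same `${VAR:+:$VAR}` idiom applies to PATH, PERL5LIB, PYTHONPATH and any other colon-separated search list where an empty element means the current directory.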
--- Begin Message ---
Source: mistelix
Source-Version: 0.31-2
We believe that the bug you reported is fixed in the latest version of
mistelix, which is due to be installed in the Debian FTP archive:
mistelix_0.31-2.diff.gz
to main/m/mistelix/mistelix_0.31-2.diff.gz
mistelix_0.31-2.dsc
to main/m/mistelix/mistelix_0.31-2.dsc
mistelix_0.31-2_amd64.deb
to main/m/mistelix/mistelix_0.31-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Siegfried-Angel Gevatter Pujals <[email protected]> (supplier of updated
mistelix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 29 Sep 2010 12:58:25 +0200
Source: mistelix
Binary: mistelix
Architecture: source amd64
Version: 0.31-2
Distribution: unstable
Urgency: high
Maintainer: Siegfried-Angel Gevatter Pujals <[email protected]>
Changed-By: Siegfried-Angel Gevatter Pujals <[email protected]>
Description:
mistelix - DVD authoring and slideshow creation application
Closes: 598297
Changes:
mistelix (0.31-2) unstable; urgency=high
.
* Fix insecure LD_LIBRARY_PATH setting (Closes: #598297).
CVE-2010-3365.
--- End Message ---