Your message dated Sat, 30 Oct 2010 16:02:19 +0000
with message-id <[email protected]>
and subject line Bug#598418: fixed in magics++ 2.10.0.dfsg-5.1
has caused the Debian Bug report #598418,
regarding libmagics++-dev: CVE-2010-3393: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
598418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598418
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libmagics++-dev
Version: 2.10.0.dfsg-4
Severity: important
Tags: security
User: [email protected]
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/magics-config line 105:
                echo "   export LD_LIBRARY_PATH=${prefix}/lib:\$LD_LIBRARY_PATH"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

While magics-config itself is not vulnerable, the generated code is.

This vulnerability has been assigned the CVE id CVE-2010-3393. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3393
[1] http://security-tracker.debian.org/tracker/CVE-2010-3393

Sincerely,
Raphael Geissert



--- End Message ---
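The report above hinges on one shell idiom: `${prefix}/lib:$LD_LIBRARY_PATH` always emits a colon, so when the variable is unset the generated value ends in an empty element, which ld.so searches as the current directory. The following is an added example, not code from the bug report, from magics-config or from the magics++ fix (the changelog only says "adjust $ldlib"); the prefix path is constructed and the `${VAR:+:$VAR}` form is one possible hardening, not necessarily the one the upload applied.

```sh
#!/bin/sh
# Added example (not from the bug report or magics++). Reproduces the
# effect of the generated line
#   export LD_LIBRARY_PATH=${prefix}/lib:$LD_LIBRARY_PATH
# when LD_LIBRARY_PATH is unset, and contrasts a construction that never
# emits an empty element. The prefix used below is constructed.

# Vulnerable construction: always emits ':' followed by the old value,
# so an unset or empty LD_LIBRARY_PATH leaves a trailing empty element.
vulnerable_ldpath() {
    # $1 = prefix, $2 = current LD_LIBRARY_PATH (may be empty)
    printf '%s\n' "$1/lib:$2"
}

# Hardened construction: the separator is only added when there is
# something to separate (${var:+word} expands to word iff var is non-empty).
hardened_ldpath() {
    printf '%s\n' "$1/lib${2:+:$2}"
}

# Return 0 if a colon-separated search path contains an empty element
# (leading, trailing or doubled colon); ld.so searches that element as
# the current directory. An entirely empty value is not flagged, since
# glibc ignores LD_LIBRARY_PATH when it is set to the empty string.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Return 0 if one line of shell text appends the old LD_LIBRARY_PATH
# with a bare ':' (the shape magics-config emitted) rather than through
# ${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}. A heuristic for auditing scripts.
line_has_insecure_ldpath_append() {
    case "$1" in
        *'${LD_LIBRARY_PATH:+'*) return 1 ;;
        *LD_LIBRARY_PATH=*':$LD_LIBRARY_PATH'*|*LD_LIBRARY_PATH=*':${LD_LIBRARY_PATH}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: what each form yields for whatever LD_LIBRARY_PATH is in effect.
demo() {
    prefix=/usr   # constructed; the real script substitutes its own prefix
    old="${LD_LIBRARY_PATH-}"
    echo "vulnerable: $(vulnerable_ldpath "$prefix" "$old")"
    echo "hardened:   $(hardened_ldpath "$prefix" "$old")"
    if has_empty_element "$(vulnerable_ldpath "$prefix" "$old")"; then
        echo "vulnerable form contains an empty element: ld.so would also search '.'"
    fi
}

demo
```

Run it with LD_LIBRARY_PATH unset to see the trailing colon; `has_empty_element` also catches a leading colon (`:/opt/lib`) and a doubled one (`/a::/b`), which are the same bug produced by prepending or by joining two possibly-empty values.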
--- Begin Message ---
Source: magics++
Source-Version: 2.10.0.dfsg-5.1

We believe that the bug you reported is fixed in the latest version of
magics++, which is due to be installed in the Debian FTP archive:

libmagics++-data_2.10.0.dfsg-5.1_all.deb
  to main/m/magics++/libmagics++-data_2.10.0.dfsg-5.1_all.deb
libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
libmagplus3_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/libmagplus3_2.10.0.dfsg-5.1_i386.deb
magics++_2.10.0.dfsg-5.1.debian.tar.gz
  to main/m/magics++/magics++_2.10.0.dfsg-5.1.debian.tar.gz
magics++_2.10.0.dfsg-5.1.dsc
  to main/m/magics++/magics++_2.10.0.dfsg-5.1.dsc
magics++_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/magics++_2.10.0.dfsg-5.1_i386.deb
python-magics++_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/python-magics++_2.10.0.dfsg-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <[email protected]> (supplier of updated magics++ package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Oct 2010 19:20:57 +0300
Source: magics++
Binary: libmagplus3 libmagics++-dev magics++ python-magics++ libmagics++-data
Architecture: source all i386
Version: 2.10.0.dfsg-5.1
Distribution: unstable
Urgency: low
Maintainer: Alastair McKinstry <[email protected]>
Changed-By: Jari Aalto <[email protected]>
Description: 
 libmagics++-data - Data files needed for magics++ library
 libmagics++-dev - Development files for ECMWF  plotting software MAGICS++
 libmagplus3 - ECMWF meteorological plotting software library
 magics++   - Executables for the magics++ library
 python-magics++ - python support for Magics++
Closes: 598418
Changes: 
 magics++ (2.10.0.dfsg-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/patches
     - (cve-2010-3393--bug598418): Refresh patch. Restore deleted line
       'python="@MAGICS_PYTHON@"' and adjust $ldlib.
       (important, security, reopened; Closes: #598418).
Checksums-Sha1: 
 7a0d6ed9961e931b4aa0a4f3cc8d9700ca3359ef 2136 magics++_2.10.0.dfsg-5.1.dsc
 703059827ad5f4dbe4c4e4268b39d1549c7cf36f 909288 magics++_2.10.0.dfsg-5.1.debian.tar.gz
 c5be29e4668e9aa5c102de4d1759f452117ca716 4071782 libmagics++-data_2.10.0.dfsg-5.1_all.deb
 e18314a2186479b3c3bfcf7fd95156d5de2d306a 2684178 libmagplus3_2.10.0.dfsg-5.1_i386.deb
 bad468550626acd712aa75d94a07879133c7870d 7576216 libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
 af070e3de7188709146ee528bc5fe0476c144e24 18784 magics++_2.10.0.dfsg-5.1_i386.deb
 ca289decdc4a8ed6efdd21e6836924c423898ec7 38496 python-magics++_2.10.0.dfsg-5.1_i386.deb
Checksums-Sha256: 
 afe5c939da28f7e176c09875f565dac23a398636fb3cc5f5e5f645ed924d077f 2136 magics++_2.10.0.dfsg-5.1.dsc
 cadfd7faf94b95c51122c4f0ded6334d1661fed922f2ce726b3160fec7ed418c 909288 magics++_2.10.0.dfsg-5.1.debian.tar.gz
 432502110b2d2f0f78d2816292e6f2b286b1b613292014cc8d8dfd4227ed4c41 4071782 libmagics++-data_2.10.0.dfsg-5.1_all.deb
 f6db05ff896a097d6b76bd400cde61d25293c9b3c53b7182bff0fb2acb312788 2684178 libmagplus3_2.10.0.dfsg-5.1_i386.deb
 9aeff89048d15f0ced2c09777e9cf88520209fa10ada368c454995222c80918a 7576216 libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
 0e6def7108202c0707e46af95ba7cdfd9319cbf88e1f7ee94a38f6ce0ca73021 18784 magics++_2.10.0.dfsg-5.1_i386.deb
 251d0df305530a526a67b8582f0c9baac1b165c46437b23be0f283801b9f3c00 38496 python-magics++_2.10.0.dfsg-5.1_i386.deb
Files: 
 06a696bf24ce4f3a631fb1a542f70fcc 2136 utils optional magics++_2.10.0.dfsg-5.1.dsc
 af72d2d8118273f49504fed03a04c44b 909288 utils optional magics++_2.10.0.dfsg-5.1.debian.tar.gz
 39a9524fbf8b0e47c4642e27606e6d3f 4071782 utils optional libmagics++-data_2.10.0.dfsg-5.1_all.deb
 3784d144be8faa2285c081e3a30e543c 2684178 libs optional libmagplus3_2.10.0.dfsg-5.1_i386.deb
 4effb2939a322d970c51f2a44e6046de 7576216 libdevel optional libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
 9d4af7a479f5285ec7fd1c9caaa49491 18784 utils optional magics++_2.10.0.dfsg-5.1_i386.deb
 75fc4dba6e2dd1e7b9a1764dfae8c3e6 38496 python optional python-magics++_2.10.0.dfsg-5.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---