Your message dated Thu, 21 Aug 2008 18:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#495770: fixed in marble 0.6+svn837399-2
has caused the Debian Bug report #495770,
regarding marble has rpath to insecure location 
(/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
495770: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495770
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: marble
Version: 0.6+svn837399-1
Severity: serious
Tags: security

Hello Carsten,
the amd64 marble package includes an ELF file
/usr/lib/marble/plugins/libMarbleStarsPlugin.so with a rpath pointing to
/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/.

There are others:

$chrpath /usr/lib/marble/plugins/*
/usr/lib/marble/plugins/libCompassFloatItem.so: RPATH=/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/
/usr/lib/marble/plugins/libMapScaleFloatItem.so: RPATH=/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/
/usr/lib/marble/plugins/libMarbleOverviewMap.so: RPATH=/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/
/usr/lib/marble/plugins/libMarbleStarsPlugin.so: RPATH=/tmp/buildd/marble-0.6+svn837399/debian/tmp/usr/

This allows an attacker with write access to that directory to
add modified libraries which will be loaded when someone
else runs marble.

Cheers,
-- 
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here. 



--- End Message ---
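An audit script for the class of defect reported above, added here as an example (it is not part of the bug report or of the marble package): it reads the DT_RPATH/DT_RUNPATH entries straight out of a little-endian ELF64 object (the amd64 case in the report) and flags entries that someone other than the package owner could populate. The WRITABLE_PREFIXES list is a constructed policy for the example, and $ORIGIN entries are deliberately skipped because they resolve to the object's own directory, which needs a separate ownership check.

```python
import struct
import sys

# Prefixes an unprivileged local user can normally write under (constructed
# list for this example; extend it to match your site's policy).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SHT_DYNAMIC, DT_NULL, DT_RPATH, DT_RUNPATH = 6, 0, 15, 29

def insecure_rpath_entries(rpath):
    """Entries of a colon-separated RPATH/RUNPATH that someone other than the
    package owner could populate: empty (= cwd), relative, or world-writable."""
    bad = []
    for entry in rpath.split(":"):
        if entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # resolves to the object's own directory; audit that one separately
        if entry == "" or not entry.startswith("/"):
            bad.append(entry)
        elif any((entry + "/").startswith(p) for p in WRITABLE_PREFIXES):
            bad.append(entry)
    return bad

def elf_rpaths_from_bytes(data):
    """DT_RPATH/DT_RUNPATH strings of a little-endian ELF64 image (amd64 etc.),
    or None if the bytes are not such an image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    shdrs = []  # (sh_type, sh_offset, sh_size, sh_link) per Elf64_Shdr
    for i in range(e_shnum):
        _, typ, _, _, off, size, link, _ = struct.unpack_from("<IIQQQQII", data, e_shoff + i * e_shentsize)
        shdrs.append((typ, off, size, link))
    found = []
    for typ, off, size, link in shdrs:
        if typ != SHT_DYNAMIC:
            continue
        strtab = shdrs[link][1]  # .dynamic's sh_link is its string table (.dynstr)
        for pos in range(off, off + size, 16):  # one Elf64_Dyn per 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in (DT_RPATH, DT_RUNPATH):
                found.append(data[strtab + d_val:data.index(b"\0", strtab + d_val)].decode("latin-1"))
    return found

if __name__ == "__main__":  # e.g.: python3 audit_rpath.py /usr/lib/marble/plugins/*.so
    for path in sys.argv[1:]:
        for rp in elf_rpaths_from_bytes(open(path, "rb").read()) or []:
            print(f"{path}: RPATH={rp!r} insecure entries: {insecure_rpath_entries(rp)}")
```

Run it over a package's installed plugins before upload; any non-empty "insecure entries" list is the condition this bug report describes.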
--- Begin Message ---
Source: marble
Source-Version: 0.6+svn837399-2

We believe that the bug you reported is fixed in the latest version of
marble, which is due to be installed in the Debian FTP archive:

marble-data_0.6+svn837399-2_all.deb
  to pool/main/m/marble/marble-data_0.6+svn837399-2_all.deb
marble_0.6+svn837399-2.diff.gz
  to pool/main/m/marble/marble_0.6+svn837399-2.diff.gz
marble_0.6+svn837399-2.dsc
  to pool/main/m/marble/marble_0.6+svn837399-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Wolff <[EMAIL PROTECTED]> (supplier of updated marble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Thu, 21 Aug 2008 19:07:15 +0200
Source: marble
Binary: marble marble-data
Architecture: source all
Version: 0.6+svn837399-2
Distribution: unstable
Urgency: high
Maintainer: Carsten Wolff <[EMAIL PROTECTED]>
Changed-By: Carsten Wolff <[EMAIL PROTECTED]>
Description: 
 marble     - generic geographical map widget
 marble-data - data files for Marble
Closes: 495770
Changes: 
 marble (0.6+svn837399-2) unstable; urgency=high
 .
   * removed rpath from the plugin libraries (security)
     (Closes: #495770)




--- End Message ---
