Your message dated Sat, 09 Oct 2010 22:02:37 +0000
with message-id <e1p4huz-0005sd...@franck.debian.org>
and subject line Bug#598296: fixed in vips 7.22.4-1
has caused the Debian Bug report #598296,
regarding libvips-tools: CVE-2010-3364: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libvips-tools
Version: 7.22.2-2+b1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/vips-7.22 line 108:
        export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3364. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364
[1] http://security-tracker.debian.org/tracker/CVE-2010-3364

Sincerely,
Raphael Geissert



--- End Message ---
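The empty-element behaviour the report describes, as an added shell example that is not part of the bug report or of the vips package: the naive prepend from the reported line is shown beside a safe form that only emits a separator when there is something to separate, plus a check for empty elements in a colon-separated search path. VIPSHOME=/opt/vips is a placeholder directory assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the vips package or the bug report.
# VIPSHOME is a placeholder directory assumed for illustration.
VIPSHOME=${VIPSHOME:-/opt/vips}

# Naive prepend, as in the reported /usr/bin/vips-7.22 line: when
# LD_LIBRARY_PATH is unset or empty this yields "$VIPSHOME/lib:" and the
# trailing empty element is treated by ld.so as the current directory.
naive_ld_path() {
    printf '%s:%s' "$VIPSHOME/lib" "$LD_LIBRARY_PATH"
}

# Safe prepend: add the separator only when LD_LIBRARY_PATH already has
# content, so no empty element is ever introduced.
safe_ld_path() {
    if [ -n "$LD_LIBRARY_PATH" ]; then
        printf '%s:%s' "$VIPSHOME/lib" "$LD_LIBRARY_PATH"
    else
        printf '%s' "$VIPSHOME/lib"
    fi
}

# Returns 0 when the colon-separated path in $1 has no empty element
# (leading, trailing or doubled colon), 1 when it has one. An entirely
# empty value is treated as clean: it adds no search directory at all.
ld_path_is_clean() {
    if [ -z "$1" ]; then
        return 0
    fi
    case ":$1:" in
        *::*) return 1 ;;
    esac
    return 0
}

# Demonstration: with LD_LIBRARY_PATH unset, the naive form leaves a
# trailing empty element; the safe form does not.
unset LD_LIBRARY_PATH
printf 'naive: %s\n' "$(naive_ld_path)"
printf 'safe:  %s\n' "$(safe_ld_path)"
if ld_path_is_clean "$(naive_ld_path)"; then
    echo 'naive path is clean'
else
    echo 'naive path contains an empty element (searched as ".")'
fi
```

The same defect appears with `PATH=$PATH:/extra` style lines when the original variable is empty, so the `ld_path_is_clean` check is worth running on any search-path variable a wrapper script exports before it execs the real binary.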
--- Begin Message ---
Source: vips
Source-Version: 7.22.4-1

We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive:

libvips-dev_7.22.4-1_amd64.deb
  to main/v/vips/libvips-dev_7.22.4-1_amd64.deb
libvips-doc_7.22.4-1_all.deb
  to main/v/vips/libvips-doc_7.22.4-1_all.deb
libvips-tools_7.22.4-1_amd64.deb
  to main/v/vips/libvips-tools_7.22.4-1_amd64.deb
libvips15_7.22.4-1_amd64.deb
  to main/v/vips/libvips15_7.22.4-1_amd64.deb
python-vipscc_7.22.4-1_amd64.deb
  to main/v/vips/python-vipscc_7.22.4-1_amd64.deb
vips_7.22.4-1.debian.tar.gz
  to main/v/vips/vips_7.22.4-1.debian.tar.gz
vips_7.22.4-1.dsc
  to main/v/vips/vips_7.22.4-1.dsc
vips_7.22.4.orig.tar.gz
  to main/v/vips/vips_7.22.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <q...@debian.org> (supplier of updated vips package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Oct 2010 10:39:23 -0400
Source: vips
Binary: libvips15 libvips-dev libvips-tools python-vipscc libvips-doc
Architecture: source all amd64
Version: 7.22.4-1
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Jay Berkenbilt <q...@debian.org>
Description: 
 libvips-dev - image processing system good for very large images (dev)
 libvips-doc - image processing system good for very large images (doc)
 libvips-tools - image processing system good for very large images (tools)
 libvips15  - image processing system good for very large images
 python-vipscc - image processing system good for very large images (tools)
Closes: 598296
Changes: 
 vips (7.22.4-1) unstable; urgency=low
 .
   * New upstream release
   * Upstream release includes fix to CVE-2010-3364: insecure library
     loading.  (Closes: #598296)
Checksums-Sha1: 
 39ae95983d9dfcd673dbbe82bb2a80173e36ea34 2113 vips_7.22.4-1.dsc
 77fb29e97b31b45ae62e163f379e5bd7397e703f 3226315 vips_7.22.4.orig.tar.gz
 3fe60aa2b7aec11ec4a051b025c874c47a1853ba 7410 vips_7.22.4-1.debian.tar.gz
 05bf3d5e622a82ad5714d1caf23f742347d089a7 423696 libvips-doc_7.22.4-1_all.deb
 0e6b44c2adbcbb97517dd1e75fc08173e20d9db4 655792 libvips15_7.22.4-1_amd64.deb
 352756020a1548a80d40a3aba5f2c587932e4b85 1003778 libvips-dev_7.22.4-1_amd64.deb
 bfa9f1acaca3f4ed7f2fdaac4dcf906b50b699ce 88586 libvips-tools_7.22.4-1_amd64.deb
 0608f76ded31bb717ef9038919b4550bdeccd63c 1615832 python-vipscc_7.22.4-1_amd64.deb
Checksums-Sha256: 
 3117c26dc09ee5803525f1a07a21d7d13cd0ba0c45405f41552ef95d5ccf97ee 2113 vips_7.22.4-1.dsc
 b46e261208d83fc79ca3a3c87c54ccac432d1d2117c3f789715491e35bb9a514 3226315 vips_7.22.4.orig.tar.gz
 911265225b1958017114d1cafbd2595e390b70a180f4678e53f9cb81b45cafbf 7410 vips_7.22.4-1.debian.tar.gz
 1840204f940f7682d01e8e1555ec54a32d6d6c464e5f7511308a5cfb135f1a03 423696 libvips-doc_7.22.4-1_all.deb
 48a73ca56e41931aea4e695d09459718e0f1fdd4fbab97b7890aa12e2813338f 655792 libvips15_7.22.4-1_amd64.deb
 0144130e9acfa47ba1e967b1d421de3ee250130fd613f21479f7a1e5d7c6624d 1003778 libvips-dev_7.22.4-1_amd64.deb
 3a9521efc8a1fae19fe61475dcba87314266ccb558dfbbd9f601069b67bc4836 88586 libvips-tools_7.22.4-1_amd64.deb
 06b653a8cc98c4ca769cf277fb2f493c968705dafd87f21c4f7f104ef9da6823 1615832 python-vipscc_7.22.4-1_amd64.deb
Files: 
 c7387669fe9a2c1c16c49262bc6c27af 2113 libs optional vips_7.22.4-1.dsc
 852913223ce5dc115bc7088e7c9d1596 3226315 libs optional vips_7.22.4.orig.tar.gz
 fae86735d17418fa47c39202535ef40d 7410 libs optional vips_7.22.4-1.debian.tar.gz
 3a2a06adf8f73d965672318a6e664af3 423696 doc optional libvips-doc_7.22.4-1_all.deb
 473565858298c0bdd8cd4edf15b8217a 655792 libs optional libvips15_7.22.4-1_amd64.deb
 18fe49642606d9b454dd72fc546f0957 1003778 libdevel optional libvips-dev_7.22.4-1_amd64.deb
 ceb39a028624bd48ab1e2bb840e527bb 88586 graphics optional libvips-tools_7.22.4-1_amd64.deb
 72407f9cfee4dce66661c4bf1e93f59d 1615832 python optional python-vipscc_7.22.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---