Your message dated Wed, 29 Sep 2010 08:32:18 +0000
with message-id <e1p0s5k-0002la...@franck.debian.org>
and subject line Bug#598282: fixed in ardour 1:2.8.11-2
has caused the Debian Bug report #598282,
regarding ardour-i686: CVE-2010-3349: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598282: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598282
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ardour-i686
Version: 1:2.8.11-1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/ardour2 line 5:
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3349. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3349
[1] http://security-tracker.debian.org/tracker/CVE-2010-3349

Sincerely,
Raphael Geissert



--- End Message ---
--- Begin Message ---
Source: ardour
Source-Version: 1:2.8.11-2

We believe that the bug you reported is fixed in the latest version of
ardour, which is due to be installed in the Debian FTP archive:

ardour-i686_2.8.11-2_i386.deb
  to main/a/ardour/ardour-i686_2.8.11-2_i386.deb
ardour_2.8.11-2.debian.tar.gz
  to main/a/ardour/ardour_2.8.11-2.debian.tar.gz
ardour_2.8.11-2.dsc
  to main/a/ardour/ardour_2.8.11-2.dsc
ardour_2.8.11-2_i386.deb
  to main/a/ardour/ardour_2.8.11-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Knoth <a...@drcomp.erfurt.thur.de> (supplier of updated ardour package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 Sep 2010 16:44:12 +0200
Source: ardour
Binary: ardour ardour-altivec ardour-i686
Architecture: source i386
Version: 1:2.8.11-2
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers 
<pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Adrian Knoth <a...@drcomp.erfurt.thur.de>
Description: 
 ardour     - digital audio workstation (graphical gtk2 interface)
 ardour-altivec - digital audio workstation (graphical gtk2 interface) [altivec]
 ardour-i686 - digital audio workstation (graphical gtk2 interface) [i686]
Closes: 598282
Changes: 
 ardour (1:2.8.11-2) unstable; urgency=low
 .
   [ Jonas Smedegaard ]
   * Recommend iceweasel and only fallback on virtual www-browser, and
     drop superfluous fallback on firefox.
   * Refresh patch using shortinging options --no-timestamps --no-index -
     pab.
   * Maintain package relations in rules file.
   * Fix have ardour replace and conflict with itself (as same name is
     used as virtual name for other flavors).
   * Add quirk to recommend firefox (not iceweasel) for Ubuntu.
   * Rewrite copyright file to recent draft DEP5 machine-readable format.
   * Fix add verbatim text for a(nother) Libtool exception in
     debian/copyright.
 .
   [ Adrian Knoth ]
   * Unapply patches after git-buildpackage
   * Fix insecure library loading (Closes: #598282)
 .
   [ Luke Yelavich ]
   * debian/control: Do not explicitly depend on a particular version of
     jackd
Checksums-Sha1: 
 d2f0890b3cbcf95a5de6c8d8fd25fbb9528cfcb4 2592 ardour_2.8.11-2.dsc
 83a0643857fa092b6ce61def92d9190fb19c609c 56968 ardour_2.8.11-2.debian.tar.gz
 a9e2f2ee589ac17930f9ab92708e515b1ff8be3f 5305376 ardour_2.8.11-2_i386.deb
 bdc08058b9ea1547241eb26069ade309b3d93c6c 4921814 ardour-i686_2.8.11-2_i386.deb
Checksums-Sha256: 
 e2155241745955236a35f9248da3b692c81eb471d2a3e823cbb4ec1dfb3d5751 2592 
ardour_2.8.11-2.dsc
 527f8a9c3d5c684bf76f1e6746c386b138d95b70a699442e7ac2952bbd7d06e3 56968 
ardour_2.8.11-2.debian.tar.gz
 2de45d1dad096765fbcfa13ff02a3d71ff75a2e104920c8f8aac6838df731dec 5305376 
ardour_2.8.11-2_i386.deb
 723e06fcd51815a0764b87585f2077b6f4a303d34ffcb7cd0bfe3f5a0f5b1c73 4921814 
ardour-i686_2.8.11-2_i386.deb
Files: 
 8f96b21e10e111cfad22022867b41b67 2592 sound optional ardour_2.8.11-2.dsc
 10cad4b9df16445896320aa0909b697a 56968 sound optional 
ardour_2.8.11-2.debian.tar.gz
 c524ac735ca231fb00aaf059af45386e 5305376 sound optional 
ardour_2.8.11-2_i386.deb
 bfcf14b5a204392ac23530668ee1ffc5 4921814 sound optional 
ardour-i686_2.8.11-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJMokGaAAoJEI8ytEIvUhB/dCIP/0fzQZEpFZHcJ4OeEoPYO3HT
rCU1+esyqfdCV1zsCq8X6+wP8xQDA6y/62BBNjjDsDOMKhSvqrh7RkJf27+vzRmZ
jEZK0mHevJohnNFkQtugCMWY4WU+apaSQuyoHvwBrDzpP8Pv+M5fLo7SyYNBekdk
GPz/AOrXrh3SvMfzUBdxgrdKAJxg2GsMjlHBjt8jC8C6xLEaGaOIseHiK3FcV8hV
p/tvHZJEou8vn0Df3r9o+lqsjhX2XxTSmNDJgsNHcGvorPcxhdASlg9ldDGD9kTG
dkG9Gx0Q1r7BLETDBfrJWAo4cgUrSWcZiK+Ruh2MQonAvT9yRdwBkZb1R4HNFfV5
FvUNQ0YCy0vKKpedDeBUFBCFpz7++K2StdszYIt2hnXPErBNSg6W5bR+iN1uPeKe
mpy0cXrUlB/31s6F/XhTG57xDjOgFXhFW9cyWxNsUEd8c9tYKRLA+Y2ek3FyfVJO
p9Nt27bsCE6+eEsepZYftGNs8cgIGkoLFMeXt+30i2d/SU11kt8wZQRq96K+Azdc
0BuEzq+X6m5s+h1FF8YEIcqEq02r0kUrfIlIKDfsJNd/uR+PBQVH+PnRf4f1eHW0
VgWwNkNj9nZHA2WT0qZrAfA3A1GOHlqOj0AosqFvpo05VN/UfbFPyoa7NllvnD15
2JpcXwBbk7YevexnzJLD
=IKzd
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers

Reply via email to