Your message dated Wed, 29 Sep 2010 10:17:26 +0000
with message-id <e1p0tj4-00068w...@franck.debian.org>
and subject line Bug#598285: fixed in bristol 0.60.6-2
has caused the Debian Bug report #598285,
regarding bristol: CVE-2010-3351: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598285: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bristol
Version: 0.60.5-1+b1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.

Vulnerable code follows:

/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Note that there's also a missing slash on the second entry (_usr_/lib.)

This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351

Sincerely,
Raphael Geissert



--- End Message ---
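The report above points at two distinct defects in one exported value: an empty entry created when the inherited LD_LIBRARY_PATH is unset (two adjacent colons, which ld.so(8) resolves as the current directory), and a relative entry ("usr/lib") that is likewise resolved against the current directory. As an added example, not code from the bug report or from the bristol package, the following POSIX sh helpers check a colon-separated list for exactly those two conditions and build a value that cannot contain them. The directory /opt/bristol is a placeholder for the script's ${BRISTOL}; the real path is not given on this page.

```sh
#!/bin/sh
# Added example, not code from the bristol package or the bug report.
# Two POSIX sh helpers around the failure mode described in the report:
# ld.so(8) resolves an empty LD_LIBRARY_PATH entry (leading, trailing or
# doubled colon) and any entry that is not an absolute path relative to
# the current working directory.

# Print the number of entries in the colon-separated list "$1" that would
# be resolved relative to the current working directory: empty entries and
# entries that do not start with '/'. An entirely empty value has no
# entries and yields 0.
count_cwd_entries() {
    _list=$1
    _n=0
    if [ -z "$_list" ]; then
        echo 0
        return 0
    fi
    while :; do
        case $_list in
            *:*) _entry=${_list%%:*} ;;   # up to the first ':'
            *)   _entry=$_list ;;         # final (or only) entry
        esac
        case $_entry in
            /*) ;;                        # absolute path: fine
            *)  _n=$((_n + 1)) ;;         # empty or relative: CWD-dependent
        esac
        case $_list in
            *:*) _list=${_list#*:} ;;     # drop the entry just examined
            *)   break ;;
        esac
    done
    echo "$_n"
}

# Join the arguments into a library search path, skipping empty arguments
# (such as an unset inherited LD_LIBRARY_PATH) so no empty entry is ever
# produced, and refusing non-absolute directories. The result is printed.
join_ld_path() {
    _out=
    for _dir in "$@"; do
        [ -n "$_dir" ] || continue
        case $_dir in
            /*) _out=${_out:+$_out:}$_dir ;;
            *)  printf 'join_ld_path: skipping non-absolute entry %s\n' "$_dir" >&2 ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Demonstration with constructed values; /opt/bristol stands in for the
# ${BRISTOL} directory of the original script (placeholder, not the real path).
BRISTOL=/opt/bristol
unset LD_LIBRARY_PATH                       # the common case on a fresh login

# Shape of the line quoted in the report: inherits an empty entry when
# LD_LIBRARY_PATH is unset and carries the relative 'usr/lib' entry.
weak="/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib"
echo "weak value:  $weak"
echo "  CWD-dependent entries: $(count_cwd_entries "$weak")"   # 2

# Hardened construction: same directories, no empty or relative entries.
fixed=$(join_ld_path /usr/local/lib /usr/lib "${LD_LIBRARY_PATH:-}" "$BRISTOL/lib")
echo "fixed value: $fixed"
echo "  CWD-dependent entries: $(count_cwd_entries "$fixed")"  # 0
```

The checker is useful beyond this one script: run it over the value a wrapper exports before exec'ing the real binary, or over the LD_LIBRARY_PATH found in an existing environment, and any non-zero count marks a path element that depends on wherever the program happened to be started from.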
--- Begin Message ---
Source: bristol
Source-Version: 0.60.6-2

We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:

bristol-data_0.60.6-2_all.deb
  to main/b/bristol/bristol-data_0.60.6-2_all.deb
bristol_0.60.6-2.debian.tar.gz
  to main/b/bristol/bristol_0.60.6-2.debian.tar.gz
bristol_0.60.6-2.dsc
  to main/b/bristol/bristol_0.60.6-2.dsc
bristol_0.60.6-2_amd64.deb
  to main/b/bristol/bristol_0.60.6-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <ales...@debian.org> (supplier of updated bristol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Sep 2010 12:03:25 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.6-2
Distribution: experimental
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <ales...@debian.org>
Description: 
 bristol    - vintage synthesizer emulator
 bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes: 
 bristol (0.60.6-2) experimental; urgency=low
 .
   * Add patch to prevent insecure library loading;
     Closes: #598285, CVE-2010-3351
   * Add local-options file.
Checksums-Sha1: 
 7669fa9394d9c355e86aa5dc95d7bd86dbc0991f 1386 bristol_0.60.6-2.dsc
 d7664ed696708c5041903292fa2e31fc4db690c8 7681 bristol_0.60.6-2.debian.tar.gz
 4c1c740e3a7fd80a72a2a00f96efbae684b20e94 927750 bristol_0.60.6-2_amd64.deb
 3c01d806c15882318c60911d9fcd94d0a6a1625c 2837258 bristol-data_0.60.6-2_all.deb
Checksums-Sha256: 
 d318897c7801a502ee6978188b0465d46916750223c718c484a1958a88805794 1386 bristol_0.60.6-2.dsc
 d00054983c6642fcff1149c49057059452167561eacf218fa2053814178fda8a 7681 bristol_0.60.6-2.debian.tar.gz
 de4642c894aa2712272b16bb89b668c1916649cd7841dffce68736168fcbbfcd 927750 bristol_0.60.6-2_amd64.deb
 89f3fd01f8801db7e54d22288227d416e3f90965fa69dc13a2dbb90ad6b7b1d0 2837258 bristol-data_0.60.6-2_all.deb
Files: 
 569d0ecb288452c7cfd994ae3ea05578 1386 sound optional bristol_0.60.6-2.dsc
 a77accab6e648c854bf788c1b391ba46 7681 sound optional bristol_0.60.6-2.debian.tar.gz
 d8ac3c70bbce2c152e6cab578766d535 927750 sound optional bristol_0.60.6-2_amd64.deb
 f0951ceb1ace630f4e86698baee4473a 2837258 sound optional bristol-data_0.60.6-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyjEE8ACgkQRdSMfNz8P9DLqwCfcjwO6u3jK/MjY7R9ShsOND/D
E1cAn3jmmI5+v2TVINcQ4LwQnSkhRtkP
=c4pu
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers