Your message dated Wed, 29 Sep 2010 13:32:10 +0000
with message-id <e1p0wlw-0000jv...@franck.debian.org>
and subject line Bug#598285: fixed in bristol 0.60.5-2
has caused the Debian Bug report #598285,
regarding bristol: CVE-2010-3351: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598285: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bristol
Version: 0.60.5-1+b1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Note that there's also a missing slash on the second entry (_usr_/lib.)

This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351

Sincerely,
Raphael Geissert



--- End Message ---
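The two defects the report describes (an empty element when LD_LIBRARY_PATH is unset, and the missing slash in usr/lib) in runnable form, as an added example that is neither the bristol script nor Debian's patch: it builds the search path the vulnerable way and a hardened way side by side, and a small checker flags empty or relative elements. The /opt/bristol directory, the function names and the demo values are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not the bristol package's own script). It reproduces the
# problematic construction from the report, puts a hardened version beside
# it, and adds a checker for the two defects the report describes.
# /opt/bristol used below is a constructed placeholder, not a real path.

# Same shape as the reported line in /usr/bin/startBristol: when the inherited
# LD_LIBRARY_PATH is unset or empty, "${inherited}" expands to nothing and
# leaves an empty element ("::"), which ld.so searches as the current
# directory. "usr/lib" also lacks its leading slash, so it is a relative path.
vulnerable_ld_path() {
    bristol="$1"
    inherited="$2"
    printf '%s\n' "/usr/local/lib:usr/lib:${inherited}:${bristol}/lib"
}

# Hardened construction: absolute entries only, and the inherited value is
# appended only when it is non-empty, so no empty element can appear.
hardened_ld_path() {
    bristol="$1"
    inherited="$2"
    path="/usr/local/lib:/usr/lib:${bristol}/lib"
    if [ -n "${inherited}" ]; then
        path="${path}:${inherited}"
    fi
    printf '%s\n' "${path}"
}

# Print one line per unsafe element of a colon-separated search path:
# an empty element (leading, trailing or "::") or a relative one.
unsafe_elements() {
    rest="$1:"                      # trailing colon terminates the last element
    while [ -n "${rest}" ]; do
        elem="${rest%%:*}"          # everything before the first colon
        rest="${rest#*:}"           # drop that element and its colon
        case "${elem}" in
            "")  printf 'empty element (searched as the current directory)\n' ;;
            /*)  ;;                 # absolute path: fine
            *)   printf 'relative element: %s\n' "${elem}" ;;
        esac
    done
}

# Number of unsafe elements (0 means the value is clean).
count_unsafe_elements() {
    unsafe_elements "$1" | awk 'END { print NR }'
}

# Demo with LD_LIBRARY_PATH unset, the case an interactive shell usually hits.
for v in vulnerable_ld_path hardened_ld_path; do
    p="$("$v" /opt/bristol "")"
    printf '%s -> %s (unsafe elements: %s)\n' "$v" "$p" "$(count_unsafe_elements "$p")"
done
```

Run it with `sh`; the checker can also be pointed at a live value (`unsafe_elements "$LD_LIBRARY_PATH"`) when auditing other wrapper scripts for the same pattern.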
--- Begin Message ---
Source: bristol
Source-Version: 0.60.5-2

We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:

bristol-data_0.60.5-2_all.deb
  to main/b/bristol/bristol-data_0.60.5-2_all.deb
bristol_0.60.5-2.diff.gz
  to main/b/bristol/bristol_0.60.5-2.diff.gz
bristol_0.60.5-2.dsc
  to main/b/bristol/bristol_0.60.5-2.dsc
bristol_0.60.5-2_amd64.deb
  to main/b/bristol/bristol_0.60.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <ales...@debian.org> (supplier of updated bristol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Sep 2010 14:54:22 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <ales...@debian.org>
Description: 
 bristol    - vintage synthesizer emulator
 bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes: 
 bristol (0.60.5-2) unstable; urgency=high
 .
   * Add patch to solve security issue CVE-2010-3351:
     - Fix insecure library loading (Closes: #598285);
       bump urgency to high.
   * Add debian/gbp.conf file.
   * Bump Standards.
Checksums-Sha1: 
 4e801cbcca484b9dc0a6cf5e0f1359d09ffbdc3e 1412 bristol_0.60.5-2.dsc
 feff492d1e2f98a603b822224d534ff6b3e06ccc 7064 bristol_0.60.5-2.diff.gz
 775647f00f26966bb48f9e81827bb9828415dcba 926276 bristol_0.60.5-2_amd64.deb
 bebc4905e5605a094d12335756e7ea57c2fdfbc2 2836038 bristol-data_0.60.5-2_all.deb
Checksums-Sha256: 
 d605ee10509fecb99ec199fd7fa5f6dff7bf4ed855f08bb5e0c968d3022661be 1412 bristol_0.60.5-2.dsc
 ceec75443b8b1d42fc937e87c9b9d8794f7a73a9e1736f67fa0598dcc374e991 7064 bristol_0.60.5-2.diff.gz
 a43d53f3f915983a735b2c7747d307d5813ef7d45e071f6a01e512ed776c2506 926276 bristol_0.60.5-2_amd64.deb
 9c586c0bcba1213edbbd0de3ac0930bbff9ba22064dbf2d9c7ec503bac98d68f 2836038 bristol-data_0.60.5-2_all.deb
Files: 
 687035eb38c0409dd018b5c93eea63de 1412 sound optional bristol_0.60.5-2.dsc
 715577ed3f68306753cb2312d809b3c3 7064 sound optional bristol_0.60.5-2.diff.gz
 2745fc9b42f3f6acb5f69044fc862abc 926276 sound optional bristol_0.60.5-2_amd64.deb
 b00a5a5b07404180ed5df7802438006b 2836038 sound optional bristol-data_0.60.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyjO+wACgkQRdSMfNz8P9Cp1wCdHVQl8/qnW5pkp+JE1UL56zk3
egIAmQG4zhXdXagMIbwuMD9KLtkr9tbg
=iKm2
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers
