Bug#598501: unblock: bristol/0.60.5-2
Ok, now should be fine: diff --git a/debian/changelog b/debian/changelog index b2e88d5..942ccb3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +bristol (0.60.5-3) unstable; urgency=low + + * Drop all unnecessary 'export' statements. + + -- Alessio Treglia ales...@debian.org Fri, 15 Oct 2010 13:32:22 +0200 + bristol (0.60.5-2) unstable; urgency=high * Add patch to solve security issue CVE-2010-3351: diff --git a/debian/patches/90-CVE_insecure_library_loading.patch b/debian/patches/90-CVE_insecure_library_loading.patch index a6fc40e..2740582 100644 --- a/debian/patches/90-CVE_insecure_library_loading.patch +++ b/debian/patches/90-CVE_insecure_library_loading.patch @@ -2,17 +2,19 @@ Subject: Fix insecure library loading - CVE-2010-3351. Origin: upstream, https://sourceforge.net/support/tracker.php?aid=3077160 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285 --- - bin/startBristol.in |2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + bin/startBristol.in |4 + 1 file changed, 4 deletions(-) --- bristol.orig/bin/startBristol.in +++ bristol/bin/startBristol.in -@@ -347,7 +347,7 @@ fi +@@ -347,10 +347,6 @@ fi export SLAB_HOME=$BRISTOL export BRIGHTON=$BRISTOL -export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib -+export ld_library_pa...@bristol_dir@/lib:/usr/local/lib:/usr/lib:/lib - - export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin - +- +-export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin +- + if [ $jack -eq 1 ]; then + ldd `which bristol` | grep jack /dev/null 21 + if [ $? -ne 0 ]; then -- Alessio Treglia ales...@debian.org Debian Ubuntu Developer | Homepage: http://www.alessiotreglia.com 0FEC 59A5 E18E E04F 6D40 593B 45D4 8C7C DCFC 3FD0 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
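Review bot: the 0.60.5-3 changelog entry says only "Drop all unnecessary 'export' statements", but the "@@ -347,10 +347,6 @@" hunk of the inner patch also stops appending $BRISTOL/bin and /usr/local/bin to PATH, which is a behaviour change rather than a no-op. The context line that follows runs ldd on the result of 'which bristol', so that lookup now depends entirely on the caller's PATH; confirm the binary is installed in a default PATH directory (or call it by absolute path) and record the PATH change in the changelog. Not exporting LD_LIBRARY_PATH at all leaves the loader with its configured defaults plus whatever the caller set deliberately, which is the simplest outcome for CVE-2010-3351.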
Bug#598501: unblock: bristol/0.60.5-2
On Thu, Oct 7, 2010 at 9:30 PM, Adam D. Barratt a...@adam-barratt.org.uk wrote:
> Any news on that?

Back home few hours ago, I'll fix it ASAP.

--
Alessio Treglia ales...@debian.org
Debian Ubuntu Developer | Homepage: http://www.alessiotreglia.com
0FEC 59A5 E18E E04F 6D40 593B 45D4 8C7C DCFC 3FD0
Bug#598501: unblock: bristol/0.60.5-2
Here is the diff. Built and tested.

diff --git a/debian/changelog b/debian/changelog index b2e88d5..16d0e66 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +bristol (0.60.5-3) unstable; urgency=low + + * Exporting unmodified PATH is unnecessary. Drop +/usr/share/bristol/lib from the LD_LIBRARY_PATH. + + -- Alessio Treglia ales...@debian.org Thu, 14 Oct 2010 12:55:41 +0200 + bristol (0.60.5-2) unstable; urgency=high * Add patch to solve security issue CVE-2010-3351: diff --git a/debian/patches/90-CVE_insecure_library_loading.patch b/debian/patches/90-CVE_insecure_library_loading.patch index a6fc40e..7fc156d 100644 --- a/debian/patches/90-CVE_insecure_library_loading.patch +++ b/debian/patches/90-CVE_insecure_library_loading.patch @@ -2,17 +2,19 @@ Subject: Fix insecure library loading - CVE-2010-3351. Origin: upstream, https://sourceforge.net/support/tracker.php?aid=3077160 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285 --- - bin/startBristol.in |2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + bin/startBristol.in |4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) --- bristol.orig/bin/startBristol.in +++ bristol/bin/startBristol.in -@@ -347,7 +347,7 @@ fi +@@ -347,9 +347,7 @@ fi export SLAB_HOME=$BRISTOL export BRIGHTON=$BRISTOL -export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib -+export ld_library_pa...@bristol_dir@/lib:/usr/local/lib:/usr/lib:/lib - - export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin +- +-export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin ++export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/lib + if [ $jack -eq 1 ]; then + ldd `which bristol` | grep jack /dev/null 21

--
Alessio Treglia ales...@debian.org
Debian Ubuntu Developer | Homepage: http://www.alessiotreglia.com
0FEC 59A5 E18E E04F 6D40 593B 45D4 8C7C DCFC 3FD0
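Review bot: the added line "export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/lib" in the "@@ -347,9 +347,7 @@" hunk still overrides the environment: it discards any LD_LIBRARY_PATH the caller set and replaces it with directories the dynamic loader is normally already configured to search, so it changes behaviour without adding anything. Dropping the export altogether fixes the insecure search path without that side effect. The changelog text also calls the removed PATH export "unmodified", yet the removed line appended $BRISTOL/bin and /usr/local/bin, and the 'which bristol' call in the trailing context resolves through PATH, so the entry should describe that removal accurately.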
Bug#598501: unblock: bristol/0.60.5-2
On Thu, 2010-10-14 at 14:48 +0200, Alessio Treglia wrote:
> Here is the diff.

Thanks.

> + * Exporting unmodified PATH is unnecessary. Drop +/usr/share/bristol/lib from the LD_LIBRARY_PATH. [...] - export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin +- +-export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin

That doesn't seem to be an unmodified PATH? (apologies if I'm missing something)

Regards,
Adam
Bug#598501: unblock: bristol/0.60.5-2
On Thu, Oct 14, 2010 at 14:48:18 +0200, Alessio Treglia wrote:
> ++export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/lib

That still seems useless.

Cheers,
Julien
Bug#598501: unblock: bristol/0.60.5-2
On Fri, 2010-10-01 at 03:00 +0200, Alessio Treglia wrote:
> On Wed, Sep 29, 2010 at 9:43 PM, Adam D. Barratt a...@adam-barratt.org.uk wrote:
> > > +-export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib ++export ld_library_pa...@bristol_dir@/lib:/usr/local/lib:/usr/lib:/lib + + export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin
> > Should that be ${BRISTOL} rather than @bristol_...@?
> It gets replaced by ${BRISTOL}, which contains /usr/share/bristol/ and it is unnecessary at all. We may remove it, I think.

Any news on that?

Regards,
Adam
Bug#598501: unblock: bristol/0.60.5-2
Hi Adam, thanks for reviewing this!

On Wed, Sep 29, 2010 at 9:43 PM, Adam D. Barratt a...@adam-barratt.org.uk wrote:
> On Wed, 2010-09-29 at 15:34 +0200, Alessio Treglia wrote:
> > Please unblock package bristol 0.60.5-2, which fixes the 'grave' bug #598285 (CVE-2010-3351: insecure library loading).
> and removes potentially useful functionality in the process :-/ (although forcing /usr/local/lib and usr/lib (sic) ahead of LD_LIBRARY_PATH is a little odd anyway)
> > + export SLAB_HOME=$BRISTOL + export BRIGHTON=$BRISTOL + +-export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib ++export ld_library_pa...@bristol_dir@/lib:/usr/local/lib:/usr/lib:/lib + + export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin
> Should that be ${BRISTOL} rather than @bristol_...@?

It gets replaced by ${BRISTOL}, which contains /usr/share/bristol/ and it is unnecessary at all. We may remove it, I think.

--
Alessio Treglia ales...@debian.org
Debian Ubuntu Developer | Homepage: http://www.alessiotreglia.com
0FEC 59A5 E18E E04F 6D40 593B 45D4 8C7C DCFC 3FD0
Bug#598501: unblock: bristol/0.60.5-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package bristol 0.60.5-2, which fixes the 'grave' bug #598285 (CVE-2010-3351: insecure library loading).

The changelog entry follows:

bristol (0.60.5-2) unstable; urgency=high

  * Add patch to solve security issue CVE-2010-3351:
    - Fix insecure library loading (Closes: #598285); bump urgency to high.
  * Add debian/gbp.conf file.
  * Bump Standards.

 -- Alessio Treglia ales...@debian.org  Wed, 29 Sep 2010 14:54:22 +0200

unblock bristol/0.60.5-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#598501: unblock: bristol/0.60.5-2
On Wed, 2010-09-29 at 15:34 +0200, Alessio Treglia wrote:
> Please unblock package bristol 0.60.5-2, which fixes the 'grave' bug #598285 (CVE-2010-3351: insecure library loading).

and removes potentially useful functionality in the process :-/ (although forcing /usr/local/lib and usr/lib (sic) ahead of LD_LIBRARY_PATH is a little odd anyway)

> + export SLAB_HOME=$BRISTOL + export BRIGHTON=$BRISTOL + +-export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib ++export ld_library_pa...@bristol_dir@/lib:/usr/local/lib:/usr/lib:/lib + + export PATH=${PATH}:$BRISTOL/bin:/usr/local/bin

Should that be ${BRISTOL} rather than @bristol_...@?

Regards,
Adam
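Review bot: in the '+' line the first search entry is the build-time substitution @bristol_dir@/lib, so the fix is only as good as that value. If it ever expands to an empty or relative path, the loader again resolves an entry against the current working directory, which is the same weakness the '-' line has through its relative 'usr/lib' entry and through the empty element an unset ${LD_LIBRARY_PATH} leaves between the colons. Worth confirming the substitution is always an absolute path, or removing the entry as suggested elsewhere in this thread.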