Your message dated Thu, 26 Aug 2010 04:47:07 +0000
with message-id <e1oouml-0008fb...@franck.debian.org>
and subject line Bug#594414: fixed in slim 1.3.1-7
has caused the Debian Bug report #594414,
regarding CVE-2010-2945: insecure PATH assignment
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
594414: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594414
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slim
Severity: grave
Tags: security
The following was reported to oss-security:
--
SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included './'. This allowed unintentional code execution (e.g.
planted binary) and has been fixed by the developers in version 1.3.2.
Fix:
http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
--
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages slim depends on:
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.4-9 GCC support library
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxft2 2.1.14-2 FreeType-based font drawing librar
ii libxmu6 2:1.0.5-1 X11 miscellaneous utility library
slim recommends no packages.
Versions of packages slim suggests:
pn scrot <none> (no description available)
--- End Message ---
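Added example, not part of the original report or of slim's code: a POSIX shell check for the kind of PATH value the report describes. It flags every component that resolves against the current working directory ('./', '.', any other relative path, and zero-length components). The function name audit_path and the sample PATH strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_path PATH_STRING   (hypothetical helper, added for illustration)
# Prints one line per PATH component that makes command lookup depend on
# the current working directory. Returns 0 if none are found, 1 otherwise.
audit_path() {
    _ap_rest=$1
    _ap_bad=0
    _ap_idx=0
    while :; do
        # Split by hand: IFS-based splitting silently drops a trailing
        # empty field, which is exactly one of the cases to detect.
        case $_ap_rest in
            *:*) _ap_entry=${_ap_rest%%:*}; _ap_rest=${_ap_rest#*:}; _ap_last=0 ;;
            *)   _ap_entry=$_ap_rest; _ap_last=1 ;;
        esac
        _ap_idx=$((_ap_idx + 1))
        case $_ap_entry in
            '')
                # A zero-length component (leading, trailing or doubled
                # colon) is a legacy way of naming the current directory.
                printf 'entry %s: empty component (current directory)\n' "$_ap_idx"
                _ap_bad=1 ;;
            /*)
                : ;;  # absolute path: lookup does not depend on the cwd
            *)
                printf 'entry %s: relative path "%s"\n' "$_ap_idx" "$_ap_entry"
                _ap_bad=1 ;;
        esac
        if [ "$_ap_last" -eq 1 ]; then
            break
        fi
    done
    return "$_ap_bad"
}

# Constructed sample values, not copied from slim's source or configuration.
for candidate in "./:/bin:/usr/bin:/usr/local/bin" "/usr/local/bin:/usr/bin:/bin"; do
    if audit_path "$candidate"; then
        echo "OK:     $candidate"
    else
        echo "UNSAFE: $candidate"
    fi
done
```

Running `audit_path "$PATH"` inside a freshly started login session shows whether the session manager handed the user such a PATH.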
--- Begin Message ---
Source: slim
Source-Version: 1.3.1-7
We believe that the bug you reported is fixed in the latest version of
slim, which is due to be installed in the Debian FTP archive:
slim_1.3.1-7.diff.gz
to main/s/slim/slim_1.3.1-7.diff.gz
slim_1.3.1-7.dsc
to main/s/slim/slim_1.3.1-7.dsc
slim_1.3.1-7_amd64.deb
to main/s/slim/slim_1.3.1-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwama...@debian.org> (supplier of updated slim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 26 Aug 2010 12:40:13 +0900
Source: slim
Binary: slim
Architecture: source amd64
Version: 1.3.1-7
Distribution: unstable
Urgency: high
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwama...@debian.org>
Description:
slim - desktop-independent graphical login manager for X11
Closes: 586593 594414
Changes:
slim (1.3.1-7) unstable; urgency=high
.
* Update debian/control.
- Bump up Standards-Version to 3.9.1.
* Fix black screen shown on kfreebsd (Closes: #586593).
debian/patches/fix-black-screen.patch
* Fix CVE-2010-2945: insecure PATH assignment (Closes: #594414).
debian/patches/insecure_PATH_assignment.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkx18DgACgkQQSHHQzFw6+lj+ACgpYI0aY3FSca+lJDhqkiTHiDe
KN8AnjkuwH5K6BIluPptzfHHRuZPVNWe
=zWfI
-----END PGP SIGNATURE-----
--- End Message ---