Dear release team, I prepared an upload to fix a minor security issue[0][1] in slim[2]. Full debdiff is attached. Could you check this?
Best regards,
Nobuhiro

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2945
[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594414
[2]: http://packages.qa.debian.org/s/slim.html

--
Nobuhiro Iwamatsu / iwama...@debian.org
diff -u slim-1.3.0/debian/changelog slim-1.3.0/debian/changelog --- slim-1.3.0/debian/changelog +++ slim-1.3.0/debian/changelog @@ -1,3 +1,10 @@ +slim (1.3.0-1+lenny3) stable; urgency=high + + * CVE-2010-2945: insecure PATH assignment (cf. bug #594414) + debian/patches/07_fix_insecure_PATH_assignment.dpatch + + -- Nobuhiro Iwamatsu <iwama...@debian.org> Wed, 26 Aug 2010 12:42:53 +0900 + slim (1.3.0-1+lenny2) stable; urgency=high * Fixed CVE-2009-1756 : Patch to set mcookie for xauth through a pipe diff -u slim-1.3.0/debian/patches/00list slim-1.3.0/debian/patches/00list --- slim-1.3.0/debian/patches/00list +++ slim-1.3.0/debian/patches/00list @@ -6,0 +7 @@ +07_fix_insecure_PATH_assignment.dpatch only in patch2: unchanged: --- slim-1.3.0.orig/debian/patches/07_fix_insecure_PATH_assignment.dpatch +++ slim-1.3.0/debian/patches/07_fix_insecure_PATH_assignment.dpatch 
@@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 07_fix_insecure_PATH_assignment.dpatch by Nobuhiro Iwamatsu <iwama...@debian.org> +## +## DP: CVE-2010-2945: insecure PATH assignment +## SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH +## which included './'. This allowed unintentional code execution (e.g. +## planted binary) and has been fixed by the developers in version 1.3.2. + +...@dpatch@ +--- a/cfg.cpp 2010-08-25 23:53:47.000000000 +0000 ++++ b/cfg.cpp 2010-08-25 23:54:00.000000000 +0000 +@@ -28,7 +28,7 @@ + : currentSession(-1) + { + // Configuration options +- options.insert(option("default_path","./:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin")); ++ options.insert(option("default_path","/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin")); + options.insert(option("default_xserver","/usr/X11R6/bin/X")); + options.insert(option("xserver_arguments","")); + options.insert(option("numlock","")); +--- a/slim.conf.orig 2010-08-25 23:46:48.000000000 +0000 ++++ b/slim.conf 2010-08-25 23:47:46.000000000 +0000 +@@ -1,6 +1,6 @@ + # Path, X server and arguments (if needed) + # Note: -xauth $authfile is automatically appended +-default_path ./:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ++default_path /bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + default_xserver /usr/X11R6/bin/X + #xserver_arguments -dpi 75 +
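Review bot: in the debian/changelog hunk the bug is referenced as `(cf. bug #594414)` rather than with a `Closes: #594414` tag, so the upload will not close #594414 automatically; if the intent is to close it with this stable update, use the `Closes:` form, otherwise the bug needs to be closed by hand once the package is accepted.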
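Review bot: the `## DP:` header of 07_fix_insecure_PATH_assignment.dpatch is internally inconsistent about the upstream fix: it says "SLiM versions prior to 1.3.1" are affected but that the issue "has been fixed by the developers in version 1.3.2", which leaves the status of 1.3.1 unclear; state one fixed upstream version so the patch description matches the advisory. The marker line also appears here as `...@dpatch@`; dpatch-run looks for the literal `@DPATCH@` token, so confirm the attached file carries it unmangled before upload. The cfg.cpp change itself (dropping `./` from the compiled-in default_path) is the right minimal fix for the CVE.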
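Review bot: in the slim.conf hunk the old-file header names `a/slim.conf.orig` while the new-file header names `b/slim.conf`; make both `slim.conf` so `patch -p1` cannot pick the `.orig` name and miss the real file. Since this hunk only changes the shipped configuration, systems where an administrator has customised slim.conf will keep `./` in their `default_path` line after the upgrade; a changelog or NEWS note telling admins to check that line would close that gap.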