Hi again!

* Gerfried Fuchs <rho...@deb.at> [2010-08-30 14:40:28 CEST]:
> * Moritz Muehlenhoff <j...@debian.org> [2010-08-25 21:50:53 CEST]:
> > Package: couchdb
> > Severity: grave
> > Tags: security
> >
> > The vulnerability was introduced by Debian patch
> > "mozjs1.9_ldlibpath.patch" on 3/24/2009.
>
> I fail to find this patch neither in the lenny package nor in the
> squeeze package, and there was no changelog entry or upload around the
> mentioned time. Are you sure about these fineprints?

Alright, after some chat with Moritz and other security people I better understand the issue: the patch icu-config.patch in the lenny package also has the problem; it would depend on an already set LD_LIBRARY_PATH environment variable. In the case it isn't set (which is the default) it has the insecure behavior depending on the current directory. A test for existence of the variable should be done and depending on that either get extended or explicitly set only to the variable.

I question the need of the patch, though - /usr/lib is searched by default anyway? What's the background of that? I didn't find any hint in the changelog - and that's one of the reasons why a comment in the patch file would be really helpful. :)

Thanks!
Rhonda
--
https://flattr.com/thing/47066/Debian-BTS-cleaning-up
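
The fix described in the message above, as an added example that is not part of the original mail or of the Debian patch: when LD_LIBRARY_PATH is unset, prepending a directory with an unconditional colon leaves an empty entry, which the dynamic loader reads as the current working directory. The directory name and the function names are constructed placeholders, and the naive form is an assumption about the general shape of such a wrapper line.

```shell
#!/bin/sh
# Added example. LIBDIR is a constructed placeholder, not the path from the patch.
LIBDIR="/usr/lib/example-libdir"

# Naive form (assumed shape of such a wrapper line): always appends
# ":$LD_LIBRARY_PATH". With the variable unset this yields "dir:",
# and the trailing empty entry makes the loader search the current directory.
naive_path() {
    # $1 = directory to prepend, $2 = inherited LD_LIBRARY_PATH (may be empty)
    printf '%s:%s' "$1" "$2"
}

# Hardened form: extend the existing value if there is one,
# otherwise set the variable to the directory alone.
safe_path() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Audit check: succeeds (0) when a non-empty path list contains an empty
# entry (leading, trailing or doubled colon).
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with the variable unset, which is the default case.
for candidate in "$(naive_path "$LIBDIR" "")" "$(safe_path "$LIBDIR" "")"; do
    if has_empty_entry "$candidate"; then
        echo "UNSAFE: '$candidate'"
    else
        echo "ok:     '$candidate'"
    fi
done
```

In a wrapper script the hardened form is commonly written inline as `LD_LIBRARY_PATH="$LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. `has_empty_entry` can be run over the value a packaged wrapper exports to audit it for this pattern.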