Your message dated Wed, 13 Oct 2010 05:17:22 +0000
with message-id <e1p5tim-0001k9...@franck.debian.org>
and subject line Bug#598307: fixed in tuxguitar 1.2-7
has caused the Debian Bug report #598307,
regarding tuxguitar: CVE-2010-3385: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
598307: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tuxguitar
Version: 1.2-6
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.
Vulnerable code follows:
/usr/bin/tuxguitar line 129:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3385. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3385
[1] http://security-tracker.debian.org/tracker/CVE-2010-3385
Sincerely,
Raphael Geissert
--- End Message ---
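The mechanism described in the report, as an added example that is not part of the bug thread or the tuxguitar package: a POSIX sh helper that detects empty elements in a colon-separated library path, the vulnerable append from /usr/bin/tuxguitar line 129 reproduced as a function, and a hardened append that never emits an empty element. The xulrunner directory is a constructed sample value.

```shell
#!/bin/sh
# Added example, not code from the bug report or from tuxguitar.
# MOZILLA_FIVE_HOME is the variable named in the report; the
# /usr/lib/xulrunner path below is a constructed sample value.

# Return 0 (true) if the colon-separated list $1 contains an empty
# element: a leading ':', a trailing ':' or a '::' in the middle.
# ld.so(8) resolves each such element to '.', the current working
# directory. An entirely empty string has no elements and is clean.
has_empty_element() {
    case "$1" in
        '')           return 1 ;;
        :*|*:|*::*)   return 0 ;;
    esac
    return 1
}

# The reported line, reproduced so its result can be inspected:
#   export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"
# $1 = existing LD_LIBRARY_PATH (often unset), $2 = MOZILLA_FIVE_HOME.
# With $1 empty the result starts with ':', i.e. an empty element.
vulnerable_value() {
    printf '%s' "$1:$2"
}

# Hardened form: emit the separator only when the existing list is
# non-empty (${1:+$1:}), and leave the list untouched when the
# directory to append is empty, so no ':' is ever left dangling.
# In a launcher script this is:
#   export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$MOZILLA_FIVE_HOME"
# guarded by a check that MOZILLA_FIVE_HOME is non-empty.
hardened_value() {
    if [ -z "$2" ]; then
        printf '%s' "$1"
    else
        printf '%s' "${1:+$1:}$2"
    fi
}

# Demonstration with LD_LIBRARY_PATH unset, the usual case for a
# desktop launcher, and the constructed xulrunner directory.
sample_dir=/usr/lib/xulrunner
v=$(vulnerable_value "" "$sample_dir")
h=$(hardened_value "" "$sample_dir")
printf 'vulnerable: %s\n' "$v"   # prints ":/usr/lib/xulrunner"
printf 'hardened:   %s\n' "$h"   # prints "/usr/lib/xulrunner"
if has_empty_element "$v"; then
    echo "vulnerable value contains an empty element: ld.so would search the CWD"
fi
```

The same checker can be run over the LD_LIBRARY_PATH a launcher exports to confirm the fix, since any leading, trailing or doubled colon means a CWD lookup.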
--- Begin Message ---
Source: tuxguitar
Source-Version: 1.2-7
We believe that the bug you reported is fixed in the latest version of
tuxguitar, which is due to be installed in the Debian FTP archive:
tuxguitar-alsa_1.2-7_i386.deb
to main/t/tuxguitar/tuxguitar-alsa_1.2-7_i386.deb
tuxguitar-fluidsynth_1.2-7_i386.deb
to main/t/tuxguitar/tuxguitar-fluidsynth_1.2-7_i386.deb
tuxguitar-jack_1.2-7_i386.deb
to main/t/tuxguitar/tuxguitar-jack_1.2-7_i386.deb
tuxguitar-jsa_1.2-7_all.deb
to main/t/tuxguitar/tuxguitar-jsa_1.2-7_all.deb
tuxguitar-oss_1.2-7_i386.deb
to main/t/tuxguitar/tuxguitar-oss_1.2-7_i386.deb
tuxguitar_1.2-7.debian.tar.gz
to main/t/tuxguitar/tuxguitar_1.2-7.debian.tar.gz
tuxguitar_1.2-7.dsc
to main/t/tuxguitar/tuxguitar_1.2-7.dsc
tuxguitar_1.2-7_all.deb
to main/t/tuxguitar/tuxguitar_1.2-7_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated tuxguitar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 12 Oct 2010 06:32:31 -0700
Source: tuxguitar
Binary: tuxguitar tuxguitar-jsa tuxguitar-alsa tuxguitar-oss
tuxguitar-fluidsynth tuxguitar-jack
Architecture: source i386 all
Version: 1.2-7
Distribution: unstable
Urgency: medium
Maintainer: Philippe Coval <r...@gna.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description:
tuxguitar - Multitrack guitar tablature editor and player (gp3 to gp5)
tuxguitar-alsa - tuxguitar plugin for sound playback using ALSA
tuxguitar-fluidsynth - tuxguitar plugin for sound playback using fluidsynth
tuxguitar-jack - tuxguitar plugin for sound playback using JACKD
tuxguitar-jsa - tuxguitar plugin for sound playback using Java Sound API
tuxguitar-oss - tuxguitar plugin for sound playback using OSS
Closes: 598307
Changes:
tuxguitar (1.2-7) unstable; urgency=medium
.
* Apply patch for CVE-2010-3385 (Closes: #598307)
Thanks to Etienne Millon
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---