Your message dated Fri, 22 Oct 2010 06:17:16 +0000
with message-id <e1p9awg-0007bl...@franck.debian.org>
and subject line Bug#598309: fixed in ust 0.7-2.1
has caused the Debian Bug report #598309,
regarding ust-bin: CVE-2010-3386: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
598309: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598309
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ust-bin
Version: 0.7-1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.
Vulnerable code follows:
/usr/bin/usttrace line 136:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
/usr/bin/usttrace line 144:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
[1] http://security-tracker.debian.org/tracker/CVE-2010-3386
Sincerely,
Raphael Geissert
--- End Message ---
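For anyone auditing wrapper scripts for the same pattern, the following is an added shell example (not code from the ust package, the bug report, or the fix that closed it). It reproduces the reported join of LD_LIBRARY_PATH with a trailing directory, shows the empty leading entry that ld.so resolves to the current working directory, and puts the hardened form beside it. The helper names ldpath_has_empty_entry, unsafe_append and safe_append are hypothetical, and the sample paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the ust package or from the bug report).
# Helper names ldpath_has_empty_entry, unsafe_append and safe_append are
# hypothetical; the sample paths below are constructed for the demonstration.

# True (exit 0) when a colon-separated search path contains an empty entry:
# a leading ':', a trailing ':' or '::' in the middle. ld.so(8) resolves
# each empty entry to the current working directory.
ldpath_has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The pattern reported in usttrace: blindly joins the existing value and the
# new directory with ':'. With LD_LIBRARY_PATH unset or empty the result
# starts with ':', so the CWD becomes the first place libraries are searched.
# Arguments: current value, directory to append.
unsafe_append() {
    printf '%s\n' "$1:$2"
}

# Hardened form: only emit the separator when there is something to separate.
# Arguments: current value (may be empty), directory to append.
safe_append() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$2"
    fi
}

# Demonstration with constructed values: LIBUST_PATH as the script derives
# the library directory from it, and LD_LIBRARY_PATH deliberately treated as
# unset, which is the usual state of an interactive shell.
LIBUST_PATH=/usr/lib/libust.so
libdir=${LIBUST_PATH%libust.so}          # -> /usr/lib/
unsafe=$(unsafe_append "" "$libdir")     # -> :/usr/lib/
safe=$(safe_append "" "$libdir")         # -> /usr/lib/

for value in "$unsafe" "$safe"; do
    if ldpath_has_empty_entry "$value"; then
        printf 'UNSAFE  %s (empty entry = CWD)\n' "$value"
    else
        printf 'ok      %s\n' "$value"
    fi
done
```

The check function is also usable on its own as a review aid: run it over the value a script would export before the `export`, and fail the build or the review if it reports an empty entry. The same rule applies to any colon-separated search variable that ld.so or the shell consults, not only LD_LIBRARY_PATH.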
--- Begin Message ---
Source: ust
Source-Version: 0.7-2.1
We believe that the bug you reported is fixed in the latest version of
ust, which is due to be installed in the Debian FTP archive:
libust-dev_0.7-2.1_i386.deb
to main/u/ust/libust-dev_0.7-2.1_i386.deb
libust0_0.7-2.1_i386.deb
to main/u/ust/libust0_0.7-2.1_i386.deb
ust-bin_0.7-2.1_i386.deb
to main/u/ust/ust-bin_0.7-2.1_i386.deb
ust_0.7-2.1.debian.tar.gz
to main/u/ust/ust_0.7-2.1.debian.tar.gz
ust_0.7-2.1.dsc
to main/u/ust/ust_0.7-2.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jari Aalto <jari.aa...@cante.net> (supplier of updated ust package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 18 Oct 2010 18:55:42 +0300
Source: ust
Binary: libust0 libust-dev ust-bin
Architecture: source i386
Version: 0.7-2.1
Distribution: unstable
Urgency: high
Maintainer: Jon Bernard <jbern...@debian.org>
Changed-By: Jari Aalto <jari.aa...@cante.net>
Description:
libust-dev - LTTng Userspace Tracer (development)
libust0 - LTTng Userspace Tracer (runtime)
ust-bin - LTTng Userspace Tracer (utilities)
Closes: 598309
Changes:
ust (0.7-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* debian/patches
- (CVE-2010-3386--bug598309): New. Fix LD_LIBRARY_PATH. Initial patch
idea thanks to Etienne Millon <etienne.mil...@gmail.com> (grave,
security; Closes: #598309).
Checksums-Sha1:
917c741ada4ea069bacbcd786661a9658fd20f63 1818 ust_0.7-2.1.dsc
147d647b578a8dafbcd77d50ada9e0f7a04d0f50 7495 ust_0.7-2.1.debian.tar.gz
7439b1bd951d681ef5092ef8fe2673d62ebcfe0d 120426 libust0_0.7-2.1_i386.deb
e55974c99f7c729bf3f0bbc34d4247a3a73cca69 131252 libust-dev_0.7-2.1_i386.deb
16430476f680a156daef226b357a407d642eb320 36168 ust-bin_0.7-2.1_i386.deb
Checksums-Sha256:
ac989a4e5f05ac8bc7026cdf93e791d63658328941301e58dc63c3ed8bef139a 1818 ust_0.7-2.1.dsc
fcbcda4c2e4101a3ada4d6697b198249739149d4d177638858b5b91841fc9157 7495 ust_0.7-2.1.debian.tar.gz
0a4daba7e2704cf23610293b8743884905edfe7b6fadced70c0a949f90ba148c 120426 libust0_0.7-2.1_i386.deb
0b1ca1bfb35d920e27756d07ccf7dfc7fb4a157f3a69858fcf581e52298c0f83 131252 libust-dev_0.7-2.1_i386.deb
3eda0fae7dc2190cf3acf1a30b1a31b22e1a55d02f2c7eef1ff1bb781439825d 36168 ust-bin_0.7-2.1_i386.deb
Files:
8251083abec1879fa58729bf9c6a4a7c 1818 libs extra ust_0.7-2.1.dsc
54b8b94ddc80604ba18e3020d91691e1 7495 libs extra ust_0.7-2.1.debian.tar.gz
1cb0578aab98638f60566738d8c4ad3a 120426 libs extra libust0_0.7-2.1_i386.deb
f923645e8c5f742a4b6456dd75e2f0d8 131252 libdevel extra libust-dev_0.7-2.1_i386.deb
490bed4b764ebb08e6ece46aeb8930e9 36168 utils extra ust-bin_0.7-2.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---