* Moritz Muehlenhoff <j...@inutil.org> wrote:
> On Mon, Nov 15, 2010 at 05:13:22PM -0500, Jon Bernard wrote:
> > * Moritz Muehlenhoff <j...@inutil.org> wrote:
> > > On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> > > > The following message is a courtesy copy of an article
> > > > that has been posted to gmane.linux.debian.devel.release as well.
> > > >
> > > >
> > > > Julien Cristau <jcris...@debian.org> writes:
> > > > | Newsgroups: gmane.linux.debian.devel.release
> > > > | Subject: Re: Security unblock requests
> > > > | Date: Sat, 23 Oct 2010 15:13:20 +0200
> > > > | Message-ID: <20101023131320.gs3...@radis.liafa.jussieu.fr>
> > > > |
> > > > > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> > > > >
> > > > >> More unblock requests:
> > > > >> ust/0.7-2.1 -> CVE-2010-3386
> > > > >
> > > > > 52 files changed, 3116 insertions(+), 1232 deletions(-)
> > > >
> > > > Need more information. Local check:
> > > >
> > > > $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc
> > > > | lsdiff
> > > > ust-0.7/debian/changelog
> > > > ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
> > > > ust-0.7/debian/patches/series
> > > >
> > > > $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc
> > > > | filterdiff -x '*changelog' | wc -l
> > > > 50
> > >
> > > What is the status? This is still unfixed in Squeeze.
> >
> > Hi Moritz, sorry for the delay. I would prefer to backport the upstream
> > patch for this bug and create a security update for the version in
> > squeeze (version 0.5-1).
> >
> > I believe this is the correct thing to do, but I have never dealt with
> > a security issue in one of my packages going into a release, so I'm
> > a bit nervous about what to do.
> >
> > What is your suggestion on how to proceed?
> >
> - Create a Squeeze chroot or use a Squeeze installation
> - apt-get source ust
> - Apply the patch you've referenced
> - Set the version number to "0.5-1+squeeze1" and the "distribution" to
>   "testing"
> - Build and test
> - Send the debdiff to this bug and CC debian-rele...@lists.debian.org for
>   review
> - Once acked by them, upload
> - Rejoice
I propose the attached patch for the ust package in squeeze to resolve this
bug. This patch has been prepared for the current version in squeeze; please
let me know what you think. If all looks well, I will upload.

Cheers

--
Jon
diffstat for ust-0.5 ust-0.5 changelog | 6 patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch | 84 ++++++++++ patches/series | 1 3 files changed, 91 insertions(+) diff -Nru ust-0.5/debian/changelog ust-0.5/debian/changelog --- ust-0.5/debian/changelog 2010-07-02 11:34:52.000000000 -0400 +++ ust-0.5/debian/changelog 2010-11-30 21:23:43.000000000 -0500 @@ -1,3 +1,9 @@ +ust (0.5-1+squeeze1) testing; urgency=low + + * Backport upstream fix for CVE-2010-3386 (Bug #598309) + + -- Jon Bernard <jbern...@debian.org> Tue, 30 Nov 2010 21:21:25 -0500 + ust (0.5-1) unstable; urgency=low * [79cd16] Imported Upstream version 0.5 diff -Nru ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch --- ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch 1969-12-31 19:00:00.000000000 -0500 +++ ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch 2010-11-30 21:23:43.000000000 -0500 
@@ -0,0 +1,84 @@ +From: Jon Bernard <jbern...@debian.org> +Date: Tue, 30 Nov 2010 13:40:04 -0500 +Subject: [PATCH] Backport upstream fix for CVE-2010-3386 (Bug #598309) + +When there's an empty item on the colon-separated list of +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given +script (usttrace) is executed from a directory where a potential, local, +attacker can write files to, there's a chance to exploit this bug. + +This patch was applied upstream in version 0.8. +--- + usttrace | 47 +++++++++++++++++++++++++++++++++++++---------- + 1 files changed, 37 insertions(+), 10 deletions(-) + +diff --git a/usttrace b/usttrace +index dc159f2..5fdb52f 100755 +--- a/usttrace ++++ b/usttrace +@@ -132,27 +132,54 @@ fi + + if [ "$arg_preload_libust" = "1" ]; + then +- if [ -n "${LIBUST_PATH%libust.so}" ] ; then +- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" ++ if [ -n "${LIBUST_PATH%libust.so}" ]; ++ then ++ if [ -n "$LD_LIBRARY_PATH" ]; ++ then ++ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" ++ else ++ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}" ++ fi ++ fi ++ if [ -n "$LIBUST_PATH" ]; ++ then ++ if [ -n "$LD_PRELOAD" ]; ++ then ++ export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH" ++ else ++ export LD_PRELOAD="$LIBUST_PATH" ++ fi + fi +- export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH" + fi + +- if [ "$arg_ld_std_ust" = "1" ]; ++ if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ]; + then +- if [ -n "$${LIBUST_PATH%libust.so}" ] ; then +- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" ++ if [ -n "$LD_LIBRARY_PATH" ]; ++ then ++ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" ++ else ++ export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}" + fi + fi + +- if [ "$arg_preload_malloc" = "1" ]; ++ if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ]; + then +- export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH" ++ if [ -n "$LD_PRELOAD" ]; ++ then ++ 
export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH" ++ else ++ export LD_PRELOAD="$LIBMALLOCWRAP_PATH" ++ fi + fi + +- if [ "$arg_preload_fork" = "1" ]; ++ if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ]; + then +- export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH" ++ if [ -n "$LD_PRELOAD" ]; ++ then ++ export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH" ++ else ++ export LD_PRELOAD="$LIBINTERFORK_PATH" ++ fi + fi + + # Execute the command +-- diff -Nru ust-0.5/debian/patches/series ust-0.5/debian/patches/series --- ust-0.5/debian/patches/series 2010-07-02 11:34:52.000000000 -0400 +++ ust-0.5/debian/patches/series 2010-11-30 21:23:43.000000000 -0500 @@ -1 +1,2 @@ +0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch info-dir-section.diff
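Review bot: the debian/changelog hunk does not actually close the bug: `* Backport upstream fix for CVE-2010-3386 (Bug #598309)` mentions the number in free text, so the BTS will not mark #598309 as fixed when 0.5-1+squeeze1 is accepted; write it as `* Backport upstream fix for CVE-2010-3386 (Closes: #598309)`. In the same hunk, `urgency=low` is unusual for a CVE fix; security updates are conventionally uploaded with `urgency=high`.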
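Review bot: in the usttrace hunk the new `if [ -n "$LD_LIBRARY_PATH" ]` / `if [ -n "$LD_PRELOAD" ]` guards remove only the empty leading element the script itself produced by appending `:$...` to an unset variable; a caller-supplied LD_LIBRARY_PATH or LD_PRELOAD that already contains an empty component (`a::b`, a leading or trailing `:`) is exported unchanged, which is the caller's environment rather than this script's fault but deserves one sentence in the patch description so the limited scope of the fix is clear. The restructured `arg_ld_std_ust` condition also quietly repairs the pre-existing `-n "$${LIBUST_PATH%libust.so}"` test, where `$$` expanded to the shell PID and made the check always true; mention that in the description as well. Since the description says the change was applied upstream in 0.8, add DEP-3 headers (`Origin: upstream, <upstream commit reference>` and `Bug-Debian: http://bugs.debian.org/598309`) above the body. For the "Build and test" step, a sufficient check is to run usttrace with LD_LIBRARY_PATH and LD_PRELOAD unset and confirm that neither exported value in the child environment begins or ends with `:`.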
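Review bot: the debian/patches/series hunk inserts `0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch` ahead of the existing `info-dir-section.diff` rather than appending it; new patches are conventionally added at the end of the series so the existing stack keeps its order. Provided info-dir-section.diff does not also touch usttrace, the ordering has no effect on the built package, so this is a style point only.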