Debian Bug report logs -
#495758
kwave has rpath to insecure location (/build/buildd/kwave-0.7.10/build/mt:/build/buildd/kwave-0.7.10/build/libgui:/build/buildd/kwave-0.7.10/build/libkwave)
Reported by: Bill Allombert <ballombe@debian.org>
Date: Wed, 20 Aug 2008 09:00:01 UTC
Severity: serious
Tags: security
Found in version kwave/0.7.10-1.1
Fixed in version kwave/0.7.11-1
Done: Ana Beatriz Guerrero Lopez <ana@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Bertrand Songis <bsongis@gmail.com>:
Bug#495758; Package kwave.
(full text, mbox, link).
Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
New Bug report received and forwarded. Copy sent to Bertrand Songis <bsongis@gmail.com>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: kwave
Version: 0.7.10-1.1
Severity: serious
Tags: security
Hello Bertrand,
kwave includes a binary /tmp/kwave//usr/share/apps/kwave/plugins/about
with a rpath pointing to
/build/buildd/kwave-0.7.10/build/mt:/build/buildd/kwave-0.7.10/build/libgui:/build/buildd/kwave-0.7.10/build/libkwave.
This allows an attacker with write access to that directory to
add modified libraries which will be loaded when someone
else run kwave.
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.
Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Songis <bsongis@gmail.com>:
Bug#495758; Package kwave.
(full text, mbox, link).
Acknowledgement sent to Thomas Eschenbacher <Thomas.Eschenbacher@gmx.de>:
Extra info received and forwarded to list. Copy sent to Bertrand Songis <bsongis@gmail.com>.
(full text, mbox, link).
Message #10 received at 495758@bugs.debian.org (full text, mbox, reply):
I can confirm this, it is reproducable with v0.7.10.
It is reproducably fixed in v0.7.11.
Please upgrade Kwave to v0.7.11 ...
Thomas
Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Songis <bsongis@gmail.com>:
Bug#495758; Package kwave.
(full text, mbox, link).
Acknowledgement sent to Ana Guerrero <ana@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Songis <bsongis@gmail.com>.
(full text, mbox, link).
Message #15 received at 495758@bugs.debian.org (full text, mbox, reply):
On Sat, Sep 06, 2008 at 11:28:28AM +0200, Thomas Eschenbacher wrote:
> I can confirm this, it is reproducable with v0.7.10.
>
> It is reproducably fixed in v0.7.11.
> Please upgrade Kwave to v0.7.11 ...
>
For the record, i am working in a QA upload for kwave 0.7.11 and yes, this is
fixed there.
Ana
Reply sent to Ana Beatriz Guerrero Lopez <ana@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Bill Allombert <ballombe@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #20 received at 495758-close@bugs.debian.org (full text, mbox, reply):
Source: kwave
Source-Version: 0.7.11-1
We believe that the bug you reported is fixed in the latest version of
kwave, which is due to be installed in the Debian FTP archive:
kwave_0.7.11-1.diff.gz
to pool/main/k/kwave/kwave_0.7.11-1.diff.gz
kwave_0.7.11-1.dsc
to pool/main/k/kwave/kwave_0.7.11-1.dsc
kwave_0.7.11-1_amd64.deb
to pool/main/k/kwave/kwave_0.7.11-1_amd64.deb
kwave_0.7.11.orig.tar.gz
to pool/main/k/kwave/kwave_0.7.11.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 495758@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <ana@debian.org> (supplier of updated kwave package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 31 Aug 2008 14:20:52 +0200
Source: kwave
Binary: kwave
Architecture: source amd64
Version: 0.7.11-1
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Ana Beatriz Guerrero Lopez <ana@debian.org>
Description:
kwave - sound editor for KDE
Closes: 367036 419124 482248 495758
Changes:
kwave (0.7.11-1) unstable; urgency=low
.
* QA upload:
Orphan package, Bertrand Songis has been inactive for more than 6 months
and upstream author has tried to reach him for months now without success.
* New upstream version:
- Kwave does not longer use aRts. (Closes: #367036)
- Add several patches provided by upstream:
01-dont-link-arts-when-disabled.diff
02-explicitely-link-libaudiofile.diff
03-kwave-plugins-in-moduledir.diff
04-disable-mp3-per-default.diff
* Add -DCMAKE_SKIP_RPATH=true to cmake configure, fixes rpath issue.
(Closes: #495758)
* Remove leftovers from autotools transition to cmake:
- No more usage of debianrules file.
- Remove relibtoolization bits and cleaninf of debian/rules.
- Remove build depends on: automake1.7, autoconf, autotools-dev, perl,
debianutils.
* Replace build depend on kdemultimedia-dev with kdelibs4-dev.
* Remove dpatch system and add quilt instead.
* Update to Standards-Version 3.8.0, no changes required.
* Add build depend on mawk. Thanks Thomas! (Closes: #482248)
* Update copyright file. (Closes: #419124)
* Update overrides.
* Update to debhelper compatibility 6.
Checksums-Sha1:
26db0a342e595e9e903116ba187db69ac50b2a75 1234 kwave_0.7.11-1.dsc
7760b8305ee79b78e146ca4a2cad44cca796b5bf 2824866 kwave_0.7.11.orig.tar.gz
57b68f6ee5fc4c255d691d22069aba0204b039df 14292 kwave_0.7.11-1.diff.gz
9cc66c85b3b4d4800f27384773b37aec24d44647 3257026 kwave_0.7.11-1_amd64.deb
Checksums-Sha256:
67b51526e5ccc9f953dd7e830584fcfee5da415fd29015ae250b42ba9bb975ed 1234 kwave_0.7.11-1.dsc
2a5b136b6ef650f013821c364fc40fe90096cebe93ec212a29f60a73b211a6f2 2824866 kwave_0.7.11.orig.tar.gz
44332404d58281403c87e9f15ce030a5df356c2bace3f62671553d30467bc892 14292 kwave_0.7.11-1.diff.gz
ec8b50742e6c82d4d4fa8ec4fcd87e8acda5e0befb097421e67708763230ec3d 3257026 kwave_0.7.11-1_amd64.deb
Files:
826623832095e5f317ae4ae23534397d 1234 kde optional kwave_0.7.11-1.dsc
1becb916484b9c5136b336c4731080b4 2824866 kde optional kwave_0.7.11.orig.tar.gz
45a729b5959462150d38cbebc338544a 14292 kde optional kwave_0.7.11-1.diff.gz
257b2ec1f3f90d94a699167be977685d 3257026 kde optional kwave_0.7.11-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Signed by Ana Guerrero
iEYEARECAAYFAkjGcaAACgkQn3j4POjENGEZRACfclxvB2C0AEzdu6Sfq1FEXBZ2
0JsAn0DDVE/p65AyqxqDsD76I1A+t355
=rOQH
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 12 Oct 2008 07:33:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jan 11 06:30:38 2018;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.