Debian Bug report logs - #598285
bristol: CVE-2010-3351: insecure library loading


Package: bristol; Maintainer for bristol is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for bristol is src:bristol.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:11 UTC

Severity: grave

Tags: security, sid, squeeze, upstream

Found in version bristol/0.60.5-1

Fixed in versions bristol/0.60.6-2, bristol/0.60.5-2

Done: Alessio Treglia <alessio@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/support/tracker.php?aid=3077160



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#598285; Package bristol. (Tue, 28 Sep 2010 04:24:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 04:24:14 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: bristol: CVE-2010-3351: insecure library loading
Date: Tue, 28 Sep 2010 04:21:22 +0000
Package: bristol
Version: 0.60.5-1+b1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Note that there's also a missing slash on the second entry (_usr_/lib.)

This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351

Sincerely,
Raphael Geissert
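
The empty-item behaviour described in the report above, shown as an added example that is not part of the bug report or of startBristol. The function names `risky_ld_entries` and `clean_ld_path` and the sample `BRISTOL` value are assumptions made for illustration; the first function lists the entries ld.so would resolve against the current directory, the second rebuilds the path from absolute entries only.

```shell
#!/bin/sh
# Added example (not from startBristol): audit and rebuild LD_LIBRARY_PATH.

# Print every entry of a colon-separated search path that is resolved
# relative to the current directory: empty items and non-absolute paths.
# Returns 0 when the value is clean, 1 when at least one entry is risky.
risky_ld_entries() {
    [ -n "$1" ] || return 0            # nothing to audit
    rest="$1:" found=0                 # trailing ":" makes the loop see a final empty item
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                               # absolute: fine
            '') echo "<empty>"; found=1 ;;       # treated as "."
            *)  echo "$entry";  found=1 ;;       # relative, e.g. usr/lib
        esac
    done
    return "$found"
}

# Rebuild a search path from the arguments, keeping only absolute entries.
# Empty arguments (an unset variable) and relative entries are dropped, so
# the result never contains "::", a leading ":" or a trailing ":".
clean_ld_path() {
    out=
    for arg in "$@"; do
        rest="$arg:"
        while [ -n "$rest" ]; do
            entry=${rest%%:*}
            rest=${rest#*:}
            case $entry in /*) out=${out:+$out:}$entry ;; esac
        done
    done
    printf '%s\n' "$out"
}

# Constructed sample values: the caller's LD_LIBRARY_PATH is unset and
# BRISTOL points at a hypothetical install prefix.
caller_path=
BRISTOL=/opt/bristol
reported="/usr/local/lib:usr/lib:${caller_path}:${BRISTOL}/lib"

echo "value built the way the report quotes it: $reported"
risky_ld_entries "$reported" || echo "-> entries above resolve against the CWD"
echo "rebuilt: $(clean_ld_path /usr/local/lib /usr/lib "$caller_path" "$BRISTOL/lib")"
```

The check can be run over any script that extends LD_LIBRARY_PATH by feeding it the value the script would export when the caller's variable is unset.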




Set Bug forwarded-to-address to 'https://sourceforge.net/support/tracker.php?aid=3077160'. Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 10:57:04 GMT) Full text and rfc822 format available.

Added tag(s) squeeze, sid, and upstream. Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 10:57:05 GMT) Full text and rfc822 format available.

Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Wed, 29 Sep 2010 10:21:03 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 10:21:03 GMT) Full text and rfc822 format available.

Message #14 received at 598285-close@bugs.debian.org (full text, mbox):

From: Alessio Treglia <alessio@debian.org>
To: 598285-close@bugs.debian.org
Subject: Bug#598285: fixed in bristol 0.60.6-2
Date: Wed, 29 Sep 2010 10:17:26 +0000
Source: bristol
Source-Version: 0.60.6-2

We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:

bristol-data_0.60.6-2_all.deb
  to main/b/bristol/bristol-data_0.60.6-2_all.deb
bristol_0.60.6-2.debian.tar.gz
  to main/b/bristol/bristol_0.60.6-2.debian.tar.gz
bristol_0.60.6-2.dsc
  to main/b/bristol/bristol_0.60.6-2.dsc
bristol_0.60.6-2_amd64.deb
  to main/b/bristol/bristol_0.60.6-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated bristol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 29 Sep 2010 12:03:25 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.6-2
Distribution: experimental
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description: 
 bristol    - vintage synthesizer emulator
 bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes: 
 bristol (0.60.6-2) experimental; urgency=low
 .
   * Add patch to prevent insecure library loading;
     Closes: #598285, CVE-2010-3351
   * Add local-options file.





Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Wed, 29 Sep 2010 13:33:12 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 13:33:12 GMT) Full text and rfc822 format available.

Message #19 received at 598285-close@bugs.debian.org (full text, mbox):

From: Alessio Treglia <alessio@debian.org>
To: 598285-close@bugs.debian.org
Subject: Bug#598285: fixed in bristol 0.60.5-2
Date: Wed, 29 Sep 2010 13:32:10 +0000
Source: bristol
Source-Version: 0.60.5-2

We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:

bristol-data_0.60.5-2_all.deb
  to main/b/bristol/bristol-data_0.60.5-2_all.deb
bristol_0.60.5-2.diff.gz
  to main/b/bristol/bristol_0.60.5-2.diff.gz
bristol_0.60.5-2.dsc
  to main/b/bristol/bristol_0.60.5-2.dsc
bristol_0.60.5-2_amd64.deb
  to main/b/bristol/bristol_0.60.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated bristol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 29 Sep 2010 14:54:22 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description: 
 bristol    - vintage synthesizer emulator
 bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes: 
 bristol (0.60.5-2) unstable; urgency=high
 .
   * Add patch to solve security issue CVE-2010-3351:
     - Fix insecure library loading (Closes: #598285);
       bump urgency to high.
   * Add debian/gbp.conf file.
   * Bump Standards.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Oct 2010 07:34:44 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 23:00:56 2014; Machine Name: buxtehude.debian.org
