Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Tue, 28 Sep 2010 04:24:14 GMT)
Package: bristol
Version: 0.60.5-1+b1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.
Vulnerable code follows:
/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential
local attacker can write files to, there's a chance to exploit this
bug.
Note that there's also a missing slash on the second entry (_usr_/lib.)
This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351
Sincerely,
Raphael Geissert
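The two defects the report describes (an empty colon-separated entry that ld.so searches as the current directory, and the relative `usr/lib` entry) are easy to reproduce and easy to check for mechanically. The following POSIX sh snippet is an added example and is not code from the bristol package or from the Debian patch that closed this bug: it rebuilds the vulnerable value for inspection, shows one hardened way to assemble the path so that no empty or relative entry can appear, and provides an audit helper that flags any LD_LIBRARY_PATH value with those properties. The function names, the `--demo` switch and the sample prefix `/opt/bristol` are all constructed for the example.

```shell
# Added example, not part of the bristol package. BRISTOL is assumed to hold
# the synthesizer's install prefix, as the original startBristol script does.

# The value the report's line 350 would export, rebuilt here without
# exporting it. With LD_LIBRARY_PATH unset the result contains "::", an
# empty entry that ld.so treats as "." (the current directory), and the
# relative entry "usr/lib" that is also resolved against the current directory.
vulnerable_path() {
    printf '%s' "/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib"
}

# Audit helper: returns 0 when every entry of the given value is an absolute
# directory, 1 when it contains an empty entry (leading, trailing or "::")
# or a relative entry. An entirely empty value is accepted: glibc ignores it.
check_ld_path() {
    case "$1" in
        *::*|:*|*:) return 1 ;;          # empty entry somewhere in the list
    esac
    old_ifs=$IFS
    IFS=:
    for entry in $1; do                  # split on ":" only
        case "$entry" in
            /*) ;;                       # absolute: fine
            *)  IFS=$old_ifs; return 1 ;;  # relative (e.g. "usr/lib" or "."): reject
        esac
    done
    IFS=$old_ifs
    return 0
}

# Append one directory to a colon-separated list, adding a separator only
# when the list is non-empty and silently dropping relative or empty input.
path_append() {
    case "$2" in
        /*) ;;
        *)  printf '%s' "$1"; return 0 ;;
    esac
    if [ -z "$1" ]; then
        printf '%s' "$2"
    else
        printf '%s:%s' "$1" "$2"
    fi
}

# Hardened construction in the same order as the original line: the
# pre-existing user value is kept only if it is set and itself passes the
# audit, so a "::" can never be produced by an unset variable.
hardened_path() {
    p=$(path_append "" /usr/local/lib)
    p=$(path_append "$p" /usr/lib)
    if [ -n "${LD_LIBRARY_PATH:-}" ] && check_ld_path "$LD_LIBRARY_PATH"; then
        p="$p:$LD_LIBRARY_PATH"
    fi
    p=$(path_append "$p" "${BRISTOL:?BRISTOL must be set}/lib")
    printf '%s' "$p"
}

# Stand-alone demo: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    BRISTOL=${BRISTOL:-/opt/bristol}     # constructed sample install prefix
    printf 'vulnerable: %s\n' "$(vulnerable_path)"
    if check_ld_path "$(vulnerable_path)"; then echo "  audit: clean"; else echo "  audit: UNSAFE entry found"; fi
    printf 'hardened:   %s\n' "$(hardened_path)"
    if check_ld_path "$(hardened_path)"; then echo "  audit: clean"; else echo "  audit: UNSAFE entry found"; fi
fi
```

The audit helper is the part worth reusing when reviewing wrapper scripts: run it over every `LD_LIBRARY_PATH` value a script exports, with the variable both set and unset, since the report's bug only appears in the unset case.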
Source: bristol
Source-Version: 0.60.6-2
We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:
bristol-data_0.60.6-2_all.deb
to main/b/bristol/bristol-data_0.60.6-2_all.deb
bristol_0.60.6-2.debian.tar.gz
to main/b/bristol/bristol_0.60.6-2.debian.tar.gz
bristol_0.60.6-2.dsc
to main/b/bristol/bristol_0.60.6-2.dsc
bristol_0.60.6-2_amd64.deb
to main/b/bristol/bristol_0.60.6-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated bristol package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 29 Sep 2010 12:03:25 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.6-2
Distribution: experimental
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description:
bristol - vintage synthesizer emulator
bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes:
bristol (0.60.6-2) experimental; urgency=low
.
* Add patch to prevent insecure library loading;
Closes: #598285, CVE-2010-3351
* Add local-options file.
Checksums-Sha1:
7669fa9394d9c355e86aa5dc95d7bd86dbc0991f 1386 bristol_0.60.6-2.dsc
d7664ed696708c5041903292fa2e31fc4db690c8 7681 bristol_0.60.6-2.debian.tar.gz
4c1c740e3a7fd80a72a2a00f96efbae684b20e94 927750 bristol_0.60.6-2_amd64.deb
3c01d806c15882318c60911d9fcd94d0a6a1625c 2837258 bristol-data_0.60.6-2_all.deb
Checksums-Sha256:
d318897c7801a502ee6978188b0465d46916750223c718c484a1958a88805794 1386 bristol_0.60.6-2.dsc
d00054983c6642fcff1149c49057059452167561eacf218fa2053814178fda8a 7681 bristol_0.60.6-2.debian.tar.gz
de4642c894aa2712272b16bb89b668c1916649cd7841dffce68736168fcbbfcd 927750 bristol_0.60.6-2_amd64.deb
89f3fd01f8801db7e54d22288227d416e3f90965fa69dc13a2dbb90ad6b7b1d0 2837258 bristol-data_0.60.6-2_all.deb
Files:
569d0ecb288452c7cfd994ae3ea05578 1386 sound optional bristol_0.60.6-2.dsc
a77accab6e648c854bf788c1b391ba46 7681 sound optional bristol_0.60.6-2.debian.tar.gz
d8ac3c70bbce2c152e6cab578766d535 927750 sound optional bristol_0.60.6-2_amd64.deb
f0951ceb1ace630f4e86698baee4473a 2837258 sound optional bristol-data_0.60.6-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjEE8ACgkQRdSMfNz8P9DLqwCfcjwO6u3jK/MjY7R9ShsOND/D
E1cAn3jmmI5+v2TVINcQ4LwQnSkhRtkP
=c4pu
-----END PGP SIGNATURE-----
Reply sent
to Alessio Treglia <alessio@debian.org>:
You have taken responsibility.
(Wed, 29 Sep 2010 13:33:12 GMT)
Notification sent
to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer.
(Wed, 29 Sep 2010 13:33:12 GMT)
Source: bristol
Source-Version: 0.60.5-2
We believe that the bug you reported is fixed in the latest version of
bristol, which is due to be installed in the Debian FTP archive:
bristol-data_0.60.5-2_all.deb
to main/b/bristol/bristol-data_0.60.5-2_all.deb
bristol_0.60.5-2.diff.gz
to main/b/bristol/bristol_0.60.5-2.diff.gz
bristol_0.60.5-2.dsc
to main/b/bristol/bristol_0.60.5-2.dsc
bristol_0.60.5-2_amd64.deb
to main/b/bristol/bristol_0.60.5-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated bristol package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 29 Sep 2010 14:54:22 +0200
Source: bristol
Binary: bristol bristol-data
Architecture: source amd64 all
Version: 0.60.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description:
bristol - vintage synthesizer emulator
bristol-data - vintage synthesizer emulator (data files)
Closes: 598285
Changes:
bristol (0.60.5-2) unstable; urgency=high
.
* Add patch to solve security issue CVE-2010-3351:
- Fix insecure library loading (Closes: #598285);
bump urgency to high.
* Add debian/gbp.conf file.
* Bump Standards.
Checksums-Sha1:
4e801cbcca484b9dc0a6cf5e0f1359d09ffbdc3e 1412 bristol_0.60.5-2.dsc
feff492d1e2f98a603b822224d534ff6b3e06ccc 7064 bristol_0.60.5-2.diff.gz
775647f00f26966bb48f9e81827bb9828415dcba 926276 bristol_0.60.5-2_amd64.deb
bebc4905e5605a094d12335756e7ea57c2fdfbc2 2836038 bristol-data_0.60.5-2_all.deb
Checksums-Sha256:
d605ee10509fecb99ec199fd7fa5f6dff7bf4ed855f08bb5e0c968d3022661be 1412 bristol_0.60.5-2.dsc
ceec75443b8b1d42fc937e87c9b9d8794f7a73a9e1736f67fa0598dcc374e991 7064 bristol_0.60.5-2.diff.gz
a43d53f3f915983a735b2c7747d307d5813ef7d45e071f6a01e512ed776c2506 926276 bristol_0.60.5-2_amd64.deb
9c586c0bcba1213edbbd0de3ac0930bbff9ba22064dbf2d9c7ec503bac98d68f 2836038 bristol-data_0.60.5-2_all.deb
Files:
687035eb38c0409dd018b5c93eea63de 1412 sound optional bristol_0.60.5-2.dsc
715577ed3f68306753cb2312d809b3c3 7064 sound optional bristol_0.60.5-2.diff.gz
2745fc9b42f3f6acb5f69044fc862abc 926276 sound optional bristol_0.60.5-2_amd64.deb
b00a5a5b07404180ed5df7802438006b 2836038 sound optional bristol-data_0.60.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyjO+wACgkQRdSMfNz8P9Cp1wCdHVQl8/qnW5pkp+JE1UL56zk3
egIAmQG4zhXdXagMIbwuMD9KLtkr9tbg
=iKm2
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 31 Oct 2010 07:34:44 GMT)