Debian Bug report logs - #598287
dropbox: CVE-2010-3354: insecure library loading


Package: dropbox; Maintainer for dropbox is (unknown);

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:18 UTC

Severity: important

Tags: security

Found in version dropbox/0.7.110-1

Fixed in version dropbox/0.8.107-1

Done: Ivan Borzenkov <ivan1986@list.ru>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Ivan Borzenkov <ivan1986@list.ru>:
Bug#598287; Package dropbox. (Tue, 28 Sep 2010 04:24:21 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Ivan Borzenkov <ivan1986@list.ru>. (Tue, 28 Sep 2010 04:24:21 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: dropbox: CVE-2010-3354: insecure library loading
Date: Tue, 28 Sep 2010 04:21:30 +0000
Package: dropbox
Version: 0.7.110-1+b2
Severity: important
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/lib/dropbox/dropboxd line 9:
LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3354. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

I've already tried to contact upstream via their tickets system,
without response so far.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3354
[1] http://security-tracker.debian.org/tracker/CVE-2010-3354

Sincerely,
Raphael Geissert
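The construction the report describes and the usual hardened form, as an added example that is not code from the dropbox package or from the reporter. The wrapper written by write_sample_wrapper is a constructed stand-in for the purpose of the demonstration, not the real /usr/lib/dropbox/dropboxd, and all function names are illustrative.

```shell
#!/bin/sh
# Added example for CVE-2010-3354-style LD_LIBRARY_PATH handling.
# Not the dropbox package's wrapper and not code from the bug report;
# the sample wrapper below is constructed for this demonstration.

# The report's construction. When the inherited LD_LIBRARY_PATH is unset
# or empty the result ends in ':' and ld.so reads that empty element as
# the current working directory.
vulnerable_ldpath() {
    par=$1
    inherited=$2
    printf '%s\n' "$par:$inherited"
}

# Hardened construction: ${VAR:+word} expands to word only when VAR is
# set and non-empty, so no separator is emitted for an empty value.
safe_ldpath() {
    par=$1
    inherited=$2
    printf '%s\n' "$par${inherited:+:$inherited}"
}

# True (exit 0) when a colon-separated search list has an empty element:
# a leading ':', a trailing ':', a '::' in the middle, or the whole value
# being empty. Wrapping the value in ':' turns every case into '::'.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Audit a script: print LD_LIBRARY_PATH assignments that splice in a bare
# $LD_LIBRARY_PATH or ${LD_LIBRARY_PATH} without the :+ guard.
# Output is grep -n's "LINE:TEXT"; exit status is 0 if anything was found.
find_unguarded_ldpath() {
    grep -n 'LD_LIBRARY_PATH=' "$1" \
        | grep -v 'LD_LIBRARY_PATH:+' \
        | grep -E '\$\{?LD_LIBRARY_PATH'
}

# Constructed stand-in for a wrapper script (not /usr/lib/dropbox/dropboxd)
# with one unguarded assignment on line 3 and a guarded one on line 5.
write_sample_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
PAR=/usr/lib/dropbox
LD_LIBRARY_PATH=$PAR:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
LD_LIBRARY_PATH=$PAR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
EOF
}

# Demo when run as: sh ldpath_check.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "vulnerable: $(vulnerable_ldpath /usr/lib/dropbox "")"
    echo "hardened:   $(safe_ldpath /usr/lib/dropbox "")"
    tmp=$(mktemp)
    write_sample_wrapper "$tmp"
    echo "unguarded assignments in sample wrapper:"
    find_unguarded_ldpath "$tmp"
    rm -f "$tmp"
fi
```

The Debian fix recorded in the changelog below was to drop the dropboxd script altogether; the `${VAR:+:$VAR}` form is the general fix when the wrapper has to stay. Two caveats for anyone auditing similar scripts: the same empty-element rule applies to the `::` and leading-colon cases, not only to the trailing colon the report shows, and ld.so ignores LD_LIBRARY_PATH for set-user-ID and set-group-ID binaries, so the exposure here is to the invoking user's own privileges when the script is started from a directory another local user can write to.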

Reply sent to Ivan Borzenkov <ivan1986@list.ru>:
You have taken responsibility. (Tue, 28 Sep 2010 06:51:07 GMT)

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Tue, 28 Sep 2010 06:51:07 GMT)

Message #10 received at 598287-close@bugs.debian.org:

From: Ivan Borzenkov <ivan1986@list.ru>
To: 598287-close@bugs.debian.org
Subject: Bug#598287: fixed in dropbox 0.8.107-1
Date: Tue, 28 Sep 2010 06:47:32 +0000
Source: dropbox
Source-Version: 0.8.107-1

We believe that the bug you reported is fixed in the latest version of
dropbox, which is due to be installed in the Debian FTP archive:

dropbox_0.8.107-1.debian.tar.gz
  to non-free/d/dropbox/dropbox_0.8.107-1.debian.tar.gz
dropbox_0.8.107-1.dsc
  to non-free/d/dropbox/dropbox_0.8.107-1.dsc
dropbox_0.8.107-1_amd64.deb
  to non-free/d/dropbox/dropbox_0.8.107-1_amd64.deb
dropbox_0.8.107.orig-amd64.tar.bz2
  to non-free/d/dropbox/dropbox_0.8.107.orig-amd64.tar.bz2
dropbox_0.8.107.orig-i386.tar.bz2
  to non-free/d/dropbox/dropbox_0.8.107.orig-i386.tar.bz2
dropbox_0.8.107.orig.tar.bz2
  to non-free/d/dropbox/dropbox_0.8.107.orig.tar.bz2

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598287@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivan Borzenkov <ivan1986@list.ru> (supplier of updated dropbox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 19 Sep 2010 01:48:36 +0400
Source: dropbox
Binary: dropbox
Architecture: source amd64
Version: 0.8.107-1
Distribution: unstable
Urgency: low
Maintainer: Ivan Borzenkov <ivan1986@list.ru>
Changed-By: Ivan Borzenkov <ivan1986@list.ru>
Description: 
 dropbox    - secure backup, sync and sharing util
Closes: 592961 598287
Changes: 
 dropbox (0.8.107-1) unstable; urgency=low
 .
   * New upstream release
     0.8.107:
     - Fix issue when deleting files under short paths on the web interface.
     - Fix possible infinite loop when Moving Dropbox.
     - Support Debian style alternatives for web browser.
     - Other smaller fixes
 .
     0.8.106:
     - Better syslog for certain errors on Linux and OSX.
     - Small UI fixes.
     - Other smaller fixes
 .
     0.8.105:
     - Fix regression in 0.8.104 that would cause Dropbox to redownload blocks.
     - Other smaller fixes
 .
     0.8.104:
     - Fix rare hangs when Dropbox is syncing.
   * does not crash after start (Closes: #592961)
   * remove dropboxd (Closes: #598287)
Checksums-Sha1: 
 7ecc5d6418eb3da1a7dac2f0bbf73d19edf818a9 1715 dropbox_0.8.107-1.dsc
 d0fdd0a6f94ee6ea2e14a6134e0aff6e1b245c40 14491007 dropbox_0.8.107.orig-amd64.tar.bz2
 7a8bdcab939bd01e31c7c64b538dbcbb830270a9 13657093 dropbox_0.8.107.orig-i386.tar.bz2
 778c617f5a93de6905189cbd02d1d2d24ae112dd 26926 dropbox_0.8.107.orig.tar.bz2
 17fd8d4a7a133d031a1262dad9e61e3b58e4ccc4 8627 dropbox_0.8.107-1.debian.tar.gz
 a2781f6607516ed9951ab50873683e54797c48ac 14861252 dropbox_0.8.107-1_amd64.deb
Checksums-Sha256: 
 4fea7876c87b7eec25a18b09abf7edb29e508fe4194e36dfc8e27f56bad3b351 1715 dropbox_0.8.107-1.dsc
 624c5ea473653cd2053cc5c6ff6ab3ce53e17e3116877e8912659e1e7e3cd3bb 14491007 dropbox_0.8.107.orig-amd64.tar.bz2
 38cd9438a25d4418f2adde7171a9bc0d1490979b83e2b5b7b2c30a6b4451d6ac 13657093 dropbox_0.8.107.orig-i386.tar.bz2
 2ad465546af6f28e04e1ea415cbf1d46d013fba6d8b7e35eda3abe8bad5dc559 26926 dropbox_0.8.107.orig.tar.bz2
 d794ccec330437f4d694d33e943de1d021cc14cedc4435d85e6130e2b6f47311 8627 dropbox_0.8.107-1.debian.tar.gz
 89fddef789c7adbecc8e36889f6aa3b133c0732f5de8dd0bb5df6a659cfb8530 14861252 dropbox_0.8.107-1_amd64.deb
Files: 
 81f5c0bdf3e6d551cc7fcdf22ba6a37d 1715 non-free/net extra dropbox_0.8.107-1.dsc
 08d27c0dd55c1780ea8967f2070cb247 14491007 non-free/net extra dropbox_0.8.107.orig-amd64.tar.bz2
 c88cbb79d1e7c06531442a8a34a1f048 13657093 non-free/net extra dropbox_0.8.107.orig-i386.tar.bz2
 ae7adb8529a4df2bb95002e7379490a3 26926 non-free/net extra dropbox_0.8.107.orig.tar.bz2
 dea510ce2a25f32f2ebed47897a0a179 8627 non-free/net extra dropbox_0.8.107-1.debian.tar.gz
 cfaaec90b52bed6fb2042b9ad58495ad 14861252 non-free/net extra dropbox_0.8.107-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAkyhjBEACgkQq4wAz/jiZTfHJACdEAYcOMLmXZy0aPVKMpj7yghK
tjoAoKMVO1J46HcXoQtSeOB7teixoe7n
=kre9
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Oct 2010 07:38:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:35:01 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.