Debian Bug report logs - #598288
ember: CVE-2010-3355: insecure library loading


Package: ember; Maintainer for ember is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for ember is src:ember.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:21 UTC

Severity: grave

Tags: patch, security

Found in version ember/0.5.7-1

Fixed in version ember/0.5.7-1.1

Done: Etienne Millon <etienne.millon@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Michael Koch <konqueror@gmx.de>:
Bug#598288; Package ember. (Tue, 28 Sep 2010 04:24:24 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Michael Koch <konqueror@gmx.de>. (Tue, 28 Sep 2010 04:24:24 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: ember: CVE-2010-3355: insecure library loading
Date: Tue, 28 Sep 2010 04:21:34 +0000
Package: ember
Version: 0.5.7-1+b1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/games/ember line 60:
LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3355. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3355
[1] http://security-tracker.debian.org/tracker/CVE-2010-3355

Sincerely,
Raphael Geissert
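
The empty-item problem described in the report above, as an added shell example (not part of the original message and not the patch attached to this bug). The function names and sample paths are constructed for illustration; it contrasts the reported assignment pattern with a form that never emits an empty list item.

```shell
#!/bin/sh
# Added example; function names and sample paths are constructed.

# Pattern quoted in the report: dir + ':' + previous value. When the previous
# value is empty the result ends in ':', i.e. it carries an empty item that
# ld.so treats as the current directory.
prepend_unsafe() {  # $1 = directory to add, $2 = previous LD_LIBRARY_PATH
    printf '%s\n' "$1:$2"
}

# Hardened pattern: ${old:+:$old} expands to nothing when old is unset or
# empty, so the ':' separator only appears when there is a previous value.
prepend_safe() {
    old=$2
    printf '%s\n' "$1${old:+:$old}"
}

# Returns 0 when a non-empty list has an empty item (leading, trailing or
# doubled colon), 1 otherwise. Useful for auditing wrapper scripts' output.
has_empty_item() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drops empty items from an inherited list before it is reused.
strip_empty_items() {
    out=
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for item in $1; do
        if [ -n "$item" ]; then
            out="${out:+$out:}$item"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Demonstration with an empty inherited value (constructed input).
for f in prepend_unsafe prepend_safe; do
    result=$("$f" /usr/lib/ember "")
    if has_empty_item "$result"; then verdict="empty item present"; else verdict="ok"; fi
    printf '%-15s -> %-18s %s\n' "$f" "$result" "$verdict"
done
```

`prepend_safe` only avoids adding a new empty item; an inherited value that already contains one still needs `strip_empty_items` first.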




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Koch <konqueror@gmx.de>:
Bug#598288; Package ember. (Mon, 11 Oct 2010 13:51:03 GMT)

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Michael Koch <konqueror@gmx.de>. (Mon, 11 Oct 2010 13:51:03 GMT)

Message #10 received at 598288@bugs.debian.org:

From: Etienne Millon <etienne.millon@gmail.com>
To: 598288@bugs.debian.org
Subject: Patch for CVE-2010-3355
Date: Mon, 11 Oct 2010 15:46:18 +0200
Dear maintainer,

Here is a NMU patch that fixes this issue.

Regards,

-- 
Etienne Millon
[ember-CVE-2010-3355.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Etienne Millon <etienne.millon@gmail.com> to control@bugs.debian.org. (Mon, 11 Oct 2010 13:57:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Koch <konqueror@gmx.de>:
Bug#598288; Package ember. (Fri, 15 Oct 2010 22:30:03 GMT)

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Michael Koch <konqueror@gmx.de>. (Fri, 15 Oct 2010 22:30:03 GMT)

Message #17 received at 598288@bugs.debian.org:

From: Jari Aalto <jari.aalto@cante.net>
To: 598288@bugs.debian.org
Subject: Bug#598288: Intent to NMU: grave, security (ember: CVE-2010-3355: insecure library loading)
Date: Sat, 16 Oct 2010 01:26:54 +0300
I have some free time and I am offering to help. Please let me know if
this bug is already being worked on or if it's okay to NMU the package.

Jari




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Koch <konqueror@gmx.de>:
Bug#598288; Package ember. (Sun, 24 Oct 2010 17:57:07 GMT)

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Michael Koch <konqueror@gmx.de>. (Sun, 24 Oct 2010 17:57:07 GMT)

Message #22 received at 598288@bugs.debian.org:

From: Etienne Millon <etienne.millon@gmail.com>
To: 598288@bugs.debian.org
Subject: ember: diff for NMU version 0.5.7-1.1
Date: Sun, 24 Oct 2010 19:55:48 +0200
tags 598288 + pending
thanks

Dear maintainer,

I've prepared an NMU for ember (versioned as 0.5.7-1.1) and uploaded
it to mentors.d.n at the following address:

http://mentors.debian.net/debian/pool/main/e/ember/ember_0.5.7-1.1.dsc

Regards.

-- 
Etienne Millon
[ember-0.5.7-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Etienne Millon <etienne.millon@gmail.com> to control@bugs.debian.org. (Sun, 24 Oct 2010 17:57:09 GMT)

Reply sent to Etienne Millon <etienne.millon@gmail.com>:
You have taken responsibility. (Wed, 27 Oct 2010 21:51:03 GMT)

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 27 Oct 2010 21:51:03 GMT)

Message #29 received at 598288-close@bugs.debian.org:

From: Etienne Millon <etienne.millon@gmail.com>
To: 598288-close@bugs.debian.org
Subject: Bug#598288: fixed in ember 0.5.7-1.1
Date: Wed, 27 Oct 2010 21:47:13 +0000
Source: ember
Source-Version: 0.5.7-1.1

We believe that the bug you reported is fixed in the latest version of
ember, which is due to be installed in the Debian FTP archive:

ember_0.5.7-1.1.diff.gz
  to main/e/ember/ember_0.5.7-1.1.diff.gz
ember_0.5.7-1.1.dsc
  to main/e/ember/ember_0.5.7-1.1.dsc
ember_0.5.7-1.1_amd64.deb
  to main/e/ember/ember_0.5.7-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598288@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Etienne Millon <etienne.millon@gmail.com> (supplier of updated ember package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 24 Oct 2010 17:40:16 +0200
Source: ember
Binary: ember
Architecture: source amd64
Version: 0.5.7-1.1
Distribution: unstable
Urgency: high
Maintainer: Michael Koch <konqueror@gmx.de>
Changed-By: Etienne Millon <etienne.millon@gmail.com>
Description: 
 ember      - 3D client of the WorldForge project
Closes: 598288
Changes: 
 ember (0.5.7-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * ember, ember.in
     - Proper escape of LD_LIBRARY_PATH, fixes CVE-2010-3355 "insecure library
       loading" (grave, security; Closes: #598288)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:34:12 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:35:09 2014; Machine Name: buxtehude.debian.org
