Debian Bug report logs - #598297
mistelix: CVE-2010-3365: insecure library loading

Package: mistelix; Maintainer for mistelix is Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>; Source for mistelix is src:mistelix.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:50 UTC

Severity: grave

Tags: security

Found in version mistelix/0.31-1

Fixed in version mistelix/0.31-2

Done: Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>:
Bug#598297; Package mistelix. (Tue, 28 Sep 2010 04:24:52 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>. (Tue, 28 Sep 2010 04:24:53 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: mistelix: CVE-2010-3365: insecure library loading
Date: Tue, 28 Sep 2010 04:22:17 +0000
Package: mistelix
Version: 0.31-1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/mistelix line 8:
export LD_LIBRARY_PATH=$libdir/mistelix/:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3365. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3365
[1] http://security-tracker.debian.org/tracker/CVE-2010-3365

Sincerely,
Raphael Geissert
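
Added example (not part of the original report, and not the Debian or upstream patch): the line-8 pattern next to a hardened form, with a check for the empty list item the report describes. The function names and sample paths are made up for illustration, and dropping empty items inherited from the caller is a choice of this example.

```sh
#!/bin/sh
# Added example with constructed values; not the mistelix wrapper itself.

# Return 0 if a colon-separated list has an empty item (leading ':',
# trailing ':' or '::'). A wholly empty value is treated as "no list" here.
has_empty_entry() {
    case "$1" in
        "") return 1 ;;
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# The pattern from /usr/bin/mistelix line 8, written as a pure function.
vulnerable_value() {   # $1 = libdir, $2 = inherited LD_LIBRARY_PATH
    printf '%s\n' "$1/mistelix/:$2"
}

# Hardened form (assumption of this example): add a ':' only in front of
# a real item, and drop empty items already present in the inherited
# value so the script never hands ld.so an empty entry.
hardened_value() {     # $1 = libdir, $2 = inherited LD_LIBRARY_PATH
    out="$1/mistelix/"
    old_ifs=$IFS; IFS=:
    set -f                      # no globbing while splitting on ':'
    for item in $2; do
        if [ -n "$item" ]; then out="$out:$item"; fi
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Demo over constructed inherited values (unset/empty, clean, and '::').
libdir=/usr/lib
for inherited in "" "/opt/lib" "/opt/lib::/srv/lib"; do
    for fn in vulnerable_value hardened_value; do
        v=$($fn "$libdir" "$inherited")
        if has_empty_entry "$v"; then verdict="empty item"; else verdict="ok"; fi
        printf '%-16s inherited=%-20s -> %s (%s)\n' "$fn" "'$inherited'" "$v" "$verdict"
    done
done
```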




Reply sent to Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>:
You have taken responsibility. (Sun, 03 Oct 2010 09:51:12 GMT)

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 03 Oct 2010 09:51:12 GMT)

Message #10 received at 598297-close@bugs.debian.org:

From: Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>
To: 598297-close@bugs.debian.org
Subject: Bug#598297: fixed in mistelix 0.31-2
Date: Sun, 03 Oct 2010 09:47:07 +0000
Source: mistelix
Source-Version: 0.31-2

We believe that the bug you reported is fixed in the latest version of
mistelix, which is due to be installed in the Debian FTP archive:

mistelix_0.31-2.diff.gz
  to main/m/mistelix/mistelix_0.31-2.diff.gz
mistelix_0.31-2.dsc
  to main/m/mistelix/mistelix_0.31-2.dsc
mistelix_0.31-2_amd64.deb
  to main/m/mistelix/mistelix_0.31-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598297@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com> (supplier of updated mistelix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 29 Sep 2010 12:58:25 +0200
Source: mistelix
Binary: mistelix
Architecture: source amd64
Version: 0.31-2
Distribution: unstable
Urgency: high
Maintainer: Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>
Changed-By: Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>
Description: 
 mistelix   - DVD authoring and slideshow creation application
Closes: 598297
Changes: 
 mistelix (0.31-2) unstable; urgency=high
 .
   * Fix insecure LD_LIBRARY_PATH setting (Closes: #598297).
     CVE-2010-3365.





Information forwarded to debian-bugs-dist@lists.debian.org, Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>:
Bug#598297; Package mistelix. (Fri, 05 Nov 2010 06:48:03 GMT)

Acknowledgement sent to Jordi Mas <jmas@softcatala.org>:
Extra info received and forwarded to list. Copy sent to Siegfried-Angel Gevatter Pujals <rainct@ubuntu.com>. (Fri, 05 Nov 2010 06:48:03 GMT)

Message #15 received at 598297@bugs.debian.org:

From: Jordi Mas <jmas@softcatala.org>
To: 598297@bugs.debian.org
Subject: Additional variables set
Date: Fri, 05 Nov 2010 07:43:33 +0100

Thanks a lot for the bug report Raphael

We fixed this in upstream.

The question is if we have to do a similar patch for DYLD_LIBRARY_PATH or
other variables also set by this script:

http://git.gnome.org/browse/mistelix/tree/src/mistelix.in

Thanks,

Jordi Mas
jmas@softcatala.org




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Dec 2010 07:37:21 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:24:07 2014; Machine Name: beach.debian.org