Debian Bug report logs - #598299
mono-debugger: CVE-2010-3369: insecure library loading

version graph

Package: mono-debugger; Maintainer for mono-debugger is Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>;

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:56 UTC

Severity: grave

Tags: patch, security

Found in version mono-debugger/2.4.3-2

Fixed in version mono-debugger/2.6.3-2.1

Done: Jari Aalto <jari.aalto@cante.net>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.novell.com/show_bug.cgi?id=647353

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Tue, 28 Sep 2010 04:24:59 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Tue, 28 Sep 2010 04:24:59 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: mono-debugger: CVE-2010-3369: insecure library loading
Date: Tue, 28 Sep 2010 04:22:32 +0000
Package: mono-debugger
Version: 2.4.3-2
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/mdb-symbolreader line 2:
export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"
/usr/bin/mdb line 2:
export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3369. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3369
[1] http://security-tracker.debian.org/tracker/CVE-2010-3369

Sincerely,
Raphael Geissert




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Sat, 16 Oct 2010 14:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to jari.aalto@cante.net:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Sat, 16 Oct 2010 14:57:03 GMT) Full text and rfc822 format available.

Message #10 received at 598299@bugs.debian.org (full text, mbox):

From: jari.aalto@cante.net
To: 598299@bugs.debian.org
Subject: Bug#598299 mono-debugger: NMU diff for 2.6.3-2.1 (Intent to NMU)
Date: Sat, 16 Oct 2010 17:52:04 +0300
[Message part 1 (text/plain, inline)]
Dear maintainer,

Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598299.
See the debian/patches directory for the important fixes.

Please let me know if it's ok to proceed with NMU.

Thank you for maintaining the package,
Jari Aalto

[1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
[2] http://dep.debian.net/deps/dep1.html

lsdiff(1) of changes:

    mono-debugger-2.6.3/debian/changelog
    mono-debugger-2.6.3/build/mdb.in
    mono-debugger-2.6.3/build/mdb-symbolreader.in

[mono-debugger_2.6.3-2--2.6.3-2.1.deb.diff (text/x-diff, inline)]
diffstat for mono-debugger_2.6.3-2 mono-debugger_2.6.3-2.1

 build/mdb-symbolreader.in            |    2 +-
 build/mdb.in                         |    2 +-
 mono-debugger-2.6.3/debian/changelog |   11 +++++++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff -u mono-debugger-2.6.3/debian/changelog mono-debugger-2.6.3/debian/changelog
--- mono-debugger-2.6.3/debian/changelog
+++ mono-debugger-2.6.3/debian/changelog
@@ -1,3 +1,14 @@
+mono-debugger (2.6.3-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+    - Fix for CVE-2010-3369 (grave, security; Closes: #598299).
+  * build/mdb-symbolreader.in
+    - (LD_LIBRARY_PATH): Use only if non-empty.
+  * build/mdb.in
+    - (LD_LIBRARY_PATH): Use only if non-empty.
+
+ -- Jari Aalto <jari.aalto@cante.net>  Sat, 16 Oct 2010 17:46:16 +0300
+
 mono-debugger (2.6.3-2) unstable; urgency=low
 
   * Upload to Debian Unstable
only in patch2:
unchanged:
--- mono-debugger-2.6.3.orig/build/mdb.in
+++ mono-debugger-2.6.3/build/mdb.in
@@ -1,3 +1,3 @@
 #!/bin/sh
-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 exec @mono@ --debug @twodir@/mdb.exe $*
only in patch2:
unchanged:
--- mono-debugger-2.6.3.orig/build/mdb-symbolreader.in
+++ mono-debugger-2.6.3/build/mdb-symbolreader.in
@@ -1,3 +1,3 @@
 #!/bin/sh
-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 exec @mono@ --debug @twodir@/mdb-symbolreader.exe $*

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Sat, 16 Oct 2010 18:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Iain Lane <laney@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Sat, 16 Oct 2010 18:36:03 GMT) Full text and rfc822 format available.

Message #15 received at 598299@bugs.debian.org (full text, mbox):

From: Iain Lane <laney@ubuntu.com>
To: jari.aalto@cante.net, 598299@bugs.debian.org
Subject: Re: [pkg-mono-group] Bug#598299: mono-debugger: NMU diff for 2.6.3-2.1 (Intent to NMU)
Date: Sat, 16 Oct 2010 19:32:37 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Sat, Oct 16, 2010 at 05:52:04PM +0300, jari.aalto@cante.net wrote:
>
>Dear maintainer,
>
>Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598299.
>See the debian/patches directory for the important fixes.
>
>Please let me know if it's ok to proceed with NMU.

Thanks for the patch!

You can if you wish, but I intend(ed) to prepare maintainer uploads to
fix these bugs this weekend. I'll incorporate your patches (with
attribution, of course) into a maintainer upload then.

If I don't get to it for any reason then please proceed.

Cheers,
Iain
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Don Armstrong <don@donarmstrong.com> to control@bugs.debian.org. (Sat, 16 Oct 2010 18:45:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Mon, 18 Oct 2010 09:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 18 Oct 2010 09:54:06 GMT) Full text and rfc822 format available.

Message #22 received at 598299@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598299@bugs.debian.org
Cc: 598299-submitter@bugs.debian.org
Subject: Re: Bug#598299 mono-debugger: NMU diff for 2.6.3-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 12:51:18 +0300
>	@@ -1,3 +1,3 @@
>	 #!/bin/sh
>	-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
>	+export LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"

> [Iaian]
> You can if you wish, but I intend(ed) to prepare maintainer uploads to
> fix these bugs this weekend. I'll incorporate your patches (with
> attribution, of course) into a maintainer upload then.

Please hold. That patch does not cut it. See:

    (
        LD_LIBRARY_PATH="::"
        echo LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    )

    # => LD_LIBRARY_PATH=@libdir@:::

Jari




Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598299. (Mon, 18 Oct 2010 09:54:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Mon, 18 Oct 2010 10:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Iain Lane <laney@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 18 Oct 2010 10:15:06 GMT) Full text and rfc822 format available.

Message #30 received at 598299@bugs.debian.org (full text, mbox):

From: Iain Lane <laney@ubuntu.com>
To: Jari Aalto <jari.aalto@cante.net>, 598299@bugs.debian.org
Cc: 598299-submitter@bugs.debian.org
Subject: Re: Bug#598299: mono-debugger: NMU diff for 2.6.3-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 11:11:22 +0100
[Message part 1 (text/plain, inline)]
On Mon, Oct 18, 2010 at 12:51:18PM +0300, Jari Aalto wrote:
>
>>	@@ -1,3 +1,3 @@
>>	 #!/bin/sh
>>	-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
>>	+export LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
>
>> [Iaian]
>> You can if you wish, but I intend(ed) to prepare maintainer uploads to
>> fix these bugs this weekend. I'll incorporate your patches (with
>> attribution, of course) into a maintainer upload then.
>
>Please hold. That patch does not cut it. See:

OK, it seems like you care for and understand this issue much more
than anyone on the team, so please just upload when you are ready.

You can come to #debian-cli and fix directly in VCS too if you
wish. Please make sure upstream is aware of your fixes too.

Thanks,
Iain
[signature.asc (application/pgp-signature, inline)]

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598299. (Mon, 18 Oct 2010 10:15:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Mon, 18 Oct 2010 13:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 18 Oct 2010 13:36:03 GMT) Full text and rfc822 format available.

Message #38 received at 598299@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: control@bugs.debian.org, 598299@bugs.debian.org
Subject: Bug#598299 forwarded to upstream
Date: Mon, 18 Oct 2010 16:33:34 +0300
forwarded 598299 https://bugzilla.novell.com/show_bug.cgi?id=647353
thanks

Patch was sent along with the bug report to Mono bugzilla.




Set Bug forwarded-to-address to 'https://bugzilla.novell.com/show_bug.cgi?id=647353'. Request was from Jari Aalto <jari.aalto@cante.net> to control@bugs.debian.org. (Mon, 18 Oct 2010 13:36:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Mon, 18 Oct 2010 14:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 18 Oct 2010 14:39:03 GMT) Full text and rfc822 format available.

Message #45 received at 598299@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Jari Aalto <jari.aalto@cante.net>, 598299@bugs.debian.org
Cc: 598299-submitter@bugs.debian.org
Subject: Re: Bug#598299: mono-debugger: NMU diff for 2.6.3-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 16:37:51 +0200
[Message part 1 (text/plain, inline)]
On Mon, Oct 18, 2010 at 12:51:18 +0300, Jari Aalto wrote:

> 
> >	@@ -1,3 +1,3 @@
> >	 #!/bin/sh
> >	-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
> >	+export LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> 
> > [Iaian]
> > You can if you wish, but I intend(ed) to prepare maintainer uploads to
> > fix these bugs this weekend. I'll incorporate your patches (with
> > attribution, of course) into a maintainer upload then.
> 
> Please hold. That patch does not cut it. See:
> 
>     (
>         LD_LIBRARY_PATH="::"
>         echo LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
>     )
> 
>     # => LD_LIBRARY_PATH=@libdir@:::
> 
Wrong.  This example is broken.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598299. (Mon, 18 Oct 2010 14:39:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Mon, 18 Oct 2010 16:12:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Mon, 18 Oct 2010 16:12:13 GMT) Full text and rfc822 format available.

Message #53 received at 598299@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: control@bugs.debian.org, 598299@bugs.debian.org
Subject: Bug#598299 change of tags / pending
Date: Mon, 18 Oct 2010 19:11:40 +0300
tags 598299 + pending
thanks

Better fix is under way.




Added tag(s) pending. Request was from Jari Aalto <jari.aalto@cante.net> to control@bugs.debian.org. (Mon, 18 Oct 2010 16:12:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#598299; Package mono-debugger. (Thu, 21 Oct 2010 05:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Thu, 21 Oct 2010 05:39:03 GMT) Full text and rfc822 format available.

Message #60 received at 598299@bugs.debian.org (full text, mbox):

From: tony mancill <tmancill@debian.org>
To: 598299@bugs.debian.org
Subject: mono-debugger: diff for NMU version 2.6.3-2.1
Date: Wed, 20 Oct 2010 22:35:08 -0700
Dear maintainer,

I have sponsoned an upload of Jari Aalto's NMU for mono-debugger 
(versioned as 2.6.3-2.1) and uploaded it to DELAYED/3. Please feel 
free to tell me if I should delay it longer.

Regards,
tony mancill

diff -u mono-debugger-2.6.3/debian/changelog mono-debugger-2.6.3/debian/changelog
--- mono-debugger-2.6.3/debian/changelog
+++ mono-debugger-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+mono-debugger (2.6.3-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * debian/patches
+    - (CVE-*): New patch. Fix CVE-2010-3369 insecure library loading
+      (grave, security; Closes: #598299).
+
+ -- Jari Aalto <jari.aalto@cante.net>  Mon, 18 Oct 2010 13:01:07 +0300
+
 mono-debugger (2.6.3-2) unstable; urgency=low
 
   * Upload to Debian Unstable
diff -u mono-debugger-2.6.3/debian/patches/00list mono-debugger-2.6.3/debian/patches/00list
--- mono-debugger-2.6.3/debian/patches/00list
+++ mono-debugger-2.6.3/debian/patches/00list
@@ -2,0 +3 @@
+cve-2010-3369--bug598299
only in patch2:
unchanged:
--- mono-debugger-2.6.3.orig/debian/patches/cve-2010-3369--bug598299.dpatch
+++ mono-debugger-2.6.3/debian/patches/cve-2010-3369--bug598299.dpatch
@@ -0,0 +1,68 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## /tmp/CVE-2010-3369--bug598299.patch.dpatch by jaalto <jari.aalto@cante.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: 
+## DP: Author: Jari Aalto <jari.aalto@cante.net>
+## DP: 
+## DP: 
+## DP: 
+## DP:     
+## DP:     Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+
+@DPATCH@
+
+diff --git a/build/mdb-symbolreader.in b/build/mdb-symbolreader.in
+old mode 100644
+new mode 100755
+index 7138bd0..627c2c1
+--- a/build/mdb-symbolreader.in
++++ b/build/mdb-symbolreader.in
+@@ -1,3 +1,18 @@
+ #!/bin/sh
+-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
+-exec @mono@ --debug @twodir@/mdb-symbolreader.exe $*
++
++Pathclean ()
++{
++   # Vulnerability fix for insecure path content
++   # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++   local tmp
++   tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++   [ "$tmp" ] && echo "$tmp"
++}
++
++LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++LD_LIBRARY_PATH=$(Pathclean "$LD_LIBRARY_PATH")
++export LD_LIBRARY_PATH
++
++exec @mono@ --debug @twodir@/mdb-symbolreader.exe "$@"
+diff --git a/build/mdb.in b/build/mdb.in
+old mode 100644
+new mode 100755
+index 12da6c3..8546d0b
+--- a/build/mdb.in
++++ b/build/mdb.in
+@@ -1,3 +1,18 @@
+ #!/bin/sh
+-export LD_LIBRARY_PATH="@libdir@:${LD_LIBRARY_PATH}"
+-exec @mono@ --debug @twodir@/mdb.exe $*
++
++Pathclean ()
++{
++   # Vulnerability fix for insecure path content
++   # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++   local tmp
++   tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++   [ "$tmp" ] && echo "$tmp"
++}
++
++LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++LD_LIBRARY_PATH=$(Pathclean "$LD_LIBRARY_PATH")
++export LD_LIBRARY_PATH
++
++exec @mono@ --debug @twodir@/mdb.exe "$@"




Reply sent to Jari Aalto <jari.aalto@cante.net>:
You have taken responsibility. (Sun, 24 Oct 2010 06:06:04 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 24 Oct 2010 06:06:04 GMT) Full text and rfc822 format available.

Message #65 received at 598299-close@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598299-close@bugs.debian.org
Subject: Bug#598299: fixed in mono-debugger 2.6.3-2.1
Date: Sun, 24 Oct 2010 06:02:07 +0000
Source: mono-debugger
Source-Version: 2.6.3-2.1

We believe that the bug you reported is fixed in the latest version of
mono-debugger, which is due to be installed in the Debian FTP archive:

mono-debugger_2.6.3-2.1.diff.gz
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1.diff.gz
mono-debugger_2.6.3-2.1.dsc
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1.dsc
mono-debugger_2.6.3-2.1_i386.deb
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598299@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated mono-debugger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 Oct 2010 13:01:07 +0300
Source: mono-debugger
Binary: mono-debugger
Architecture: source i386
Version: 2.6.3-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description: 
 mono-debugger - Debugger for Mono
Closes: 598299
Changes: 
 mono-debugger (2.6.3-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/patches
     - (CVE-*): New patch. Fix CVE-2010-3369 insecure library loading
       (grave, security; Closes: #598299).
Checksums-Sha1: 
 8acbf5ae476fa1e921dfdf0217a85354f757f93e 2082 mono-debugger_2.6.3-2.1.dsc
 83a82b70be00e92a78058fce6398c5ac93121b2b 8839 mono-debugger_2.6.3-2.1.diff.gz
 26200db980fc663658d7c00b5c4c6474551dd473 1010598 mono-debugger_2.6.3-2.1_i386.deb
Checksums-Sha256: 
 48f1f5c0d7ca14522364a2ccd4ebee08a93a54a271ad5f6c8c87eaf3a1e8bf25 2082 mono-debugger_2.6.3-2.1.dsc
 7307b2146d1af0431b23f2a57cb0de074af22b94883b06b47f0876735814f8e1 8839 mono-debugger_2.6.3-2.1.diff.gz
 c8e6b738a2efa076dd852c1a5f42866be342a1345a8ce93281a4f290239b4b29 1010598 mono-debugger_2.6.3-2.1_i386.deb
Files: 
 059880a2c802443ec50290a2fb4e6f35 2082 devel optional mono-debugger_2.6.3-2.1.dsc
 60a8c6fbeededa6285fafa5a11d7c8b4 8839 devel optional mono-debugger_2.6.3-2.1.diff.gz
 a65ca42b8bde943a18da289407ee97ae 1010598 devel optional mono-debugger_2.6.3-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJMvG/ZAAoJECHSBYmXSz6WihUP/3rIFElJRls3PKy2a/08J38d
wPojs8SAfgwQ+L8y14/KUV04Rf8Ct3zvtMq0P9kLzc5cfnspFNVCBtTV2RXgnRjE
Nqz0Po1uZuy4ChBNkKqHu/0tByjh1vCBamSUMWowyV7rcCzJsJ9f4LwqUpaI5x8d
gnLGRC8q4zFbe5Bw4xvO/IarTlLDoABAiqXZVXF5AgNK9/n7VOUdIjSzEiDouGmJ
ElAFFX/eaxoJ0U3l0fCT5lfJxLDxmlxJzATQ+OC7O3ImZl00rH1c3t/zdepAD63b
dA40W1JyeE0qZMK1r8WkgZVPR81Li53L/SY1stVGWJqZaUPRxT0QGLMHpyqiyjKo
hiCGg5+IeGdzTVuYbPFpd/shE3WZKVsookuI9BCJpu4ALxSQW7Vkww0JUML/40oC
HU9U0oJ7GBlbIN0lI4n9L4ByqevnffUdj6l/eD8zLxqkYwqFbKnG85PkpDF1tfyP
6EQ3gAZctrh/c0+Zb3MSl8svdINClUswYz43aMIdaLz0IKBLge2kF1IA8Zfrnmd8
HMo3evXpGigXBjrLpSTZ46O+afDwsFiAuDditfrRzbVVQ4suWNgo1iv3ISAacpO3
PptN8yqRP7YkBoFed6YG5PmnUrirtHHsBGuAWvtCFECvxV2ffYT/ZnpX6rbBaQwd
s88j0pljT4TLwT2st/ko
=UJqd
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Nov 2010 07:33:55 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:30:15 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.