Debian Bug report logs - #598301
RM: qtparted -- RoQA; dead upstream, uses qt3, has alternative


Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:25:02 UTC

Severity: grave

Tags: patch, security

Found in version 0.4.5-9

Fixed in version 0.4.5-9+rm

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#598301; Package qtparted. (Tue, 28 Sep 2010 04:25:05 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 28 Sep 2010 04:25:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: qtparted: CVE-2010-3375: insecure library loading
Date: Tue, 28 Sep 2010 04:22:43 +0000
Package: qtparted
Version: 0.4.5-7
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/sbin/run_qtparted line 47:
export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3375. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3375
[1] http://security-tracker.debian.org/tracker/CVE-2010-3375

Sincerely,
Raphael Geissert
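The following is an added example, not the qtparted package's own run_qtparted script and not part of the report above. It shows the quoted LD_LIBRARY_PATH pattern next to a hardened form, plus a small audit helper that flags the empty element ld.so(8) treats as the current directory. The QTDIR value and the sample paths are constructed for the example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not code from qtparted or from the bug reporter.
# $QTDIR is assumed to be the Qt 3 install prefix (value constructed here).

# Vulnerable pattern, as quoted from run_qtparted line 47.
# If the existing LD_LIBRARY_PATH is unset or empty, the result ends in
# a trailing ':'; ld.so(8) reads that empty element as '.' (the CWD).
vulnerable_ld_path() {
    qtdir=$1
    existing=$2
    printf '%s\n' "$qtdir/lib:$existing"
}

# Hardened pattern: append the separator only when the existing value is
# non-empty. ${var:+word} expands to word only if var is set and non-empty,
# so an unset or empty LD_LIBRARY_PATH yields just "$qtdir/lib".
hardened_ld_path() {
    qtdir=$1
    existing=$2
    printf '%s\n' "$qtdir/lib${existing:+:$existing}"
}

# Audit helper for reviewing scripts or environments: returns 0 (true) if a
# colon-separated search path contains an empty element (leading, trailing
# or doubled colon). An entirely empty path is not flagged, because glibc
# ignores an empty LD_LIBRARY_PATH altogether.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Stand-alone demonstration with a constructed QTDIR and no pre-existing
# LD_LIBRARY_PATH, the situation in which the original line is unsafe.
QTDIR=/usr/share/qt3
before=$(vulnerable_ld_path "$QTDIR" "")
after=$(hardened_ld_path "$QTDIR" "")
printf 'vulnerable: %s\n' "$before"
printf 'hardened:   %s\n' "$after"
if has_empty_element "$before"; then
    echo "vulnerable value contains an empty element (CWD search)"
fi
if ! has_empty_element "$after"; then
    echo "hardened value has no empty element"
fi
```

The same ${var:+...} idiom applies to any colon-separated search variable that a wrapper script prepends to (PATH, LD_LIBRARY_PATH, PYTHONPATH and the like); the audit helper can be run over the value such a script exports to confirm the fix took effect.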




Added tag(s) patch. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 06:09:05 GMT)


Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Tue, 28 Sep 2010 07:42:09 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Tue, 28 Sep 2010 07:42:09 GMT)


Message #12 received at 598301-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 598301-close@bugs.debian.org
Subject: Bug#598301: fixed in qtparted 0.4.5-8
Date: Tue, 28 Sep 2010 07:32:18 +0000
Source: qtparted
Source-Version: 0.4.5-8

We believe that the bug you reported is fixed in the latest version of
qtparted, which is due to be installed in the Debian FTP archive:

qtparted_0.4.5-8.debian.tar.gz
  to main/q/qtparted/qtparted_0.4.5-8.debian.tar.gz
qtparted_0.4.5-8.dsc
  to main/q/qtparted/qtparted_0.4.5-8.dsc
qtparted_0.4.5-8_mipsel.deb
  to main/q/qtparted/qtparted_0.4.5-8_mipsel.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598301@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated qtparted package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 Sep 2010 16:10:55 +1000
Source: qtparted
Binary: qtparted
Architecture: source mipsel
Version: 0.4.5-8
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 qtparted   - A parted frontend using QT
Closes: 598301
Changes: 
 qtparted (0.4.5-8) unstable; urgency=high
 .
   * QA upload.
   * Fix CVE-2010-3375 insecure library loading
   * Closes: 598301
Checksums-Sha1: 
 b2b18e2ca2586f0821a9b87141725838ab9ce0ed 1862 qtparted_0.4.5-8.dsc
 53e854d4fe89792bcf4ef0e48f6b7bff11c97e51 303777 qtparted_0.4.5-8.debian.tar.gz
 c0165e709c78a91a1b5844c0a3fe3d1d2026ebda 218184 qtparted_0.4.5-8_mipsel.deb
Checksums-Sha256: 
 8d1283f0bde600f241ab282f764818ab556e25f07b9fe980c24dd652b94cbeff 1862 qtparted_0.4.5-8.dsc
 9a4fbedec08079404ad1c1bbc639560d4f30cd66559e3b22dfc822017b994c91 303777 qtparted_0.4.5-8.debian.tar.gz
 1ee0cdcdcb7fd067d6bde0001da91484213346b763f3f497b70a260ad2897863 218184 qtparted_0.4.5-8_mipsel.deb
Files: 
 67a9cd96ed037ea5d35e4dfb93600983 1862 x11 optional qtparted_0.4.5-8.dsc
 ba64e43366394b3d29c39e89ce95e2e4 303777 x11 optional qtparted_0.4.5-8.debian.tar.gz
 44bb27129b15ba0de3c37b515643e25a 218184 x11 optional qtparted_0.4.5-8_mipsel.deb






Changed Bug title to 'RM: qtparted -- RoQA; dead upstream, uses qt3, has alternative' from 'qtparted: CVE-2010-3375: insecure library loading'. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 11:33:03 GMT)


Bug reassigned from package 'qtparted' to 'ftp.debian.org'. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 11:33:03 GMT)


Bug no longer marked as found in versions qtparted/0.4.5-7. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 11:33:04 GMT)


Bug no longer marked as fixed in versions qtparted/0.4.5-8. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 11:33:05 GMT)


Bug marked as found in versions 0.4.5-9 and reopened. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 11:42:02 GMT)


Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Thu, 30 Sep 2010 08:51:27 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Thu, 30 Sep 2010 08:51:27 GMT)


Message #27 received at 598301-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 598301-done@bugs.debian.org, 482400-done@bugs.debian.org, 254208-done@bugs.debian.org, 359085-done@bugs.debian.org, 407098-done@bugs.debian.org, 311801-done@bugs.debian.org, 355217-done@bugs.debian.org, 399182-done@bugs.debian.org, 446384-done@bugs.debian.org, 467481-done@bugs.debian.org, 533431-done@bugs.debian.org, 427511-done@bugs.debian.org
Subject: Package got removed
Date: Thu, 30 Sep 2010 10:50:02 +0200
Version: 0.4.5-9+rm

Hi!

The package got removed, I therefore close these bugs.  See Bug #598301
for details on the removal.


Best Regards,
  Alexander




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Oct 2010 07:30:12 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 02:42:08 2025; Machine Name: buxtehude
