Debian Bug report logs - #598307
tuxguitar: CVE-2010-3385: insecure library loading

Package: tuxguitar; Maintainer for tuxguitar is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for tuxguitar is src:tuxguitar.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:25:22 UTC

Severity: grave

Tags: patch, security

Found in version tuxguitar/1.2-6

Fixed in version tuxguitar/1.2-7

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Philippe Coval <rzr@gna.org>:
Bug#598307; Package tuxguitar. (Tue, 28 Sep 2010 04:25:24 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Philippe Coval <rzr@gna.org>. (Tue, 28 Sep 2010 04:25:25 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: tuxguitar: CVE-2010-3385: insecure library loading
Date: Tue, 28 Sep 2010 04:23:16 +0000
Package: tuxguitar
Version: 1.2-6
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/tuxguitar line 129:
        export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3385. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3385
[1] http://security-tracker.debian.org/tracker/CVE-2010-3385

Sincerely,
Raphael Geissert
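The mechanism described in the report above, worked through in POSIX shell as an added example (this is not code from the bug report, from the attached patch, or from the tuxguitar package). The first function rebuilds the string the vulnerable export line produces for given inputs, the second counts the empty entries that ld.so reads as the current directory, and the last two show an append that never creates an empty entry and a filter that removes inherited ones. The function names and the sample directory /usr/lib/xulrunner are this example's own assumptions.

```shell
#!/bin/sh
# Added example for bug #598307 / CVE-2010-3385; not from the report or
# the tuxguitar package. Function names and the sample directory
# /usr/lib/xulrunner are this example's own assumptions.

# Rebuild the value the vulnerable line
#   export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"
# would produce. $1 = LD_LIBRARY_PATH as inherited, $2 = MOZILLA_FIVE_HOME.
# Pure string work: nothing is exported and no program is run with it.
vulnerable_value() {
    printf '%s' "$1:$2"
}

# Count the empty entries in a colon-separated search path. ld.so reads
# an empty entry (leading ':', trailing ':' or '::') as the current
# directory. A completely empty or unset variable contributes no entries.
count_empty_entries() {
    rest=$1
    n=0
    [ -z "$rest" ] && { echo 0; return 0; }
    while :; do
        case $rest in
            *:*)
                entry=${rest%%:*}
                rest=${rest#*:}
                [ -z "$entry" ] && n=$((n + 1))
                ;;
            *)
                # last entry; it is empty when the list ended in ':'
                [ -z "$rest" ] && n=$((n + 1))
                break
                ;;
        esac
    done
    echo "$n"
}

# Append a directory to a search path without ever producing an empty
# entry: skip an empty directory, and omit the ':' when the base is empty.
safe_append() {
    base=$1
    dir=$2
    if [ -z "$dir" ]; then
        printf '%s' "$base"
    elif [ -z "$base" ]; then
        printf '%s' "$dir"
    else
        printf '%s' "$base:$dir"
    fi
}

# Drop every empty entry from an inherited search path, so a wrapper
# script does not pass along a current-directory lookup it did not add.
strip_empty_entries() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   entry=$rest; rest= ;;
        esac
        [ -n "$entry" ] && out=${out:+$out:}$entry
    done
    printf '%s' "$out"
}

# Demonstration on constructed inputs: a user with no LD_LIBRARY_PATH set
# and MOZILLA_FIVE_HOME pointing at /usr/lib/xulrunner.
v=$(vulnerable_value "" /usr/lib/xulrunner)
printf 'vulnerable line: "%s" -> %s empty entries\n' "$v" "$(count_empty_entries "$v")"
s=$(safe_append "" /usr/lib/xulrunner)
printf 'safe append:     "%s" -> %s empty entries\n' "$s" "$(count_empty_entries "$s")"
printf 'strip "a::b:":   "%s"\n' "$(strip_empty_entries 'a::b:')"
```

With LD_LIBRARY_PATH unset the vulnerable line yields ":/usr/lib/xulrunner", one empty entry; with both variables unset it yields ":", two. safe_append on the same inputs yields "/usr/lib/xulrunner" or the empty string, neither of which adds a current-directory lookup. A wrapper that wants to be robust against an already-polluted environment can run strip_empty_entries on the inherited value before appending.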




Information forwarded to debian-bugs-dist@lists.debian.org, Philippe Coval <rzr@gna.org>:
Bug#598307; Package tuxguitar. (Tue, 12 Oct 2010 09:15:30 GMT)

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Philippe Coval <rzr@gna.org>. (Tue, 12 Oct 2010 09:15:30 GMT)

Message #10 received at 598307@bugs.debian.org:

From: Etienne Millon <etienne.millon@gmail.com>
To: 598307@bugs.debian.org
Subject: Patch for CVE-2010-3385
Date: Tue, 12 Oct 2010 11:07:21 +0200
Dear maintainer,

Here is a patch that fixes this issue.

Regards,

-- 
Etienne Millon
[CVE-2010-3385.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Etienne Millon <etienne.millon@gmail.com> to control@bugs.debian.org. (Tue, 12 Oct 2010 09:15:33 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Philippe Coval <rzr@gna.org>:
Bug#598307; Package tuxguitar. (Tue, 12 Oct 2010 13:27:03 GMT)

Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Philippe Coval <rzr@gna.org>. (Tue, 12 Oct 2010 13:27:03 GMT)

Message #17 received at 598307@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Etienne Millon <etienne.millon@gmail.com>, 598307@bugs.debian.org
Subject: Re: Bug#598307: Patch for CVE-2010-3385
Date: Tue, 12 Oct 2010 06:23:07 -0700
On 10/12/2010 02:07 AM, Etienne Millon wrote:
> Dear maintainer,
> 
> Here is a patch that fixes this issue.
> 
> Regards,
> 

Hello Etienne Millon,

Thank you for the patch.  I will apply it and start preparing an upload
(after some testing).

Regards,
Tony

[signature.asc (application/pgp-signature, attachment)]

Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Wed, 13 Oct 2010 05:21:03 GMT)

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 13 Oct 2010 05:21:03 GMT)

Message #22 received at 598307-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 598307-close@bugs.debian.org
Subject: Bug#598307: fixed in tuxguitar 1.2-7
Date: Wed, 13 Oct 2010 05:17:22 +0000
Source: tuxguitar
Source-Version: 1.2-7

We believe that the bug you reported is fixed in the latest version of
tuxguitar, which is due to be installed in the Debian FTP archive:

tuxguitar-alsa_1.2-7_i386.deb
  to main/t/tuxguitar/tuxguitar-alsa_1.2-7_i386.deb
tuxguitar-fluidsynth_1.2-7_i386.deb
  to main/t/tuxguitar/tuxguitar-fluidsynth_1.2-7_i386.deb
tuxguitar-jack_1.2-7_i386.deb
  to main/t/tuxguitar/tuxguitar-jack_1.2-7_i386.deb
tuxguitar-jsa_1.2-7_all.deb
  to main/t/tuxguitar/tuxguitar-jsa_1.2-7_all.deb
tuxguitar-oss_1.2-7_i386.deb
  to main/t/tuxguitar/tuxguitar-oss_1.2-7_i386.deb
tuxguitar_1.2-7.debian.tar.gz
  to main/t/tuxguitar/tuxguitar_1.2-7.debian.tar.gz
tuxguitar_1.2-7.dsc
  to main/t/tuxguitar/tuxguitar_1.2-7.dsc
tuxguitar_1.2-7_all.deb
  to main/t/tuxguitar/tuxguitar_1.2-7_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated tuxguitar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Oct 2010 06:32:31 -0700
Source: tuxguitar
Binary: tuxguitar tuxguitar-jsa tuxguitar-alsa tuxguitar-oss tuxguitar-fluidsynth tuxguitar-jack
Architecture: source i386 all
Version: 1.2-7
Distribution: unstable
Urgency: medium
Maintainer: Philippe Coval <rzr@gna.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 tuxguitar  - Multitrack guitar tablature editor and player (gp3 to gp5)
 tuxguitar-alsa - tuxguitar plugin for sound playback using ALSA
 tuxguitar-fluidsynth - tuxguitar plugin for sound playback using fluidsynth
 tuxguitar-jack - tuxguitar plugin for sound playback using JACKD
 tuxguitar-jsa - tuxguitar plugin for sound playback using Java Sound API
 tuxguitar-oss - tuxguitar plugin for sound playback using OSS
Closes: 598307
Changes: 
 tuxguitar (1.2-7) unstable; urgency=medium
 .
   * Apply patch for CVE-2010-3385 (Closes: #598307)
     Thanks to Etienne Millon
Checksums-Sha1: 
 affb3255eaf87ed7094a353e32f1fc4b54b87a2c 2043 tuxguitar_1.2-7.dsc
 4c3f18c0fb5c2859ff2665f75140f0a56548eb94 9676 tuxguitar_1.2-7.debian.tar.gz
 0eb6da221740907f7aaa7d40d62305b6d8af2d06 12362 tuxguitar-alsa_1.2-7_i386.deb
 254563202d92362ac53e3799d5c90390e2c5c349 15512 tuxguitar-oss_1.2-7_i386.deb
 4e9590a6724674d7e4afaa4cd5db434c1c3cf409 26404 tuxguitar-fluidsynth_1.2-7_i386.deb
 576c8e2fdd5d412dbfb64ad6a2ffb397d0311f0f 35612 tuxguitar-jack_1.2-7_i386.deb
 dd6542adc9af81b58bf2483bf537eb7f1e77e836 3217462 tuxguitar_1.2-7_all.deb
 8b968898b5df5410a885cfbc291042177a668f27 36088 tuxguitar-jsa_1.2-7_all.deb
Checksums-Sha256: 
 264f5299491629b616a21dfa33d9ee6d89f590d9a4ea9f6721dfc19459c394ea 2043 tuxguitar_1.2-7.dsc
 03065430d20bd255e1158de92922552fa060da339174100cfc0e75c1fe2d6abc 9676 tuxguitar_1.2-7.debian.tar.gz
 4a93b7ed6452bdb3c54ab3bab758849a15593bc8c31dfd546769d56cf8ff26be 12362 tuxguitar-alsa_1.2-7_i386.deb
 f53778fabb148b896a41f9356e2f053a19febffa43c67e5617132a23ca34b4b5 15512 tuxguitar-oss_1.2-7_i386.deb
 a007c3de2717d41dda563af50b9e53678bcc370aa2fd272e49634c3b82f7e77f 26404 tuxguitar-fluidsynth_1.2-7_i386.deb
 075d077190e0ebd8a9e8ce48abdb1f59a041dfde51aba6aeb3b4860867ef3a31 35612 tuxguitar-jack_1.2-7_i386.deb
 63cb879ed0c82db11930684ae497600f99cec6163fe89197b292aa886180f992 3217462 tuxguitar_1.2-7_all.deb
 bbc2772fb53491e2eb98df300a10dc4730bf23c4accfa417e9b33e2bc20e3080 36088 tuxguitar-jsa_1.2-7_all.deb
Files: 
 5304741533688acb43b98984b94e9f5e 2043 sound optional tuxguitar_1.2-7.dsc
 cf4419c719b6c6c368c1683f9fefdb70 9676 sound optional tuxguitar_1.2-7.debian.tar.gz
 04c36271c0ab04eaced73d9ed91d3fe9 12362 sound optional tuxguitar-alsa_1.2-7_i386.deb
 524c5f094760bf539ddd8be48facbe39 15512 sound extra tuxguitar-oss_1.2-7_i386.deb
 daf3aac5872a6972d51f8dfeea191807 26404 sound extra tuxguitar-fluidsynth_1.2-7_i386.deb
 24dfb759f76e3a1779023c164a0d58bb 35612 sound extra tuxguitar-jack_1.2-7_i386.deb
 4a647f3fce8e5cd67d0b65b92adfbe8f 3217462 sound optional tuxguitar_1.2-7_all.deb
 e2f74c463501a9f5e261087ac6f866cd 36088 sound optional tuxguitar-jsa_1.2-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJMtTv/AAoJECHSBYmXSz6W+YUP/j2BS8t3McVVdopsxudZFfDz
FhErTCozPZfsZJdqRbtZy8qj1joG4/Z8ahjVi8LevlezhgVomGLJXfn+1FM28eXr
Y0zu+7cOCSEOUQN9ZSPm7CshzBmXvdj9Ay6NmJtggbf8IeoHcNfzqlphtUGp7ls5
ErfEbIXD5wAM5350EPS1UN0jbT+SpywXd2w1J9Ah2DP1O+MbxOUX15mhaF9k5oWm
E5txp/rU1QBYup0zaKrMAqk67yJ6WIGYBFe3bMYaJH9YtSqmrBhILyjMyHKdOepl
nTiUxUqvi4yoV3R7A16x28r8t3vxixqnHphcz5xbhfh2B97oZSS9/VDY/V91pRWL
qN2mGQKYasYDUyXTYZAM1JAkvyvCu6tjjWMulp/s7IZeMUwiS3T/Sdv3JJoAwzvy
L5IPJ0lrRBBRoNEqQFf2onsQ18GcLTIq+FYXIDrR9GpMEswZeSygiUnQBiSSuwTO
cys2AiwzfBOXUaxgVjWyWximDTwoTi83n0+ay+QZ4RsJitVPS62IHVElPl8o+k0U
OAM509AwdlUxIoIOMjpcmrDwabCKL2hFfoRBfyXjsJDhXN5lRENYKKX+BDAY9lVy
47zQ/3PHFkd1wCHUnTGGqRQfFZ+YZ458lGZ3h6avagAhHgREjFscbKsyD9OJW9fw
FOH8DNHMcHN7RXtW1UxE
=y2TC
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Nov 2010 07:30:32 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 17:08:38 2014; Machine Name: beach.debian.org
