Debian Bug report logs - #598309
ust-bin: CVE-2010-3386: insecure library loading

Package: ust-bin; Maintainer for ust-bin is Jon Bernard <jbernard@debian.org>; Source for ust-bin is src:ust.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:25:28 UTC

Severity: grave

Tags: security

Found in version ust/0.7-1

Fixed in versions ust/0.7-2.1, ust/0.5-1+squeeze1

Done: Jon Bernard <jbernard@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Tue, 28 Sep 2010 04:25:31 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Jon Bernard <jbernard@debian.org>. (Tue, 28 Sep 2010 04:25:31 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: ust-bin: CVE-2010-3386: insecure library loading
Date: Tue, 28 Sep 2010 04:23:22 +0000
Package: ust-bin
Version: 0.7-1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/usttrace line 136:
	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
/usr/bin/usttrace line 144:
	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
[1] http://security-tracker.debian.org/tracker/CVE-2010-3386

Sincerely,
Raphael Geissert




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 11 Oct 2010 16:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 11 Oct 2010 16:03:08 GMT) Full text and rfc822 format available.

Message #10 received at 598309@bugs.debian.org (full text, mbox):

From: Etienne Millon <etienne.millon@gmail.com>
To: 598309@bugs.debian.org
Subject: Fix for CVE-2010-3386
Date: Mon, 11 Oct 2010 18:00:14 +0200
[Message part 1 (text/plain, inline)]
Dear maintainer,

Here is a patch that fixes this issue.

Regards,

-- 
Etienne Millon
[CVE-2010-3386.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 18 Oct 2010 16:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to jari.aalto@cante.net:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 18 Oct 2010 16:06:03 GMT) Full text and rfc822 format available.

Message #15 received at 598309@bugs.debian.org (full text, mbox):

From: jari.aalto@cante.net
To: 598309@bugs.debian.org
Subject: Bug#598309 ust: NMU diff for 0.7-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 19:02:39 +0300
[Message part 1 (text/plain, inline)]
Dear maintainer,

Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598309.
See the debian/patches directory for the important fixes.

Please let me know if it's ok to proceed with the NMU.

Thank you for maintaining the package,
Jari Aalto

[1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
[2] http://dep.debian.net/deps/dep1.html

lsdiff(1) of changes:

    ust-0.7/debian/changelog
    ust-0.7/debian/patches/CVE-2010-3386--bug598309.patch
    ust-0.7/debian/patches/series

[ust_0.7-2--0.7-2.1.deb.diff (text/x-diff, inline)]
diffstat for ust-0.7 ust-0.7

 changelog                              |   10 +++++
 patches/CVE-2010-3386--bug598309.patch |   60 +++++++++++++++++++++++++++++++++
 patches/series                         |    2 -
 3 files changed, 71 insertions(+), 1 deletion(-)

diff -Nru ust-0.7/debian/changelog ust-0.7/debian/changelog
--- ust-0.7/debian/changelog	2010-09-27 11:28:16.000000000 +0300
+++ ust-0.7/debian/changelog	2010-10-18 18:55:42.000000000 +0300
@@ -1,3 +1,13 @@
+ust (0.7-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches
+    - (CVE-2010-3386--bug598309): New. Fix LD_LIBRARY_PATH. Initial patch
+      idea thanks to Etienne Millon <etienne.millon@gmail.com> (grave,
+      security; Closes: #598309).
+
+ -- Jari Aalto <jari.aalto@cante.net>  Mon, 18 Oct 2010 18:55:42 +0300
+
 ust (0.7-2) unstable; urgency=low
 
   * [7d6a5c] Remove sparc and alpha from supported architectures
diff -Nru ust-0.7/debian/patches/CVE-2010-3386--bug598309.patch ust-0.7/debian/patches/CVE-2010-3386--bug598309.patch
--- ust-0.7/debian/patches/CVE-2010-3386--bug598309.patch	1970-01-01 02:00:00.000000000 +0200
+++ ust-0.7/debian/patches/CVE-2010-3386--bug598309.patch	2010-10-18 18:54:03.000000000 +0300
@@ -0,0 +1,60 @@
+From deaf85d7aa5f074ba18bfe5deb5605dfa22bf772 Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 18:35:58 +0300
+Subject: [PATCH] CVE-2010-3386 insecure library loading Bug#598309
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ usttrace |   18 ++++++++++++++++--
+ 1 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/usttrace b/usttrace
+index dc159f2..7e0f7bc 100755
+--- a/usttrace
++++ b/usttrace
+@@ -3,6 +3,16 @@
+ # usttrace  by Pierre-Marc Fournier 2009
+ # Distributed under the GPLv2.
+ 
++pathclean() {
++   # Vulnerability fix for insecure path content
++   # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++   local tmp
++   tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++   [ "$tmp" ] && echo "$tmp"
++}
++
+ function error() {
+ 	echo "$0: error: $1" 2>/dev/stderr
+ }
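
Review bot: In pathclean(), the first sed expression 's/::\+//' deletes a run of colons outright instead of collapsing it to a single separator, so a value such as /a::/b comes out as /a/b, a directory that was never in the list. It also has no g flag, so only the first run is touched, and \+ in a basic regular expression is a GNU sed extension. Suggest 's/::\+/:/g' (or 's/:\{2,\}/:/g' for portability), keeping the two anchored expressions after it so a leftover leading or trailing colon is still stripped. Separately, [ "$tmp" ] && echo "$tmp" makes the function return non-zero when the result is empty, which matters if the script is ever run under set -e.
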
+@@ -133,7 +143,9 @@ fi
+     if [ "$arg_preload_libust" = "1" ];
+     then
+ 	if [ -n "${LIBUST_PATH%libust.so}" ] ; then
+-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
++	    LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}${LIBUST_PATH%libust.so}"
++	    LD_LIBRARY_PATH=$(pathclean "$LD_LIBRARY_PATH")
++	    export LD_LIBRARY_PATH
+ 	fi
+ 	export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
+     fi
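
Review bot: The added LD_LIBRARY_PATH=$(pathclean "$LD_LIBRARY_PATH") line rewrites the whole variable, including whatever the caller had set before usttrace ran, while the ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:} expansion on the line above it already avoids introducing an empty element when the variable is unset or empty (this branch is guarded by the -n test on ${LIBUST_PATH%libust.so}, so the appended part is non-empty). Suggest dropping the pathclean call here, so the script only stops adding an empty entry of its own and leaves the user's existing value as it was.
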
+@@ -141,7 +153,9 @@ fi
+     if [ "$arg_ld_std_ust" = "1" ];
+     then
+ 	if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
+-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
++	    LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}${LIBUST_PATH%libust.so}"
++	    LD_LIBRARY_PATH=$(pathclean "$LD_LIBRARY_PATH")
++	    export LD_LIBRARY_PATH
+ 	fi
+     fi
+ 
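
Review bot: The guard in this hunk's context reads [ -n "$${LIBUST_PATH%libust.so}" ]; $$ expands to the shell's PID followed by the literal text, so the test is always true, unlike the matching guard in the arg_preload_libust branch. When the directory part is empty the new assignment produces a value ending in ":" and only the pathclean call removes it again. Suggest correcting the guard to "${LIBUST_PATH%libust.so}" in the same patch, so the append is skipped when there is nothing to add.
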
+-- 
+1.7.1
+
diff -Nru ust-0.7/debian/patches/series ust-0.7/debian/patches/series
--- ust-0.7/debian/patches/series	2010-09-27 11:28:16.000000000 +0300
+++ ust-0.7/debian/patches/series	2010-10-18 18:49:26.000000000 +0300
@@ -1 +1 @@
-info-dir-section.diff
+CVE-2010-3386--bug598309.patch
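
Review bot: This hunk replaces the only line of debian/patches/series, so info-dir-section.diff is no longer applied once CVE-2010-3386--bug598309.patch is listed, and the changelog entry in this diff does not mention dropping it. If that is not intended, keep the existing line and add the new patch name on a second line after it.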

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598309; Package ust-bin. (Mon, 18 Oct 2010 16:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Bernard <jbernard@debian.org>:
Extra info received and forwarded to list. (Mon, 18 Oct 2010 16:51:03 GMT) Full text and rfc822 format available.

Message #20 received at 598309@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: jari.aalto@cante.net, 598309@bugs.debian.org
Subject: Re: Bug#598309: ust: NMU diff for 0.7-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 12:43:39 -0400
* jari.aalto@cante.net <jari.aalto@cante.net> wrote:
> 
> Dear maintainer,
> 
> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598309.
> See the debian/patches directory for the important fixes.

Excellent, thank you.

> Please let me know if it's ok to proceed with the NMU.

Yes, please do so. Upstream has already fixed this, I expect a new
release very soon, but this is a fine solution in the meantime.

-- 
Jon




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 18 Oct 2010 18:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 18 Oct 2010 18:48:03 GMT) Full text and rfc822 format available.

Message #25 received at 598309@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: jari.aalto@cante.net, 598309@bugs.debian.org
Subject: Re: Bug#598309: ust: NMU diff for 0.7-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 19:44:50 +0100
On Mon, 2010-10-18 at 19:02 +0300, jari.aalto@cante.net wrote:
> Dear maintainer,
> 
> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598309.
> See the debian/patches directory for the important fixes.
[...]
> diff -Nru ust-0.7/debian/patches/series ust-0.7/debian/patches/series
> --- ust-0.7/debian/patches/series	2010-09-27 11:28:16.000000000 +0300
> +++ ust-0.7/debian/patches/series	2010-10-18 18:49:26.000000000 +0300
> @@ -1 +1 @@
> -info-dir-section.diff
> +CVE-2010-3386--bug598309.patch

Why is info-dir-section.diff no longer being applied?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 18 Oct 2010 19:15:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 18 Oct 2010 19:15:09 GMT) Full text and rfc822 format available.

Message #30 received at 598309@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: jari.aalto@cante.net, 598309@bugs.debian.org
Subject: Re: Bug#598309: ust: NMU diff for 0.7-2.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 21:12:30 +0200
[Message part 1 (text/plain, inline)]
On Mon, Oct 18, 2010 at 19:02:39 +0300, jari.aalto@cante.net wrote:

> +diff --git a/usttrace b/usttrace
> +index dc159f2..7e0f7bc 100755
> +--- a/usttrace
> ++++ b/usttrace
> +@@ -3,6 +3,16 @@
> + # usttrace  by Pierre-Marc Fournier 2009
> + # Distributed under the GPLv2.
> + 
> ++pathclean() {
> ++   # Vulnerability fix for insecure path content
> ++   # Make sure "::", "^:" or ":$" is not left in path arg $1
> ++
> ++   local tmp
> ++   tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
> ++
> ++   [ "$tmp" ] && echo "$tmp"
> ++}
> ++

Please stop introducing that kind of stuff.  This is NOT FIXING
ANYTHING.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 18 Oct 2010 19:24:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 18 Oct 2010 19:24:10 GMT) Full text and rfc822 format available.

Message #35 received at 598309@bugs.debian.org (full text, mbox):

From: Etienne Millon <etienne.millon@gmail.com>
To: jari.aalto@cante.net, 598305@bugs.debian.org
Cc: 598309@bugs.debian.org, 598286@bugs.debian.org
Subject: Re: Bug#598305: teamspeak-server: NMU diff for 2.0.24.1+debian-1.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 21:21:31 +0200
[Message part 1 (text/plain, inline)]
(CC'ed to #598309 and #598286)

Hello,

> +   # Make sure "::", "^:" or ":$" is not left in path arg $1

Thanks for this extra check. However, I am not sure that it is the
correct way to fix this one. I believe that the bug report means: "do
not add '.' to LD_LIBRARY_PATH, *unless it was there before*". If a
user has explicitly included it, he will expect it not to be silently
cleaned.

Regards

-- 
Etienne Millon
[signature.asc (application/pgp-signature, inline)]
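
The empty-element behaviour described in the original report, and the "unless it was there before" criterion from the message above, as an added shell example. It is not code from usttrace or from any message in this log; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: function names and sample values are constructed,
# none of this is taken from usttrace.

# count_cwd_entries LIST
# Print how many elements of a colon-separated search path point at the
# current directory: an empty element (leading, trailing or doubled colon),
# which the report says ld.so treats as '.', or a literal ".".
# An empty LIST has no elements and yields 0.
count_cwd_entries() {
    cce_n=0
    if [ -n "$1" ]; then
        # Sentinel colon so a trailing empty element is still visited.
        cce_rest="$1:"
        while [ -n "$cce_rest" ]; do
            cce_elem=${cce_rest%%:*}    # first element
            cce_rest=${cce_rest#*:}     # everything after the first colon
            case "$cce_elem" in
                ''|.) cce_n=$((cce_n + 1)) ;;
            esac
        done
    fi
    echo "$cce_n"
}

# append_unsafe CURRENT DIR
# The pattern from the report: unconditional "$CURRENT:$DIR". An empty
# CURRENT yields a leading colon, an empty DIR a trailing one.
append_unsafe() {
    printf '%s\n' "$1:$2"
}

# append_safe CURRENT DIR
# Emit the separator only when CURRENT is non-empty and skip an empty DIR,
# so the append itself never creates an empty element. CURRENT is passed
# through unchanged, including any "." the user put there deliberately.
append_safe() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${1:+$1:}$2"
    fi
}

# introduces_cwd BEFORE AFTER
# Succeed when AFTER has more current-directory elements than BEFORE,
# i.e. the modification added one that was not there before.
introduces_cwd() {
    [ "$(count_cwd_entries "$2")" -gt "$(count_cwd_entries "$1")" ]
}

demo() {
    demo_libust=/usr/lib/libust.so          # constructed sample value
    demo_dir=${demo_libust%libust.so}       # same expansion usttrace uses
    for demo_cur in "" "/opt/lib" ".:/opt/lib"; do   # constructed inputs
        demo_u=$(append_unsafe "$demo_cur" "$demo_dir")
        demo_s=$(append_safe "$demo_cur" "$demo_dir")
        printf 'before=[%s]\n' "$demo_cur"
        printf '  unsafe=[%s] cwd entries=%s\n' \
            "$demo_u" "$(count_cwd_entries "$demo_u")"
        printf '  safe  =[%s] cwd entries=%s\n' \
            "$demo_s" "$(count_cwd_entries "$demo_s")"
    done
}

demo
```
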

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Wed, 20 Oct 2010 06:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Wed, 20 Oct 2010 06:03:03 GMT) Full text and rfc822 format available.

Message #40 received at 598309@bugs.debian.org (full text, mbox):

From: tony mancill <tmancill@debian.org>
To: 598309@bugs.debian.org
Subject: sponsored NMU uploaded to delayed/2
Date: Tue, 19 Oct 2010 22:58:28 -0700
[Message part 1 (text/plain, inline)]
Notification that an NMU addressing this bug has been uploaded to
delayed/2.  Please contact me if there is a pending maintainer upload
and the NMU should be removed from the queue.

Thank you,
tony

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Jari Aalto <jari.aalto@cante.net>:
You have taken responsibility. (Fri, 22 Oct 2010 06:21:12 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Fri, 22 Oct 2010 06:21:12 GMT) Full text and rfc822 format available.

Message #45 received at 598309-close@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598309-close@bugs.debian.org
Subject: Bug#598309: fixed in ust 0.7-2.1
Date: Fri, 22 Oct 2010 06:17:16 +0000
Source: ust
Source-Version: 0.7-2.1

We believe that the bug you reported is fixed in the latest version of
ust, which is due to be installed in the Debian FTP archive:

libust-dev_0.7-2.1_i386.deb
  to main/u/ust/libust-dev_0.7-2.1_i386.deb
libust0_0.7-2.1_i386.deb
  to main/u/ust/libust0_0.7-2.1_i386.deb
ust-bin_0.7-2.1_i386.deb
  to main/u/ust/ust-bin_0.7-2.1_i386.deb
ust_0.7-2.1.debian.tar.gz
  to main/u/ust/ust_0.7-2.1.debian.tar.gz
ust_0.7-2.1.dsc
  to main/u/ust/ust_0.7-2.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598309@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated ust package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 Oct 2010 18:55:42 +0300
Source: ust
Binary: libust0 libust-dev ust-bin
Architecture: source i386
Version: 0.7-2.1
Distribution: unstable
Urgency: high
Maintainer: Jon Bernard <jbernard@debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description: 
 libust-dev - LTTng Userspace Tracer (development)
 libust0    - LTTng Userspace Tracer (runtime)
 ust-bin    - LTTng Userspace Tracer (utilities)
Closes: 598309
Changes: 
 ust (0.7-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches
     - (CVE-2010-3386--bug598309): New. Fix LD_LIBRARY_PATH. Initial patch
       idea thanks to Etienne Millon <etienne.millon@gmail.com> (grave,
       security; Closes: #598309).






Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Sat, 23 Oct 2010 13:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Sat, 23 Oct 2010 13:48:03 GMT) Full text and rfc822 format available.

Message #50 received at 598309@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: tony mancill <tmancill@debian.org>, 598309@bugs.debian.org
Subject: Re: Bug#598309: sponsored NMU uploaded to delayed/2
Date: Sat, 23 Oct 2010 15:45:24 +0200
[Message part 1 (text/plain, inline)]
On Tue, Oct 19, 2010 at 22:58:28 -0700, tony mancill wrote:

> Notification that an NMU addressing this bug has been uploaded to
> delayed/2.  Please contact me if there is a pending maintainer upload
> and the NMU should be removed from the queue.
> 
Please don't sponsor NMUs without reading the bug log and the patch.
Thanks in advance.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Sat, 23 Oct 2010 16:45:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Sat, 23 Oct 2010 16:45:07 GMT) Full text and rfc822 format available.

Message #55 received at 598309@bugs.debian.org (full text, mbox):

From: tony mancill <tmancill@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 598309@bugs.debian.org, jari.aalto@cante.net
Subject: Re: Bug#598309: sponsored NMU uploaded to delayed/2
Date: Sat, 23 Oct 2010 09:40:22 -0700
[Message part 1 (text/plain, inline)]
On 10/23/2010 06:45 AM, Julien Cristau wrote:
> On Tue, Oct 19, 2010 at 22:58:28 -0700, tony mancill wrote:
> 
>> Notification that an NMU addressing this bug has been uploaded to
>> delayed/2.  Please contact me if there is a pending maintainer upload
>> and the NMU should be removed from the queue.
>>
> Please don't sponsor NMUs without reading the bug log and the patch.
> Thanks in advance.
> 
> Cheers,
> Julien

Hi Julien,

I did read the bug log and the patch.  First, there are updates to the bug
report *after* Jon acknowledged the NMU would be okay.  You seem to expect the
NMU operation to be completely atomic with respect to the bug report.  However,
the notification of the NMU being uploaded to delayed was sent on the 19th, so
there was plenty of time for you to respond before the package entered the
archive.  I welcome your feedback, but there's nothing to prevent you from
preparing a subsequent NMU, nor was there anything preventing you from indicating
that the NMU should be pulled from the queue.

Thank you,
Tony

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Tue, 02 Nov 2010 18:12:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Tue, 02 Nov 2010 18:12:08 GMT) Full text and rfc822 format available.

Message #60 received at 598309@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: jbernard@debian.org
Cc: Julien Cristau <jcristau@debian.org>, 598309@bugs.debian.org, jari.aalto@cante.net
Subject: Re: Bug#598309: sponsored NMU uploaded to delayed/2
Date: Tue, 2 Nov 2010 19:09:14 +0100
On Sat, Oct 23, 2010 at 09:40:22AM -0700, tony mancill wrote:
> On 10/23/2010 06:45 AM, Julien Cristau wrote:
> > On Tue, Oct 19, 2010 at 22:58:28 -0700, tony mancill wrote:
> > 
> >> Notification that an NMU addressing this bug has been uploaded to
> >> delayed/2.  Please contact me if there is a pending maintainer upload
> >> and the NMU should be removed from the queue.
> >>
> > Please don't sponsor NMUs without reading the bug log and the patch.
> > Thanks in advance.
> > 
> > Cheers,
> > Julien
> 
> Hi Julien,
> 
> I did read the bug log and the patch.  First, there are updates to the bug
> report *after* Jon acknowledged the NMU would be okay.  You seem to expect the
> NMU operation to be completely atomic with respect to the bug report.  However,
> the notification of the NMU being uploaded to delayed was sent on the 19th, so
> there was plenty of time for you to respond before the package entered the
> archive.  I welcome your feedback, but there's nothing to prevent you from
> preparing a subsequent NMU, nor was there anything preventing you from indicating
> that the NMU should be pulled from the queue.

Jon,
So far this has only been fixed in unstable, but we also need a
targeted fix for testing/Squeeze, see the mail below from a release
manager.

Cheers,
        Moritz

--------------------------------------------------------------------
Newsgroups: linux.debian.devel.release
From: Julien Cristau 
Date: Sat, 23 Oct 2010 15:20:01 +0200
Subject: Re: Security unblock requests

On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> More unblock requests:
> ust/0.7-2.1 -> CVE-2010-3386

 52 files changed, 3116 insertions(+), 1232 deletions(-)
 
 I'd prefer a targeted tpu fix rather than a new upstream.
--------------------------------------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Tue, 02 Nov 2010 23:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Tue, 02 Nov 2010 23:09:06 GMT) Full text and rfc822 format available.

Message #65 received at 598309@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
Cc: 598309@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Security unblock requests (ust/0.7-2.1)
Date: Wed, 03 Nov 2010 01:06:24 +0200
The following message is a courtesy copy of an article
that has been posted to gmane.linux.debian.devel.release as well.

> Julien Cristau <jcristau@debian.org> writes:
| Newsgroups: gmane.linux.debian.devel.release
| Subject: Re: Security unblock requests
| Date: Sat, 23 Oct 2010 15:13:20 +0200
| Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
|
> On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
>
>> More unblock requests:
>> ust/0.7-2.1 -> CVE-2010-3386
>
>  52 files changed, 3116 insertions(+), 1232 deletions(-)

Need more information. Local check:

    $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
    ust-0.7/debian/changelog
    ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
    ust-0.7/debian/patches/series

    $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
    50

Jari




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Tue, 02 Nov 2010 23:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Tue, 02 Nov 2010 23:12:05 GMT) Full text and rfc822 format available.

Message #70 received at 598309@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Jari Aalto <jari.aalto@cante.net>
Cc: debian-release@lists.debian.org, 598309@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Security unblock requests (ust/0.7-2.1)
Date: Wed, 3 Nov 2010 00:09:20 +0100
[Message part 1 (text/plain, inline)]
On Wed, Nov  3, 2010 at 01:06:24 +0200, Jari Aalto wrote:

> > Julien Cristau <jcristau@debian.org> writes:
> | Newsgroups: gmane.linux.debian.devel.release
> | Subject: Re: Security unblock requests
> | Date: Sat, 23 Oct 2010 15:13:20 +0200
> | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> |
> > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> >
> >> More unblock requests:
> >> ust/0.7-2.1 -> CVE-2010-3386
> >
> >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> 
> Need more information. Local check:
> 
>     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
>     ust-0.7/debian/changelog
>     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
>     ust-0.7/debian/patches/series
> 
>     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
>     50
> 
You're not looking at the same base version:

       ust |      0.5-1 |       testing | source

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Mon, 15 Nov 2010 18:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Mon, 15 Nov 2010 18:51:03 GMT) Full text and rfc822 format available.

Message #75 received at 598309@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: jbernard@debian.org
Cc: 598309@bugs.debian.org, Jari Aalto <jari.aalto@cante.net>
Subject: Re: Security unblock requests (ust/0.7-2.1)
Date: Mon, 15 Nov 2010 19:47:14 +0100
On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> The following message is a courtesy copy of an article
> that has been posted to gmane.linux.debian.devel.release as well.
> 
> > Julien Cristau <jcristau@debian.org> writes:
> | Newsgroups: gmane.linux.debian.devel.release
> | Subject: Re: Security unblock requests
> | Date: Sat, 23 Oct 2010 15:13:20 +0200
> | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> |
> > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> >
> >> More unblock requests:
> >> ust/0.7-2.1 -> CVE-2010-3386
> >
> >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> 
> Need more information. Local check:
> 
>     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
>     ust-0.7/debian/changelog
>     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
>     ust-0.7/debian/patches/series
> 
>     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
>     50

What is the status? This is still unfixed in Squeeze.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598309; Package ust-bin. (Mon, 15 Nov 2010 22:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Bernard <jbernard@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Nov 2010 22:21:06 GMT) Full text and rfc822 format available.

Message #80 received at 598309@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 598309@bugs.debian.org
Cc: Jari Aalto <jari.aalto@cante.net>
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Mon, 15 Nov 2010 17:13:22 -0500
* Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> > The following message is a courtesy copy of an article
> > that has been posted to gmane.linux.debian.devel.release as well.
> > 
> > > Julien Cristau <jcristau@debian.org> writes:
> > | Newsgroups: gmane.linux.debian.devel.release
> > | Subject: Re: Security unblock requests
> > | Date: Sat, 23 Oct 2010 15:13:20 +0200
> > | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> > |
> > > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> > >
> > >> More unblock requests:
> > >> ust/0.7-2.1 -> CVE-2010-3386
> > >
> > >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> > 
> > Need more information. Local check:
> > 
> >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
> >     ust-0.7/debian/changelog
> >     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
> >     ust-0.7/debian/patches/series
> > 
> >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
> >     50
> 
> What is the status? This is still unfixed in Squeeze.

Hi Moritz, sorry for the delay. I would prefer to backport the upstream
patch for this bug and create a security update for the version in
squeeze (version 0.5-1).

I believe this is the correct thing to do, but I have never dealt with
a security issue in one of my packages going into a release, so I'm
a bit nervous about what to do.

What is your suggestion on how to proceed?

-- 
Jon




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598309; Package ust-bin. (Tue, 16 Nov 2010 15:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Bernard <jbernard@debian.org>:
Extra info received and forwarded to list. (Tue, 16 Nov 2010 15:09:03 GMT) Full text and rfc822 format available.

Message #85 received at 598309@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 598309@bugs.debian.org
Cc: Jari Aalto <jari.aalto@cante.net>
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Tue, 16 Nov 2010 10:08:05 -0500
* Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> > The following message is a courtesy copy of an article
> > that has been posted to gmane.linux.debian.devel.release as well.
> > 
> > > Julien Cristau <jcristau@debian.org> writes:
> > | Newsgroups: gmane.linux.debian.devel.release
> > | Subject: Re: Security unblock requests
> > | Date: Sat, 23 Oct 2010 15:13:20 +0200
> > | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> > |
> > > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> > >
> > >> More unblock requests:
> > >> ust/0.7-2.1 -> CVE-2010-3386
> > >
> > >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> > 
> > Need more information. Local check:
> > 
> >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
> >     ust-0.7/debian/changelog
> >     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
> >     ust-0.7/debian/patches/series
> > 
> >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
> >     50
> 
> What is the status? This is still unfixed in Squeeze.

For reference, the patch that went into upstream can be found here:

    http://lists.casi.polymtl.ca/pipermail/ltt-dev/2010-September/003328.html

-- 
Jon




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Wed, 17 Nov 2010 20:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Wed, 17 Nov 2010 20:54:02 GMT) Full text and rfc822 format available.

Message #90 received at 598309@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jon Bernard <jbernard@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 598309@bugs.debian.org, Jari Aalto <jari.aalto@cante.net>
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Wed, 17 Nov 2010 21:51:09 +0100
On Mon, Nov 15, 2010 at 05:13:22PM -0500, Jon Bernard wrote:
> * Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> > > The following message is a courtesy copy of an article
> > > that has been posted to gmane.linux.debian.devel.release as well.
> > > 
> > > > Julien Cristau <jcristau@debian.org> writes:
> > > | Newsgroups: gmane.linux.debian.devel.release
> > > | Subject: Re: Security unblock requests
> > > | Date: Sat, 23 Oct 2010 15:13:20 +0200
> > > | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> > > |
> > > > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> > > >
> > > >> More unblock requests:
> > > >> ust/0.7-2.1 -> CVE-2010-3386
> > > >
> > > >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> > > 
> > > Need more information. Local check:
> > > 
> > >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
> > >     ust-0.7/debian/changelog
> > >     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
> > >     ust-0.7/debian/patches/series
> > > 
> > >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
> > >     50
> > 
> > What is the status? This is still unfixed in Squeeze.
> 
> Hi Moritz, sorry for the delay. I would prefer to backport the upstream
> patch for this bug and create a security update for the version in
> squeeze (version 0.5-1).
> 
> I believe this is the correct thing to do, but I have never dealt with
> a security issue in one of my packages going into a release, so I'm
> a bit nervous about what to do.
> 
> What is your suggestion on how to proceed?

- Create a Squeeze chroot or use a Squeeze installation
- apt-get source ust
- Apply the patch you've referenced
- Set the version number to "0.5-1+squeeze1" and the "distribution" to "testing"
- Build and test
- Send the debdiff to this bug and CC debian-release@lists.debian.org for review
- Once acked by them, upload
- Rejoice 

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598309; Package ust-bin. (Wed, 01 Dec 2010 16:54:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Bernard <jbernard@debian.org>:
Extra info received and forwarded to list. (Wed, 01 Dec 2010 16:54:13 GMT) Full text and rfc822 format available.

Message #95 received at 598309@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 598309@bugs.debian.org, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Wed, 1 Dec 2010 11:52:00 -0500
* Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Mon, Nov 15, 2010 at 05:13:22PM -0500, Jon Bernard wrote:
> > * Moritz Muehlenhoff <jmm@inutil.org> wrote:
> > > On Wed, Nov 03, 2010 at 01:06:24AM +0200, Jari Aalto wrote:
> > > > The following message is a courtesy copy of an article
> > > > that has been posted to gmane.linux.debian.devel.release as well.
> > > > 
> > > > > Julien Cristau <jcristau@debian.org> writes:
> > > > | Newsgroups: gmane.linux.debian.devel.release
> > > > | Subject: Re: Security unblock requests
> > > > | Date: Sat, 23 Oct 2010 15:13:20 +0200
> > > > | Message-ID: <20101023131320.GS3167@radis.liafa.jussieu.fr>
> > > > |
> > > > > On Sat, Oct 23, 2010 at 14:37:20 +0200, Moritz Muehlenhoff wrote:
> > > > >
> > > > >> More unblock requests:
> > > > >> ust/0.7-2.1 -> CVE-2010-3386
> > > > >
> > > > >  52 files changed, 3116 insertions(+), 1232 deletions(-)
> > > > 
> > > > Need more information. Local check:
> > > > 
> > > >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | lsdiff
> > > >     ust-0.7/debian/changelog
> > > >     ust-0.7/debian/patches/CVE-2010-3386--bug598309.diff
> > > >     ust-0.7/debian/patches/series
> > > > 
> > > >     $ debdiff ../build-area/ust_0.7-2.dsc ../build-area/ust_0.7-2.1.dsc | filterdiff -x '*changelog' | wc -l
> > > >     50
> > > 
> > > What is the status? This is still unfixed in Squeeze.
> > 
> > Hi Moritz, sorry for the delay. I would prefer to backport the upstream
> > patch for this bug and create a security update for the version in
> > squeeze (version 0.5-1).
> > 
> > I believe this is the correct thing to do, but I have never dealt with
> > a security issue in one of my packages going into a release, so I'm
> > a bit nervous about what to do.
> > 
> > What is your suggestion on how to proceed?
> 
> - Create a Squeeze chroot or use a Squeeze installation
> - apt-get source ust
> - Apply the patch you've referenced
> - Set the version number to "0.5-1+squeeze1" and the "distribution" to "testing"
> - Build and test
> - Send the debdiff to this bug and CC debian-release@lists.debian.org for review
> - Once acked by them, upload
> - Rejoice 

I propose the attached patch for the ust package in squeeze to resolve
this bug. This patch has been prepared for the current version in
squeeze, please let me know what you think. If all looks well, I will
upload.

Cheers

-- 
Jon
[ust_0.5-1--0.5-1+squeeze1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Wed, 01 Dec 2010 17:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Wed, 01 Dec 2010 17:09:06 GMT) Full text and rfc822 format available.

Message #100 received at 598309@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 598309@bugs.debian.org, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Wed, 1 Dec 2010 18:07:41 +0100
On Wed, Dec  1, 2010 at 11:52:00 -0500, Jon Bernard wrote:

> diff -Nru ust-0.5/debian/changelog ust-0.5/debian/changelog
> --- ust-0.5/debian/changelog	2010-07-02 11:34:52.000000000 -0400
> +++ ust-0.5/debian/changelog	2010-11-30 21:23:43.000000000 -0500
> @@ -1,3 +1,9 @@
> +ust (0.5-1+squeeze1) testing; urgency=low
> +
> +  * Backport upstream fix for CVE-2010-3386 (Bug #598309)

You should close the bug in the changelog.

> +
> + -- Jon Bernard <jbernard@debian.org>  Tue, 30 Nov 2010 21:21:25 -0500
> +
>  ust (0.5-1) unstable; urgency=low
>  
>    * [79cd16] Imported Upstream version 0.5
> diff -Nru ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
> --- ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	1969-12-31 19:00:00.000000000 -0500
> +++ ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	2010-11-30 21:23:43.000000000 -0500
> @@ -0,0 +1,84 @@
> +From: Jon Bernard <jbernard@debian.org>
> +Date: Tue, 30 Nov 2010 13:40:04 -0500
> +Subject: [PATCH] Backport upstream fix for CVE-2010-3386 (Bug #598309)
> +
> +When there's an empty item on the colon-separated list of
> +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given
> +script (usttrace) is executed from a directory where a potential, local,
> +attacker can write files to, there's a chance to exploit this bug.
> +
> +This patch was applied upstream in version 0.8.
> +---
> + usttrace |   47 +++++++++++++++++++++++++++++++++++++----------
> + 1 files changed, 37 insertions(+), 10 deletions(-)
> +
> +diff --git a/usttrace b/usttrace
> +index dc159f2..5fdb52f 100755
> +--- a/usttrace
> ++++ b/usttrace
> +@@ -132,27 +132,54 @@ fi
> + 
> +     if [ "$arg_preload_libust" = "1" ];
> +     then
> +-	if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	if [ -n "${LIBUST_PATH%libust.so}" ];
> ++	then
> ++		if [ -n "$LD_LIBRARY_PATH" ];
> ++		then
> ++			export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++		else
> ++			export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> ++		fi
> ++	fi
> ++	if [ -n "$LIBUST_PATH" ];
> ++	then
> ++		if [ -n "$LD_PRELOAD" ];
> ++		then
> ++			export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> ++		else
> ++			export LD_PRELOAD="$LIBUST_PATH"
> ++		fi
> + 	fi
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> +     fi
> + 
> +-    if [ "$arg_ld_std_ust" = "1" ];
> ++    if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
> +     then
> +-	if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	if [ -n "$LD_LIBRARY_PATH" ];
> ++	then
> ++		export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	else
> ++		export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> + 	fi
> +     fi
> + 
> +-    if [ "$arg_preload_malloc" = "1" ];
> ++    if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ];
> +     then
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> ++	if [ -n "$LD_PRELOAD" ];
> ++	then
> ++		export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> ++	else
> ++		export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> ++	fi
> +     fi
> + 
> +-    if [ "$arg_preload_fork" = "1" ];
> ++    if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ];
> +     then
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> ++	if [ -n "$LD_PRELOAD" ];
> ++	then
> ++		export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> ++	else
> ++		export LD_PRELOAD="$LIBINTERFORK_PATH"
> ++	fi
> +     fi
> + 
> + # Execute the command
> +-- 
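
Review bot: The new `[ -n "$LD_LIBRARY_PATH" ]` checks in the usttrace hunk only cover a variable that is unset or empty; a value inherited from the caller that already ends in ':' or contains '::' is still appended to unchanged, so ld.so keeps resolving that empty item to the current directory. The patch description does not say which case is fixed: either state that only the empty item introduced by usttrace itself is removed, or drop empty items from the inherited value before appending. The removed test `if [ -n "$${LIBUST_PATH%libust.so}" ]` began with the shell's PID and was therefore always true, so the replacement changes behaviour there too and deserves a line in the description.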

The patch seems overly complicated, but I guess if that's what upstream
went with it's ok...
(e.g. LIBUST_PATH, LIBINTERFORK_PATH and LIBMALLOCWRAP_PATH can never be
empty, as far as I can tell)

> diff -Nru ust-0.5/debian/patches/series ust-0.5/debian/patches/series
> --- ust-0.5/debian/patches/series	2010-07-02 11:34:52.000000000 -0400
> +++ ust-0.5/debian/patches/series	2010-11-30 21:23:43.000000000 -0500
> @@ -1 +1,2 @@
> +0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
>  info-dir-section.diff
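
Review bot: Append the new patch after info-dir-section.diff instead of inserting it on the first line of series, so the existing patch keeps applying to the same tree it applied to in 0.5-1. The diffstat shows the backport touches only usttrace, so either order should apply, but a one-line append makes the debdiff simpler for the release team to check.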

Cheers,
Julien
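
The empty-item behaviour described in the patch header, and the "overly complicated" remark in the review above, as an added shell example that is not part of this thread or of usttrace: it compares the pre-patch join, the patch's if/else form and an equivalent `${parameter:+word}` one-liner, and goes beyond the patch with a check and a clean-up for inherited values that already contain an empty item. The function names and the `/opt/example/lib/` directory are hypothetical.

```shell
#!/bin/sh
# Added example: constructed helpers, not code from usttrace or the Debian patch.

# has_empty_element LIST: succeed when a colon-separated search path holds an
# empty element (leading, trailing or doubled colon), which ld.so reads as CWD.
has_empty_element() {
    case "$1" in
        "")          return 1 ;;   # empty value: no elements at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# append_vulnerable CURRENT NEW: the pre-patch join, always inserts ':'.
append_vulnerable() {
    printf '%s\n' "$1:$2"
}

# append_upstream CURRENT NEW: same logic as the patch's if/else blocks.
append_upstream() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$2"
    fi
}

# append_compact CURRENT NEW: equivalent form using ${parameter:+word}.
append_compact() {
    printf '%s\n' "${1:+$1:}$2"
}

# strip_empty_elements LIST: drop empty elements from an inherited value
# (an extra step; the patch does not do this).
strip_empty_elements() {
    out=
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *:*) item=${rest%%:*}; rest=${rest#*:} ;;
            *)   item=$rest; rest= ;;
        esac
        if [ -n "$item" ]; then
            out="${out:+$out:}$item"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed inputs: three inherited values and a hypothetical library dir.
demo() {
    libdir=/opt/example/lib/
    for inherited in "" "/usr/local/lib" "/usr/local/lib:"; do
        for fn in append_vulnerable append_upstream append_compact; do
            result=$("$fn" "$inherited" "$libdir")
            if has_empty_element "$result"; then
                verdict="empty element: CWD is searched"
            else
                verdict="ok"
            fi
            printf '%-17s [%s] -> %s (%s)\n' "$fn" "$inherited" "$result" "$verdict"
        done
    done
}

demo
```

On the third input both patched forms still produce a list with an empty element, because it was already present in the inherited value; `strip_empty_elements` is the step that removes it.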

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598309; Package ust-bin. (Wed, 01 Dec 2010 17:39:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Bernard <jbernard@debian.org>:
Extra info received and forwarded to list. (Wed, 01 Dec 2010 17:39:11 GMT) Full text and rfc822 format available.

Message #105 received at 598309@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: Julien Cristau <jcristau@debian.org>, 598309@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Wed, 1 Dec 2010 12:35:00 -0500
* Julien Cristau <jcristau@debian.org> wrote:
> On Wed, Dec  1, 2010 at 11:52:00 -0500, Jon Bernard wrote:
> 
> > diff -Nru ust-0.5/debian/changelog ust-0.5/debian/changelog
> > --- ust-0.5/debian/changelog	2010-07-02 11:34:52.000000000 -0400
> > +++ ust-0.5/debian/changelog	2010-11-30 21:23:43.000000000 -0500
> > @@ -1,3 +1,9 @@
> > +ust (0.5-1+squeeze1) testing; urgency=low
> > +
> > +  * Backport upstream fix for CVE-2010-3386 (Bug #598309)
> 
> You should close the bug in the changelog.

Good call, I'll s/Bug/Closes:/ in the upload.

> > +
> > + -- Jon Bernard <jbernard@debian.org>  Tue, 30 Nov 2010 21:21:25 -0500
> > +
> >  ust (0.5-1) unstable; urgency=low
> >  
> >    * [79cd16] Imported Upstream version 0.5
> > diff -Nru ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
> > --- ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	1969-12-31 19:00:00.000000000 -0500
> > +++ ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	2010-11-30 21:23:43.000000000 -0500
> > @@ -0,0 +1,84 @@
> > +From: Jon Bernard <jbernard@debian.org>
> > +Date: Tue, 30 Nov 2010 13:40:04 -0500
> > +Subject: [PATCH] Backport upstream fix for CVE-2010-3386 (Bug #598309)
> > +
> > +When there's an empty item on the colon-separated list of
> > +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given
> > +script (usttrace) is executed from a directory where a potential, local,
> > +attacker can write files to, there's a chance to exploit this bug.
> > +
> > +This patch was applied upstream in version 0.8.
> > +---
> > + usttrace |   47 +++++++++++++++++++++++++++++++++++++----------
> > + 1 files changed, 37 insertions(+), 10 deletions(-)
> > +
> > +diff --git a/usttrace b/usttrace
> > +index dc159f2..5fdb52f 100755
> > +--- a/usttrace
> > ++++ b/usttrace
> > +@@ -132,27 +132,54 @@ fi
> > + 
> > +     if [ "$arg_preload_libust" = "1" ];
> > +     then
> > +-	if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> > +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	if [ -n "${LIBUST_PATH%libust.so}" ];
> > ++	then
> > ++		if [ -n "$LD_LIBRARY_PATH" ];
> > ++		then
> > ++			export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++		else
> > ++			export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> > ++		fi
> > ++	fi
> > ++	if [ -n "$LIBUST_PATH" ];
> > ++	then
> > ++		if [ -n "$LD_PRELOAD" ];
> > ++		then
> > ++			export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> > ++		else
> > ++			export LD_PRELOAD="$LIBUST_PATH"
> > ++		fi
> > + 	fi
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> > +     fi
> > + 
> > +-    if [ "$arg_ld_std_ust" = "1" ];
> > ++    if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
> > +     then
> > +-	if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> > +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	if [ -n "$LD_LIBRARY_PATH" ];
> > ++	then
> > ++		export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	else
> > ++		export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> > + 	fi
> > +     fi
> > + 
> > +-    if [ "$arg_preload_malloc" = "1" ];
> > ++    if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ];
> > +     then
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> > ++	if [ -n "$LD_PRELOAD" ];
> > ++	then
> > ++		export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> > ++	else
> > ++		export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> > ++	fi
> > +     fi
> > + 
> > +-    if [ "$arg_preload_fork" = "1" ];
> > ++    if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ];
> > +     then
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> > ++	if [ -n "$LD_PRELOAD" ];
> > ++	then
> > ++		export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> > ++	else
> > ++		export LD_PRELOAD="$LIBINTERFORK_PATH"
> > ++	fi
> > +     fi
> > + 
> > + # Execute the command
> > +-- 
> 
> The patch seems overly complicated, but I guess if that's what upstream
> went with it's ok...
> (e.g. LIBUST_PATH, LIBINTERFORK_PATH and LIBMALLOCWRAP_PATH can never be
> empty, as far as I can tell)

Yes, I agree. My thinking is that if another issue arises with the
package, at least it will contain code that upstream is familiar with.

Otherwise, no objections to upload?

-- 
Jon




Information forwarded to debian-bugs-dist@lists.debian.org, Jon Bernard <jbernard@debian.org>:
Bug#598309; Package ust-bin. (Wed, 01 Dec 2010 18:18:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jon Bernard <jbernard@debian.org>. (Wed, 01 Dec 2010 18:18:06 GMT) Full text and rfc822 format available.

Message #110 received at 598309@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 598309@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Date: Wed, 1 Dec 2010 19:14:32 +0100
On Wed, Dec  1, 2010 at 12:35:00 -0500, Jon Bernard wrote:

> Otherwise, no objections to upload?
> 
Please go ahead, thanks.

Cheers,
Julien

Reply sent to Jon Bernard <jbernard@debian.org>:
You have taken responsibility. (Thu, 02 Dec 2010 00:36:03 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Thu, 02 Dec 2010 00:36:03 GMT) Full text and rfc822 format available.

Message #115 received at 598309-close@bugs.debian.org (full text, mbox):

From: Jon Bernard <jbernard@debian.org>
To: 598309-close@bugs.debian.org
Subject: Bug#598309: fixed in ust 0.5-1+squeeze1
Date: Thu, 02 Dec 2010 00:33:31 +0000
Source: ust
Source-Version: 0.5-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
ust, which is due to be installed in the Debian FTP archive:

libust-dev_0.5-1+squeeze1_amd64.deb
  to main/u/ust/libust-dev_0.5-1+squeeze1_amd64.deb
libust0_0.5-1+squeeze1_amd64.deb
  to main/u/ust/libust0_0.5-1+squeeze1_amd64.deb
ust-bin_0.5-1+squeeze1_amd64.deb
  to main/u/ust/ust-bin_0.5-1+squeeze1_amd64.deb
ust_0.5-1+squeeze1.debian.tar.gz
  to main/u/ust/ust_0.5-1+squeeze1.debian.tar.gz
ust_0.5-1+squeeze1.dsc
  to main/u/ust/ust_0.5-1+squeeze1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598309@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jon Bernard <jbernard@debian.org> (supplier of updated ust package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 01 Dec 2010 19:10:09 -0500
Source: ust
Binary: libust0 libust-dev ust-bin
Architecture: source amd64
Version: 0.5-1+squeeze1
Distribution: testing
Urgency: low
Maintainer: Jon Bernard <jbernard@debian.org>
Changed-By: Jon Bernard <jbernard@debian.org>
Description: 
 libust-dev - LTTng Userspace Tracer (development)
 libust0    - LTTng Userspace Tracer (runtime)
 ust-bin    - LTTng Userspace Tracer (utilities)
Closes: 598309
Changes: 
 ust (0.5-1+squeeze1) testing; urgency=low
 .
   * [893a2e] Backport upstream fix for CVE-2010-3386 (Closes: #598309)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 30 Dec 2010 07:31:50 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:28:47 2014; Machine Name: beach.debian.org
