Debian Bug report logs - #598418
libmagics++-dev: CVE-2010-3393: insecure library loading

Package: libmagics++-dev; Maintainer for libmagics++-dev is Alastair McKinstry <mckinstry@debian.org>; Source for libmagics++-dev is src:magics++.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 21:09:01 UTC

Severity: important

Tags: patch, security

Found in version magics++/2.10.0.dfsg-4

Fixed in version magics++/2.10.0.dfsg-5.1

Done: Jari Aalto <jari.aalto@cante.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Tue, 28 Sep 2010 21:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Tue, 28 Sep 2010 21:09:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: libmagics++-dev: CVE-2010-3393: insecure library loading
Date: Tue, 28 Sep 2010 21:06:49 +0000
Package: libmagics++-dev
Version: 2.10.0.dfsg-4
Severity: important
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/magics-config line 105:
		echo "   export LD_LIBRARY_PATH=${prefix}/lib:\$LD_LIBRARY_PATH"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

While magics-config itself is not vulnerable, the generated code is.

This vulnerability has been assigned the CVE id CVE-2010-3393. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3393
[1] http://security-tracker.debian.org/tracker/CVE-2010-3393

Sincerely,
Raphael Geissert




Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Wed, 29 Sep 2010 16:18:08 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 16:18:08 GMT) Full text and rfc822 format available.

Message #10 received at 598418-close@bugs.debian.org (full text, mbox):

From: Alastair McKinstry <mckinstry@debian.org>
To: 598418-close@bugs.debian.org
Subject: Bug#598418: fixed in magics++ 2.10.0.dfsg-5
Date: Wed, 29 Sep 2010 16:17:22 +0000
Source: magics++
Source-Version: 2.10.0.dfsg-5

We believe that the bug you reported is fixed in the latest version of
magics++, which is due to be installed in the Debian FTP archive:

libmagics++-data_2.10.0.dfsg-5_all.deb
  to main/m/magics++/libmagics++-data_2.10.0.dfsg-5_all.deb
libmagics++-dev_2.10.0.dfsg-5_i386.deb
  to main/m/magics++/libmagics++-dev_2.10.0.dfsg-5_i386.deb
libmagplus3_2.10.0.dfsg-5_i386.deb
  to main/m/magics++/libmagplus3_2.10.0.dfsg-5_i386.deb
magics++_2.10.0.dfsg-5.debian.tar.gz
  to main/m/magics++/magics++_2.10.0.dfsg-5.debian.tar.gz
magics++_2.10.0.dfsg-5.dsc
  to main/m/magics++/magics++_2.10.0.dfsg-5.dsc
magics++_2.10.0.dfsg-5_i386.deb
  to main/m/magics++/magics++_2.10.0.dfsg-5_i386.deb
python-magics++_2.10.0.dfsg-5_i386.deb
  to main/m/magics++/python-magics++_2.10.0.dfsg-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated magics++ package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Sep 2010 12:43:09 +0100
Source: magics++
Binary: libmagplus3 libmagics++-dev magics++ python-magics++ libmagics++-data
Architecture: source all i386
Version: 2.10.0.dfsg-5
Distribution: unstable
Urgency: low
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Description: 
 libmagics++-data - Data files needed for magics++ library
 libmagics++-dev - Development files for ECMWF  plotting software MAGICS++
 libmagplus3 - ECMWF meteorological plotting software library
 magics++   - Executables for the magics++ library
 python-magics++ - python support for Magics++
Closes: 598418
Changes: 
 magics++ (2.10.0.dfsg-5) unstable; urgency=low
 .
   * CVE-2010-3393: Fix LD_LIBRARY_PATH edit. Closes: #598418.





Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Thu, 30 Sep 2010 00:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Thu, 30 Sep 2010 00:03:06 GMT) Full text and rfc822 format available.

Message #15 received at 598418@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: 598418@bugs.debian.org
Subject: Re: Bug#598418 closed by Alastair McKinstry <mckinstry@debian.org> (Bug#598418: fixed in magics++ 2.10.0.dfsg-5)
Date: Wed, 29 Sep 2010 18:59:37 -0500
Hi,

On 29 September 2010 11:18, Debian Bug Tracking System
<owner@bugs.debian.org> wrote:
> Closes: 598418
> Changes:
>  magics++ (2.10.0.dfsg-5) unstable; urgency=low
>  .
>   * CVE-2010-3393: Fix LD_LIBRARY_PATH edit. Closes: #598418.

> FFLAGS="@FFLAGS@"
> CPPLIBS="@CPPLIBS@"
>-python="@MAGICS_PYTHON@"
> py_dir="@PYTHON_SITE_PACKAGES_DIR@"

I don't think that was intentional, was it?

>+if test -h ${LD_LIBRARY_PATH}; then
>+     ldlib=${prefix}/lib
>+else
>+     ldlib=${prefix}/lib:${LD_LIBRARY_PATH}
>+fi
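
Review bot: `test -h` in the added `if` checks whether its operand is a symbolic link, not whether LD_LIBRARY_PATH is empty, so a value naming a single symlinked directory is silently dropped from `ldlib`. With the variable empty and unquoted the command collapses to `test -h`, which is true only through the one-argument rule of test(1). Use `test -z "${LD_LIBRARY_PATH}"` with the operand quoted, or fold the check into the assignment with `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`.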

I don't get it, why are you using -h? LD_LIBRARY_PATH may contain one
directory or a colon-separated list of them.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
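
The empty-element behaviour described in Message #5 and the `-h` question raised in the message above, as an added example that is not part of the original messages or of magics-config: it runs the three forms that appear in this log (the original line, the 2.10.0.dfsg-5 patch and the 2.10.0.dfsg-5.1 patch) over constructed values and flags results that contain an empty element. The `prefix` value and all function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from magics-config. prefix and all function names
# are assumptions; the three build_* bodies mirror forms quoted in this log.

prefix=/usr/lib/magics   # constructed sample value

# True (0) if colon-separated list $1 has an empty element, which ld.so
# resolves to the current directory. A wholly empty value is "no list".
has_empty_entry() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# 2.10.0.dfsg-4: unconditional append; $1 is the current LD_LIBRARY_PATH.
build_original() {
    printf '%s\n' "${prefix}/lib:$1"
}

# 2.10.0.dfsg-5: symlink test on the unquoted value (kept as posted).
build_test_h() {
    if test -h $1; then
        printf '%s\n' "${prefix}/lib"
    else
        printf '%s\n' "${prefix}/lib:$1"
    fi
}

# 2.10.0.dfsg-5.1: add the separator only when the value is non-empty.
build_expansion() {
    printf '%s\n' "${prefix}/lib${1:+:$1}"
}

# A single directory that is a symlink: the -5 form drops it entirely.
symlink_case() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/real" || return 1
    ln -s "$tmp/real" "$tmp/link" || return 1
    build_test_h "$tmp/link"
    rm -rf "$tmp"
}

# Constructed sample values: unset/empty, one directory, a list, and a list
# that already ends in an empty element.
for cur in "" "/opt/a" "/opt/a:/opt/b" "/opt/a:"; do
    for form in build_original build_test_h build_expansion; do
        out=$("$form" "$cur")
        if has_empty_entry "$out"; then verdict="empty entry: CWD searched"
        else verdict="ok"; fi
        printf '%-16s in=%-16s out=%-32s %s\n' "$form" "'$cur'" "$out" "$verdict"
    done
done
printf 'symlinked dir under -5 form: %s\n' "$(symlink_case)"
```

The last sample value shows that the `:+` form only guards the empty or unset case: an empty element already present in the incoming value passes through unchanged.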




Bug No longer marked as fixed in versions magics++/2.10.0.dfsg-5 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Oct 2010 13:00:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Sat, 16 Oct 2010 17:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to jari.aalto@cante.net:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Sat, 16 Oct 2010 17:48:06 GMT) Full text and rfc822 format available.

Message #22 received at 598418@bugs.debian.org (full text, mbox):

From: jari.aalto@cante.net
To: 598418@bugs.debian.org, 598418-submitter@bugs.debian.org
Subject: Bug#598418 magics++: NMU diff for 2.10.0.dfsg-5.1
Date: Sat, 16 Oct 2010 20:44:31 +0300
[Message part 1 (text/plain, inline)]
Dear maintainer,

Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598418.
See the debian/patches directory for the important fixes.

Let me know if it's ok to proceed with the NMU.

Thank you for maintaining the package,
Jari Aalto

[1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
[2] http://dep.debian.net/deps/dep1.html

lsdiff(1) of changes:

    magics++-2.10.0.dfsg/debian/changelog
    magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch

[magics++_2.10.0.dfsg-5--2.10.0.dfsg-5.1.deb.diff (text/x-diff, inline)]
diffstat for magics++-2.10.0.dfsg magics++-2.10.0.dfsg

 changelog                   |    9 ++++++++
 patches/cve-2010-3393.patch |   46 ++++++++++++++++++++++++--------------------
 2 files changed, 35 insertions(+), 20 deletions(-)

diff -Nru magics++-2.10.0.dfsg/debian/changelog magics++-2.10.0.dfsg/debian/changelog
--- magics++-2.10.0.dfsg/debian/changelog	2010-09-26 14:44:25.000000000 +0300
+++ magics++-2.10.0.dfsg/debian/changelog	2010-10-16 19:56:10.000000000 +0300
@@ -1,3 +1,12 @@
+magics++ (2.10.0.dfsg-5.1) unstable; urgency=low
+
+  * debian/patches
+    - (cve-2010-3393): Refresh patch. Restore deleted line
+      'python="@MAGICS_PYTHON@"' and adjust treatment of LD_LIBRARY_PATH.
+      See reopened bug for details. (Closes: #598418).
+
+ -- Jari Aalto <jari.aalto@cante.net>  Sat, 16 Oct 2010 19:56:10 +0300
+
 magics++ (2.10.0.dfsg-5) unstable; urgency=low
 
   * CVE-2010-3393: Fix LD_LIBRARY_PATH edit. Closes: #598418. 
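Review bot: the new 2.10.0.dfsg-5.1 entry has no "Non-maintainer upload." item, although the -5.1 version and the signature line by someone other than the package maintainer mark it as an NMU. Add `* Non-maintainer upload.` as the first item of the entry, ahead of the `debian/patches` item.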
diff -Nru magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch
--- magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch	2010-09-26 14:42:47.000000000 +0300
+++ magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch	2010-10-16 19:52:41.000000000 +0300
@@ -1,30 +1,33 @@
-Index: magics++-2.10.0.dfsg/magics-config.in
-===================================================================
---- magics++-2.10.0.dfsg.orig/magics-config.in	2010-09-26 12:42:02.000000000 +0100
-+++ magics++-2.10.0.dfsg/magics-config.in	2010-09-26 12:42:42.000000000 +0100
-@@ -9,7 +9,6 @@
- AXX="@AXX@"
- FFLAGS="@FFLAGS@"
- CPPLIBS="@CPPLIBS@"
--python="@MAGICS_PYTHON@"
- py_dir="@PYTHON_SITE_PACKAGES_DIR@"
- suffix=""
- 
-@@ -73,6 +72,13 @@
+From 47e66c6b30c4fab0dc31f63dc5c33a86152bca55 Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 19:52:12 +0300
+Subject: [PATCH] Fix insecure library loading
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ magics-config.in |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+ mode change 100644 => 100755 magics-config.in
+
+diff --git a/magics-config.in b/magics-config.in
+old mode 100644
+new mode 100755
+index dd07ffd..4f79860
+--- a/magics-config.in
++++ b/magics-config.in
+@@ -73,6 +73,8 @@ if test -h ${prefix}; then
  	fi
  fi
  
-+if test -h ${LD_LIBRARY_PATH}; then
-+     ldlib=${prefix}/lib
-+else
-+     ldlib=${prefix}/lib:${LD_LIBRARY_PATH}
-+fi
-+
++ldlib="${prefix}/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 +
  if test $# -eq 0; then
  	usage 1 1>&2
  fi
-@@ -102,7 +108,7 @@
+@@ -102,7 +104,7 @@ while test $# -gt 0; do
  		echo ""
  		echo "   export MAGPLUS_HOME=${prefix}"
  		echo "   export PATH=${prefix}/bin:\$PATH"
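Review bot: the refreshed patch header carries `mode change 100644 => 100755 magics-config.in` together with the `old mode` / `new mode` lines, which has nothing to do with the LD_LIBRARY_PATH fix. Drop the mode change so the security patch is limited to the `ldlib` assignment and no longer removes the `python=` line.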
@@ -33,3 +36,6 @@
  		echo "   export PYTHONPATH=\"${py_dir}:\${PYTHONPATH:-/usr/lib}\""
  		echo ""
  		echo " You might want add these lines to your login scripts (.profile, .kshrc or .bashrc)."
+-- 
+1.7.1
+

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598418. (Sat, 16 Oct 2010 17:48:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Sat, 16 Oct 2010 18:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alastair McKinstry <alastair.mckinstry@sceal.ie>:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Sat, 16 Oct 2010 18:24:05 GMT) Full text and rfc822 format available.

Message #30 received at 598418@bugs.debian.org (full text, mbox):

From: Alastair McKinstry <alastair.mckinstry@sceal.ie>
To: jari.aalto@cante.net, 598418@bugs.debian.org
Subject: Re: Bug#598418: magics++: NMU diff for 2.10.0.dfsg-5.1
Date: Sat, 16 Oct 2010 19:03:47 +0100
thank you for this. please NMU.

- Alastair

On 2010-10-16 18:44, jari.aalto@cante.net wrote:
> Dear maintainer,
>
> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598418.
> See the debian/patches directory for the important fixes.
>
> Let me know if it's ok to proceed with the NMU.
>
> Thank you for maintaining the package,
> Jari Aalto
>
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#nmu
> [2] http://dep.debian.net/deps/dep1.html
>
> lsdiff(1) of changes:
>
>      magics++-2.10.0.dfsg/debian/changelog
>      magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch
>


-- 
Alastair McKinstry  ,<alastair@sceal.ie>  ,<mckinstry@debian.org>     http://blog.sceal.ie

Anyone who believes exponential growth can go on forever in a finite world
is either a madman or an economist - Kenneth Boulter, Economist.






Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Mon, 25 Oct 2010 15:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Mon, 25 Oct 2010 15:45:06 GMT) Full text and rfc822 format available.

Message #35 received at 598418@bugs.debian.org (full text, mbox):

From: tony mancill <tmancill@debian.org>
To: 598418@bugs.debian.org
Subject: magics++: diff for NMU version 2.10.0.dfsg-5.1
Date: Mon, 25 Oct 2010 08:40:50 -0700
tags 598418 + patch
tags 598418 + pending
thanks

Dear maintainer,

I've sponsored an NMU for magics++ (versioned as 2.10.0.dfsg-5.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I should delay 
it longer or remove it from the queue.

Regards,
tony

diff -Nru magics++-2.10.0.dfsg/debian/changelog magics++-2.10.0.dfsg/debian/changelog
--- magics++-2.10.0.dfsg/debian/changelog	2010-09-26 04:44:25.000000000 -0700
+++ magics++-2.10.0.dfsg/debian/changelog	2010-10-24 09:20:57.000000000 -0700
@@ -1,3 +1,13 @@
+magics++ (2.10.0.dfsg-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * debian/patches
+    - (cve-2010-3393--bug598418): Refresh patch. Restore deleted line
+      'python="@MAGICS_PYTHON@"' and adjust $ldlib.
+      (important, security, reopened; Closes: #598418).
+
+ -- Jari Aalto <jari.aalto@cante.net>  Sun, 24 Oct 2010 19:20:57 +0300
+
 magics++ (2.10.0.dfsg-5) unstable; urgency=low
 
   * CVE-2010-3393: Fix LD_LIBRARY_PATH edit. Closes: #598418. 
diff -Nru magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch
--- magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch	2010-09-26 04:42:47.000000000 -0700
+++ magics++-2.10.0.dfsg/debian/patches/cve-2010-3393.patch	2010-10-24 09:17:41.000000000 -0700
@@ -1,35 +1,37 @@
-Index: magics++-2.10.0.dfsg/magics-config.in
-===================================================================
---- magics++-2.10.0.dfsg.orig/magics-config.in	2010-09-26 12:42:02.000000000 +0100
-+++ magics++-2.10.0.dfsg/magics-config.in	2010-09-26 12:42:42.000000000 +0100
-@@ -9,7 +9,6 @@
- AXX="@AXX@"
- FFLAGS="@FFLAGS@"
- CPPLIBS="@CPPLIBS@"
--python="@MAGICS_PYTHON@"
- py_dir="@PYTHON_SITE_PACKAGES_DIR@"
- suffix=""
- 
-@@ -73,6 +72,13 @@
+From 4d974cdaf4547520d6ce335f88f5f67712e97766 Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Sat, 16 Oct 2010 19:52:12 +0300
+Subject: [PATCH] CVE-2010-3393 insecure library loading Bug#598418
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ magics-config.in |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/magics-config.in b/magics-config.in
+index dd07ffd..889b2e2 100644
+--- a/magics-config.in
++++ b/magics-config.in
+@@ -73,6 +73,7 @@ if test -h ${prefix}; then
  	fi
  fi
  
-+if test -h ${LD_LIBRARY_PATH}; then
-+     ldlib=${prefix}/lib
-+else
-+     ldlib=${prefix}/lib:${LD_LIBRARY_PATH}
-+fi
-+
-+
++ldlib="${prefix}/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
  if test $# -eq 0; then
  	usage 1 1>&2
  fi
-@@ -102,7 +108,7 @@
+@@ -102,7 +103,7 @@ while test $# -gt 0; do
  		echo ""
  		echo "   export MAGPLUS_HOME=${prefix}"
  		echo "   export PATH=${prefix}/bin:\$PATH"
 -		echo "   export LD_LIBRARY_PATH=${prefix}/lib:\$LD_LIBRARY_PATH"
-+		echo "   export LD_LIBRARY_PATH=${ldlib}"
++		echo "   export LD_LIBRARY_PATH=\"$ldlib\""
  		echo "   export PYTHONPATH=\"${py_dir}:\${PYTHONPATH:-/usr/lib}\""
  		echo ""
  		echo " You might want add these lines to your login scripts (.profile, .kshrc or .bashrc)."
+-- 
+1.7.1
+
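Review bot: `$ldlib` in the new `echo "   export LD_LIBRARY_PATH=\"$ldlib\""` line is expanded when magics-config runs, so the printed export embeds the caller's current LD_LIBRARY_PATH instead of referring to the variable, unlike the neighbouring PATH and PYTHONPATH lines, which escape `\$PATH` and `\${PYTHONPATH:-/usr/lib}`. Anyone who copies the output into a login script, as the help text suggests, gets a frozen value, and an empty element already present in the current value is carried through. Consider escaping the expansion so the shell that runs the export evaluates it, for example `export LD_LIBRARY_PATH=${prefix}/lib\${LD_LIBRARY_PATH:+:\$LD_LIBRARY_PATH}` inside the echo.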




Added tag(s) patch. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Mon, 25 Oct 2010 15:45:12 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Mon, 25 Oct 2010 15:45:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Mon, 25 Oct 2010 16:21:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Mon, 25 Oct 2010 16:21:11 GMT) Full text and rfc822 format available.

Message #44 received at 598418@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: jari.aalto@cante.net
Cc: 598418@bugs.debian.org, alastair.mckinstry@sceal.ie
Subject: Re: Bug#598418: magics++: NMU diff for 2.10.0.dfsg-5.1
Date: Mon, 25 Oct 2010 18:20:33 +0200
>> Dear maintainer,
>>
>> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598418.
>> See the debian/patches directory for the important fixes.
>>
>> Let me know if it's ok to proceed with the NMU.

On Sat, Oct 16, 2010 at 07:03:47PM +0100, Alastair McKinstry wrote:
> thank you for this. please NMU.

Jari, did you see the mail? Please proceed with the NMU.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#598418; Package libmagics++-dev. (Mon, 25 Oct 2010 16:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Alastair McKinstry <mckinstry@debian.org>. (Mon, 25 Oct 2010 16:45:06 GMT) Full text and rfc822 format available.

Message #49 received at 598418@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: Moritz Muehlenhoff <jmm@inutil.org>, control@bugs.debian.org
Cc: 598418@bugs.debian.org, alastair.mckinstry@sceal.ie, tmancill@debian.org
Subject: Re: Bug#598418: magics++: NMU diff for 2.10.0.dfsg-5.1
Date: Mon, 25 Oct 2010 19:42:01 +0300
tags 598418 + pending
thanks
Moritz Muehlenhoff <jmm@inutil.org> writes:

>>> Dear maintainer,
>>>
>>> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598418.
>>> See the debian/patches directory for the important fixes.
>>>
>>> Let me know if it's ok to proceed with the NMU.
>
> On Sat, Oct 16, 2010 at 07:03:47PM +0100, Alastair McKinstry wrote:
>> thank you for this. please NMU.
>
> Jari, did you see the mail? Please proceed with the NMU.

Yes,

Thanks Alastair, it's under way.

Jari




Reply sent to Jari Aalto <jari.aalto@cante.net>:
You have taken responsibility. (Sat, 30 Oct 2010 16:06:09 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 30 Oct 2010 16:06:09 GMT) Full text and rfc822 format available.

Message #54 received at 598418-close@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598418-close@bugs.debian.org
Subject: Bug#598418: fixed in magics++ 2.10.0.dfsg-5.1
Date: Sat, 30 Oct 2010 16:02:19 +0000
Source: magics++
Source-Version: 2.10.0.dfsg-5.1

We believe that the bug you reported is fixed in the latest version of
magics++, which is due to be installed in the Debian FTP archive:

libmagics++-data_2.10.0.dfsg-5.1_all.deb
  to main/m/magics++/libmagics++-data_2.10.0.dfsg-5.1_all.deb
libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/libmagics++-dev_2.10.0.dfsg-5.1_i386.deb
libmagplus3_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/libmagplus3_2.10.0.dfsg-5.1_i386.deb
magics++_2.10.0.dfsg-5.1.debian.tar.gz
  to main/m/magics++/magics++_2.10.0.dfsg-5.1.debian.tar.gz
magics++_2.10.0.dfsg-5.1.dsc
  to main/m/magics++/magics++_2.10.0.dfsg-5.1.dsc
magics++_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/magics++_2.10.0.dfsg-5.1_i386.deb
python-magics++_2.10.0.dfsg-5.1_i386.deb
  to main/m/magics++/python-magics++_2.10.0.dfsg-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aalto@cante.net> (supplier of updated magics++ package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Oct 2010 19:20:57 +0300
Source: magics++
Binary: libmagplus3 libmagics++-dev magics++ python-magics++ libmagics++-data
Architecture: source all i386
Version: 2.10.0.dfsg-5.1
Distribution: unstable
Urgency: low
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Jari Aalto <jari.aalto@cante.net>
Description: 
 libmagics++-data - Data files needed for magics++ library
 libmagics++-dev - Development files for ECMWF  plotting software MAGICS++
 libmagplus3 - ECMWF meteorological plotting software library
 magics++   - Executables for the magics++ library
 python-magics++ - python support for Magics++
Closes: 598418
Changes: 
 magics++ (2.10.0.dfsg-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/patches
     - (cve-2010-3393--bug598418): Refresh patch. Restore deleted line
       'python="@MAGICS_PYTHON@"' and adjust $ldlib.
       (important, security, reopened; Closes: #598418).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Dec 2010 07:31:38 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:47:25 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.