Debian Bug report logs - #598664
unblock: lastfm/1:1.5.4.26862+dfsg-5

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: John Stamp <jstamp@users.sourceforge.net>

Date: Thu, 30 Sep 2010 21:51:01 UTC

Severity: normal

Tags: moreinfo

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jstamp@users.sourceforge.net, Debian Release Team <debian-release@lists.debian.org>:
Bug#598664; Package release.debian.org. (Thu, 30 Sep 2010 21:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Stamp <jstamp@users.sourceforge.net>:
New Bug report received and forwarded. Copy sent to jstamp@users.sourceforge.net, Debian Release Team <debian-release@lists.debian.org>. (Thu, 30 Sep 2010 21:51:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: John Stamp <jstamp@users.sourceforge.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: lastfm/1:1.5.4.26862+dfsg-5
Date: Thu, 30 Sep 2010 14:47:46 -0700
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception


Please unblock package lastfm

It contains a security relevant bugfix: CVE-2010-3362 (#598294)

unblock lastfm/1:1.5.4.26862+dfsg-5

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598664; Package release.debian.org. (Sun, 03 Oct 2010 14:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 03 Oct 2010 14:03:06 GMT) Full text and rfc822 format available.

Message #10 received at 598664@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: John Stamp <jstamp@users.sourceforge.net>, 598664@bugs.debian.org
Subject: Re: Bug#598664: unblock: lastfm/1:1.5.4.26862+dfsg-5
Date: Sun, 3 Oct 2010 16:01:11 +0200
On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:

> Please unblock package lastfm
> 
> It contains a security relevant bugfix: CVE-2010-3362 (#598294)
> 
It also contains a bunch of other unrelated changes, not documented in
the changelog.

Cheers,
Julien

Added tag(s) moreinfo. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 04 Oct 2010 10:18:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#598664; Package release.debian.org. (Mon, 04 Oct 2010 21:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to John Stamp <jstamp@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 04 Oct 2010 21:39:06 GMT) Full text and rfc822 format available.

Message #17 received at 598664@bugs.debian.org (full text, mbox):

From: John Stamp <jstamp@users.sourceforge.net>
To: Julien Cristau <jcristau@debian.org>
Cc: 598664@bugs.debian.org
Subject: Re: Bug#598664: unblock: lastfm/1:1.5.4.26862+dfsg-5
Date: Mon, 4 Oct 2010 13:59:31 -0700
On Sun, Oct 03, 2010 at 04:01:11PM +0200, Julien Cristau wrote:
> On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:
> 
> > Please unblock package lastfm
> > 
> > It contains a security relevant bugfix: CVE-2010-3362 (#598294)
> > 
> It also contains a bunch of other unrelated changes, not documented in
> the changelog.
> 
> Cheers,
> Julien

Yikes.  I'm sorry about that.  I backed out the undocumented patches and
uploaded -6, which now only adds the fix for CVE-2010-3362.

The diff from the version in testing is below:

diff --git a/debian/changelog b/debian/changelog
index 4ee2479..47f5048 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+lastfm (1:1.5.4.26862+dfsg-6) unstable; urgency=high
+
+  * Back out the undocumented changes that sneaked in with -5.  We only want
+    the fix for CVE-2010-3362.
+
+ -- John Stamp <jstamp@users.sourceforge.net>  Mon, 04 Oct 2010 13:23:01 -0700
+
+lastfm (1:1.5.4.26862+dfsg-5) unstable; urgency=high
+
+  * Fix CVE-2010-3362: insecure library loading (Closes: #598294)
+
+ -- John Stamp <jstamp@users.sourceforge.net>  Thu, 30 Sep 2010 14:03:23 -0700
+
 lastfm (1:1.5.4.26862+dfsg-4) unstable; urgency=low
 
   * Bump Standards-Version to 3.9.1.  No changes needed.
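Review bot: the -6 entry says the undocumented changes "that sneaked in with -5" were backed out but does not name them, so a reader of the changelog cannot tell what -5 shipped beyond the CVE fix, nor confirm from the changelog alone that -6 is -4 plus the single wrapper change; list the reverted patches or files in the -6 entry, or at least state that the diff against -4 is now limited to debian/package-files/bin/lastfm (which is what the diff from testing shown here indicates). urgency=high on both entries is appropriate for a security-only upload.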
diff --git a/debian/package-files/bin/lastfm b/debian/package-files/bin/lastfm
index 34a2487..aef3654 100755
--- a/debian/package-files/bin/lastfm
+++ b/debian/package-files/bin/lastfm
@@ -1,5 +1,5 @@
 #!/bin/sh
 
 RUNDIR="/usr/lib/lastfm"
-export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 exec "${RUNDIR}/last.fm" "$@"
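Review bot: the new expression still passes through any empty element already present in the inherited LD_LIBRARY_PATH (a leading, trailing or doubled colon), so the fix removes the empty element the wrapper itself used to add when the variable was unset or empty, but does not sanitise a value the user's environment supplies; if that matters for this package, filter the inherited value before appending it, or avoid LD_LIBRARY_PATH altogether by giving last.fm an RPATH/RUNPATH of /usr/lib/lastfm at link time. Otherwise the change is right: with `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` the separator is only emitted when the variable is set and non-empty, so the old `"${RUNDIR}:${LD_LIBRARY_PATH}"` trailing colon, an empty path element that the dynamic loader searches as the current working directory, is gone, and `:+` treating set-but-empty the same as unset is the behaviour wanted here. The rest of the wrapper (RUNDIR, the quoted `"$@"` exec) is unchanged.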

Regards,

John Stamp
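The following is an added example, not code from the lastfm package or from this bug thread. It reproduces the two ways the debian/package-files/bin/lastfm wrapper has built LD_LIBRARY_PATH (the -4 form and the -5/-6 fix) under the three states the inherited variable can be in, and checks each result for an empty path element, which the dynamic loader treats as the current working directory. The function names, the sentinel word "unset" and the sample path /opt/lib are this example's own.

```shell
#!/bin/sh
# Added example; not the lastfm package's own code. RUNDIR mirrors the value
# used by the wrapper; everything else here is assumed for illustration.

RUNDIR="/usr/lib/lastfm"

# The -4 wrapper's construction: always appends ":$LD_LIBRARY_PATH", so an
# unset or empty variable leaves a trailing colon, i.e. an empty element.
# $1 is the literal word "unset", or the value to give LD_LIBRARY_PATH.
# Runs in a subshell so the caller's environment is left untouched.
old_wrapper_path() {
    (
        if [ "$1" = unset ]; then unset LD_LIBRARY_PATH; else LD_LIBRARY_PATH=$1; fi
        printf '%s' "${RUNDIR}:${LD_LIBRARY_PATH}"
    )
}

# The -5/-6 construction: ${VAR:+word} expands to "word" only when VAR is
# set and non-empty, so nothing is appended when there is nothing to inherit.
new_wrapper_path() {
    (
        if [ "$1" = unset ]; then unset LD_LIBRARY_PATH; else LD_LIBRARY_PATH=$1; fi
        printf '%s' "${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    )
}

# Returns 0 if a colon-separated search path contains an empty element
# (leading, trailing or doubled colon, or an entirely empty string).
# Wrapping the value in colons turns every such case into a "::" substring.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Stand-alone run: show both constructions for the three states that matter.
for state in unset "" /opt/lib; do
    for variant in old new; do
        p=$("${variant}_wrapper_path" "$state")
        if has_empty_element "$p"; then
            verdict="UNSAFE (empty element: cwd is searched)"
        else
            verdict="ok"
        fi
        printf '%-3s LD_LIBRARY_PATH=%-10s -> %-26s %s\n' \
            "$variant" "'$state'" "$p" "$verdict"
    done
done
```

The same `has_empty_element` check can be run on the value an arbitrary wrapper exports (for example via `env | grep ^LD_LIBRARY_PATH=` from inside a wrapped program) to audit other packages for the same pattern; note that it also flags an empty element the user's own environment already carried, which the wrapper fix does not remove.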





Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Wed, 06 Oct 2010 16:45:09 GMT) Full text and rfc822 format available.

Notification sent to John Stamp <jstamp@users.sourceforge.net>:
Bug acknowledged by developer. (Wed, 06 Oct 2010 16:45:09 GMT) Full text and rfc822 format available.

Message #22 received at 598664-done@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: John Stamp <jstamp@users.sourceforge.net>, 598664-done@bugs.debian.org
Subject: Re: Bug#598664: unblock: lastfm/1:1.5.4.26862+dfsg-5
Date: Wed, 6 Oct 2010 18:43:37 +0200
On Mon, Oct  4, 2010 at 13:59:31 -0700, John Stamp wrote:

> On Sun, Oct 03, 2010 at 04:01:11PM +0200, Julien Cristau wrote:
> > On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:
> > 
> > > Please unblock package lastfm
> > > 
> > > It contains a security relevant bugfix: CVE-2010-3362 (#598294)
> > > 
> > It also contains a bunch of other unrelated changes, not documented in
> > the changelog.
> > 
> Yikes.  I'm sorry about that.  I backed out the undocumented patches and
> uploaded -6, which now only adds the fix for CVE-2010-3362.
> 
Unblocked by Adam.

Cheers,
Julien

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 04 Nov 2010 07:34:34 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:00:32 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.