On Tue, Sep 28, 2010 at 09:14:26AM +0100, Adam D. Barratt wrote: > On Tue, September 28, 2010 08:45, Aníbal Monsalve Salazar wrote: > > please unblock qtparted/0.4.5-8 > > > > it fixes RC bug 598301 (CVE-2010-3375: insecure library loading) > > Unfortunately, it also introduces another one: > > > +--- a/data/run_qtparted.in 2005-07-07 06:54:36.000000000 +1000 > > ++++ b/data/run_qtparted.in 2010-09-28 15:53:58.000000000 +1000 > > +@@ -43,7 +43,13 @@ > > + > > + # defines environment variables > > + export QTDIR=@PATH_QTDIR@ > > +-export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH" > > ++LD_LIBRARY_PATH=$( sed "s/\s//g" <<< "$LD_LIBRARY_PATH" ) > > run_qtparted is a /bin/sh script, but herestrings - "<<<" - are not part > of SUSv3, nor granted an exception in policy. The above will fail if > /bin/sh points to dash. > > Regards, > > Adam > thank you, Adam the bug introduced in 0.4.5-8 is fixed in 0.4.5-9 please consider unblocking qtparted/0.4.5-9 diffstat qtparted_0.4.5-9.debdiff changelog | 19 ++++++++++++++++ patches/CVE-2010-3375_insecure_library_loading | 29 +++++++++++++++++++++++++ patches/series | 1 3 files changed, 49 insertions(+) debdiff qtparted_0.4.5-7.dsc qtparted_0.4.5-9.dsc diff -Nru qtparted-0.4.5/debian/changelog qtparted-0.4.5/debian/changelog --- qtparted-0.4.5/debian/changelog 2010-08-26 10:00:07.000000000 +1000 +++ qtparted-0.4.5/debian/changelog 2010-09-28 18:30:40.000000000 +1000 
@@ -1,3 +1,22 @@ +qtparted (0.4.5-9) unstable; urgency=low + + * QA upload. + * Fix debian/patches/CVE-2010-3375_insecure_library_loading + run_qtparted is a /bin/sh script, but herestrings - "<<<" - are not part + of SUSv3, nor granted an exception in policy. The above will fail if + /bin/sh points to dash + + -- Anibal Monsalve Salazar <anibal@debian.org> Tue, 28 Sep 2010 18:24:44 +1000 + +qtparted (0.4.5-8) unstable; urgency=high + + * QA upload. + * Fix CVE-2010-3375 insecure library loading + Add debian/patches/CVE-2010-3375_insecure_library_loading + Closes: 598301 + + -- Anibal Monsalve Salazar <anibal@debian.org> Tue, 28 Sep 2010 16:10:55 +1000 + qtparted (0.4.5-7) unstable; urgency=low * QA upload. diff -Nru qtparted-0.4.5/debian/patches/CVE-2010-3375_insecure_library_loading qtparted-0.4.5/debian/patches/CVE-2010-3375_insecure_library_loading --- qtparted-0.4.5/debian/patches/CVE-2010-3375_insecure_library_loading 1970-01-01 10:00:00.000000000 +1000 +++ qtparted-0.4.5/debian/patches/CVE-2010-3375_insecure_library_loading 2010-09-28 18:24:20.000000000 +1000 
@@ -0,0 +1,29 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3375 +http://security-tracker.debian.org/tracker/CVE-2010-3375 +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598301 + +When there's an empty item on the colon-separated list of +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) +If the given script is executed from a directory where a potential, +local, attacker can write files to, there's a chance to exploit this +bug. + +Patch by Anibal Monsalve Salazar <anibal@debian.org> + +--- a/data/run_qtparted.in 2005-07-07 06:54:36.000000000 +1000 ++++ b/data/run_qtparted.in 2010-09-28 15:53:58.000000000 +1000 +@@ -43,7 +43,13 @@ + + # defines environment variables + export QTDIR=@PATH_QTDIR@ +-export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH" ++LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" ) ++if [ -n "$LD_LIBRARY_PATH" ] ++then ++ export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH" ++else ++ export LD_LIBRARY_PATH="$QTDIR/lib" ++fi + export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH + getmousetype + diff -Nru qtparted-0.4.5/debian/patches/series qtparted-0.4.5/debian/patches/series --- qtparted-0.4.5/debian/patches/series 2010-08-26 09:32:09.000000000 +1000 +++ qtparted-0.4.5/debian/patches/series 2010-09-28 18:51:56.000000000 +1000 @@ -1,3 +1,4 @@ debian-changes-0.4.5-6 modified-r252.diff debian-changes-0.4.5-7 +CVE-2010-3375_insecure_library_loading
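Review bot: In debian/changelog, the 0.4.5-9 entry pastes the review comment verbatim, so "The above will fail if /bin/sh points to dash" has no antecedent and the entry never says what was changed. Suggest describing the change itself, for instance that the herestring was replaced with `echo ... | sed` so the script runs under a POSIX /bin/sh. The entry is also urgency=low while 0.4.5-8, which introduced the same CVE-2010-3375 patch, was urgency=high; worth confirming that is intended.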
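Review bot: In the run_qtparted.in hunk of debian/patches/CVE-2010-3375_insecure_library_loading, `sed "s/\s//g"` only deletes whitespace, so an inherited LD_LIBRARY_PATH with a leading, trailing or doubled colon (for example `/opt/lib:` or `a::b`) still reaches `export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"` with an empty item, which is exactly the case the patch description says ld.so treats as the current directory. Only a fully empty or whitespace-only value takes the `else` branch. Suggest also collapsing repeated colons and trimming leading and trailing colons before the `[ -n "$LD_LIBRARY_PATH" ]` test. Two smaller points on the same line: `\s` is a GNU sed extension rather than POSIX (`[[:space:]]` is the portable spelling, which matters given the /bin/sh portability fix this upload is about), and deleting whitespace inside entries silently turns any directory name containing a space into a different path.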