
Re: Bug#605096: [pkg-cli-apps-team] Bug#605096: CVE-2010-4005



Hi,

[ccing -cli too for information]

On Mon, Nov 29, 2010 at 07:38:41PM +0100, Moritz Muehlenhoff wrote:
> On Mon, Nov 29, 2010 at 01:03:31PM +0000, Iain Lane wrote:
> > tags 605096 + pending
> > affects 605096 1.2.2-1
> > affects 605096 0.10.2-1
> > thanks
> >
> > Hi,
> >
> > On Sat, Nov 27, 2010 at 01:10:55PM +0100, Moritz Muehlenhoff wrote:
> > >Package: tomboy
> > >Severity: grave
> > >Tags: security
> > >
> > >
> > >Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4005
> > >for details and a patch. Please fix this for Squeeze with a targeted
> > >bugfix, not by packaging a full new upstream release.
> >
> > Thanks, prepared for sid/squeeze in git. Attached a diff.gz/dsc for
> > lenny. Is this OK to upload?
>
> The impact doesn't warrant a DSA. Please fix this through a stable
> point update instead:
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

OK. @d-release SRMs, would you accept a stable update for tomboy (and
then assumedly banshee which suffers from the same problem in unstable
[not checked stable yet])?

debdiff attached.

Regards,
Iain
diff -u tomboy-0.10.2/debian/changelog tomboy-0.10.2/debian/changelog
--- tomboy-0.10.2/debian/changelog
+++ tomboy-0.10.2/debian/changelog
@@ -1,3 +1,14 @@
+tomboy (0.10.2-1+lenny1) stable-proposed-updates; urgency=high
+
+  * Fix insecure LD_LIBRARY_PATH. A vulnerability existed where if
+    LD_LIBRARY_PATH were set but empty, a trailing : as a path separator would
+    still be appended to the path, exposing an insecure/invalid search path.
+    Using :+: instead of +: prevents this as ${X:+:$X} returns X iff X is set
+    and not empty whereas ${X+:$X} returns X iff X is set (it may be empty).
+    References: CVE-2010-4005 (Closes: #605096)
+
+ -- Iain Lane <laney@ubuntu.com>  Mon, 29 Nov 2010 12:23:34 +0000
+
 tomboy (0.10.2-1) unstable; urgency=low
 
   * New upstream bugfix release.
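
Review bot: the new changelog entry describes both the failure and the expansions imprecisely. It speaks only of "a trailing :", but in the uninstalled branch of Tomboy/tomboy.in the value is followed by `:./Addins/PrintNotes/.libs`, so a set-but-empty LD_LIBRARY_PATH leaves an empty element in the middle of the path (`.libs::./Addins/...`), not at the end. Likewise `${X:+:$X}` expands to `:$X` (separator plus value) rather than to X. Suggest rewording to "an empty path element was left in LD_LIBRARY_PATH", stating that the dynamic linker treats an empty element as the current working directory (which is what makes the search path insecure), and naming the two wrapper scripts the patch touches.
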
only in patch2:
unchanged:
--- tomboy-0.10.2.orig/debian/patches/00_LD_LIBRARY_PATH_CVE-2010-4005.patch
+++ tomboy-0.10.2/debian/patches/00_LD_LIBRARY_PATH_CVE-2010-4005.patch
@@ -0,0 +1,39 @@
+Description: Fix unsafe LD_LIBRARY_PATH setting (CVE-2010-4005)
+Author: Luis Medinas <lmedinas@gnome.org>
+Origin: https://bugzilla.gnome.org/show_bug.cgi?id=635614
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605096
+Bug-Upstream: https://bugzilla.gnome.org/show_bug.cgi?id=635614
+Forwarded: not-needed
+
+Index: tomboy.git/Tomboy/tomboy.in
+===================================================================
+--- tomboy.git.orig/Tomboy/tomboy.in	2010-11-29 01:10:11.170557627 +0000
++++ tomboy.git/Tomboy/tomboy.in	2010-11-29 01:09:46.128629088 +0000
+@@ -3,13 +3,13 @@
+ if [ "x$PWD" = "x@srcdir@" ] ; then
+     echo "*** Running uninstalled @target@ ***"
+ 
+-    export LD_LIBRARY_PATH="../libtomboy/.libs${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:./Addins/PrintNotes/.libs"
++    export LD_LIBRARY_PATH="../libtomboy/.libs${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}:./Addins/PrintNotes/.libs"
+     export TOMBOY_WRAPPER_PATH="$PWD/@wrapper@"
+     export MONO_PATH=$MONO_PATH:./Addins:../Mono.Addins/Mono.Addins:../Mono.Addins/Mono.Addins.Setup:../Mono.Addins/Mono.Addins.Gui
+ 
+     THIS_EXE="--debug ./@target@"
+ else
+-    export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++    export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+     export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+     export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+ 
+Index: tomboy.git/Tomboy/tomboy-panel.in
+===================================================================
+--- tomboy.git.orig/Tomboy/tomboy-panel.in	2010-11-29 01:10:10.770526817 +0000
++++ tomboy.git/Tomboy/tomboy-panel.in	2010-11-29 01:10:00.929768958 +0000
+@@ -1,6 +1,6 @@
+ #!/usr/bin/env bash
+ 
+-export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+ export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+ TOMBOY_CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/tomboy"
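
Review bot: the MONO_PATH assignments kept as context in both scripts (`export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins` and the uninstalled variant in Tomboy/tomboy.in) still concatenate unconditionally, so an unset or empty MONO_PATH produces a leading empty element, the same pattern the LD_LIBRARY_PATH lines are being fixed for. If Mono resolves an empty MONO_PATH entry against the current directory, these lines need the equivalent guard, for example `${MONO_PATH:+$MONO_PATH:}@pkglibdir@:@pkglibdir@/addins`. Please confirm, and either fix it in this patch or note in the Description why it is out of scope. A smaller point on the DEP-3 header: Origin and Bug-Upstream carry the same URL, so one of them could point at the actual upstream commit instead.
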
