
Re: Bug#598309: Security unblock requests (ust/0.7-2.1)



On Wed, Dec  1, 2010 at 11:52:00 -0500, Jon Bernard wrote:

> diff -Nru ust-0.5/debian/changelog ust-0.5/debian/changelog
> --- ust-0.5/debian/changelog	2010-07-02 11:34:52.000000000 -0400
> +++ ust-0.5/debian/changelog	2010-11-30 21:23:43.000000000 -0500
> @@ -1,3 +1,9 @@
> +ust (0.5-1+squeeze1) testing; urgency=low
> +
> +  * Backport upstream fix for CVE-2010-3386 (Bug #598309)

You should close the bug in the changelog.

> +
> + -- Jon Bernard <jbernard@debian.org>  Tue, 30 Nov 2010 21:21:25 -0500
> +
>  ust (0.5-1) unstable; urgency=low
>  
>    * [79cd16] Imported Upstream version 0.5
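
Review bot: The new changelog item on the "Backport upstream fix" line refers to the bug only as "(Bug #598309)", which is not the form the archive tools recognise as a closure. Writing "(Closes: #598309)" on that line closes the bug when the upload is accepted.
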
> diff -Nru ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
> --- ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	1969-12-31 19:00:00.000000000 -0500
> +++ ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	2010-11-30 21:23:43.000000000 -0500
> @@ -0,0 +1,84 @@
> +From: Jon Bernard <jbernard@debian.org>
> +Date: Tue, 30 Nov 2010 13:40:04 -0500
> +Subject: [PATCH] Backport upstream fix for CVE-2010-3386 (Bug #598309)
> +
> +When there's an empty item on the colon-separated list of
> +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given
> +script (usttrace) is executed from a directory where a potential, local,
> +attacker can write files to, there's a chance to exploit this bug.
> +
> +This patch was applied upstream in version 0.8.
> +---
> + usttrace |   47 +++++++++++++++++++++++++++++++++++++----------
> + 1 files changed, 37 insertions(+), 10 deletions(-)
> +
> +diff --git a/usttrace b/usttrace
> +index dc159f2..5fdb52f 100755
> +--- a/usttrace
> ++++ b/usttrace
> +@@ -132,27 +132,54 @@ fi
> + 
> +     if [ "$arg_preload_libust" = "1" ];
> +     then
> +-	if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	if [ -n "${LIBUST_PATH%libust.so}" ];
> ++	then
> ++		if [ -n "$LD_LIBRARY_PATH" ];
> ++		then
> ++			export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++		else
> ++			export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> ++		fi
> ++	fi
> ++	if [ -n "$LIBUST_PATH" ];
> ++	then
> ++		if [ -n "$LD_PRELOAD" ];
> ++		then
> ++			export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> ++		else
> ++			export LD_PRELOAD="$LIBUST_PATH"
> ++		fi
> + 	fi
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> +     fi
> + 
> +-    if [ "$arg_ld_std_ust" = "1" ];
> ++    if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
> +     then
> +-	if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	if [ -n "$LD_LIBRARY_PATH" ];
> ++	then
> ++		export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> ++	else
> ++		export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> + 	fi
> +     fi
> + 
> +-    if [ "$arg_preload_malloc" = "1" ];
> ++    if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ];
> +     then
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> ++	if [ -n "$LD_PRELOAD" ];
> ++	then
> ++		export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> ++	else
> ++		export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> ++	fi
> +     fi
> + 
> +-    if [ "$arg_preload_fork" = "1" ];
> ++    if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ];
> +     then
> +-	export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> ++	if [ -n "$LD_PRELOAD" ];
> ++	then
> ++		export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> ++	else
> ++		export LD_PRELOAD="$LIBINTERFORK_PATH"
> ++	fi
> +     fi
> + 
> + # Execute the command
> +-- 
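
Review bot: The new [ -n "$LD_LIBRARY_PATH" ] tests in the usttrace hunks only cover a variable that is entirely empty. An inherited LD_LIBRARY_PATH that already starts or ends with ':' or contains '::' is appended to unchanged and still carries the empty entry the patch header describes, so if that case is in scope the empty entries need stripping before the append. The same if/else is also repeated five times (twice for LD_LIBRARY_PATH, three times for LD_PRELOAD); "${LD_PRELOAD:+$LD_PRELOAD:}$LIBUST_PATH" and its LD_LIBRARY_PATH equivalent express each case in one line.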

The patch seems overly complicated, but I guess if that's what upstream
went with it's ok...
(e.g. LIBUST_PATH, LIBINTERFORK_PATH and LIBMALLOCWRAP_PATH can never be
empty, as far as I can tell)

> diff -Nru ust-0.5/debian/patches/series ust-0.5/debian/patches/series
> --- ust-0.5/debian/patches/series	2010-07-02 11:34:52.000000000 -0400
> +++ ust-0.5/debian/patches/series	2010-11-30 21:23:43.000000000 -0500
> @@ -1 +1,2 @@
> +0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
>  info-dir-section.diff
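
Review bot: Ordering in series: the CVE patch sits on the first line, ahead of info-dir-section.diff, which changes the position at which the existing patch applies. Unless the fix has to go first, append it as the last line instead.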

Cheers,
Julien
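
The empty-entry behaviour described in the quoted patch header, as an added shell example that is not part of the original message or of usttrace: it contrasts the unconditional "$OLD:$NEW" join with an append that never produces an empty entry, and goes one step beyond the patch by also stripping empty entries from an inherited value. The function names and the /opt/example paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and /opt/example paths are constructed.

# Pre-patch style join: unconditional "$OLD:$NEW".
unsafe_join() {
    printf '%s\n' "$1:$2"
}

# True (0) when a colon-separated list contains an empty entry.
# An entirely empty string is treated as "no entries" here.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop empty entries from an inherited list. Runs in a subshell so the
# IFS and noglob changes do not leak into the caller.
strip_empty_entries() (
    out=
    set -f
    IFS=:
    for entry in $1; do
        if [ -n "$entry" ]; then
            out="${out:+$out:}$entry"
        fi
    done
    printf '%s\n' "$out"
)

# Append NEW to LIST without creating an empty entry; an empty NEW is ignored.
path_append() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${1:+$1:}$2"
    fi
}

# Constructed inputs: an empty value and one with a trailing colon.
for inherited in "" "/opt/example/a:"; do
    old=$(unsafe_join "$inherited" "/opt/example/lib/")
    new=$(path_append "$(strip_empty_entries "$inherited")" "/opt/example/lib/")
    for v in "$old" "$new"; do
        if has_empty_entry "$v"; then s="EMPTY ENTRY"; else s="ok"; fi
        printf '%-36s %s\n' "$v" "$s"
    done
done
```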
