
Bug#552518: marked as done (libc6: ldd arbitrary code execution vulnerability)

Your message dated Thu, 12 Nov 2009 15:37:53 +0000
with message-id <E1N8bk9-0000VZ-U6@ries.debian.org>
and subject line Bug#552518: fixed in eglibc 2.10.1-7
has caused the Debian Bug report #552518,
regarding libc6: ldd arbitrary code execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

552518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552518
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: eglibc
version: 2.10.1-2
severity: important
tags: security

it has been disclosed that it is possible to execute arbitrary code via
ldd.  this is a pretty obscure attack vector since it requires the user
to run ldd on an untrusted executable.  while unlikely (since users
using ldd should be reasonably intelligent), it is very much possible,
so a fix should be made.  see [0] for more details.

i don't think that this is severe enough to warrant a DSA.  if you
would like to fix the problem in the stable releases, please
coordinate with the release team.


[0] http://www.catonmat.net/blog/ldd-arbitrary-code-execution

--- End Message ---
--- Begin Message ---
Source: eglibc
Source-Version: 2.10.1-7

We believe that the bug you reported is fixed in the latest version of
eglibc, which is due to be installed in the Debian FTP archive:

  to main/e/eglibc/eglibc-source_2.10.1-7_all.deb
  to main/e/eglibc/eglibc_2.10.1-7.diff.gz
  to main/e/eglibc/eglibc_2.10.1-7.dsc
  to main/e/eglibc/glibc-doc_2.10.1-7_all.deb
  to main/e/eglibc/libc-bin_2.10.1-7_amd64.deb
  to main/e/eglibc/libc-dev-bin_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-dbg_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-dev-i386_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-dev_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-i386_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-pic_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-prof_2.10.1-7_amd64.deb
  to main/e/eglibc/libc6-udeb_2.10.1-7_amd64.udeb
  to main/e/eglibc/libc6_2.10.1-7_amd64.deb
  to main/e/eglibc/libnss-dns-udeb_2.10.1-7_amd64.udeb
  to main/e/eglibc/libnss-files-udeb_2.10.1-7_amd64.udeb
  to main/e/eglibc/locales-all_2.10.1-7_amd64.deb
  to main/e/eglibc/locales_2.10.1-7_all.deb
  to main/e/eglibc/nscd_2.10.1-7_amd64.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552518@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Aurelien Jarno <aurel32@debian.org> (supplier of updated eglibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 12 Nov 2009 12:53:04 +0100
Source: eglibc
Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9b libc6-i686 libc6-xen libc0.1-i686 libc6.1-alphaev67 libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.10.1-7
Distribution: unstable
Urgency: low
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
 eglibc-source - Embedded GNU C Library: sources
 glibc-doc  - GNU C Library: Documentation
 libc-bin   - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc0.1    - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-prof - GNU C Library: Profiling Libraries
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-prof - GNU C Library: Profiling Libraries
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6      - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg  - GNU C Library: detached debugging symbols
 libc6-dev  - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390x - GNU C Library: 64bit Development Libraries for IBM zSeries
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - GNU C Library: Shared libraries [i686 optimized]
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-prof - GNU C Library: Profiling Libraries
 libc6-s390x - GNU C Library: 64bit Shared libraries for IBM zSeries
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-sparcv9b - GNU C Library: Shared libraries [v9b optimized]
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-xen  - GNU C Library: Shared libraries [Xen version]
 libc6.1    - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-prof - GNU C Library: Profiling Libraries
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
 locales    - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 nscd       - GNU C Library: Name Service Cache Daemon
Closes: 485608 499016 502189 548042 552518 553722 555463
 eglibc (2.10.1-7) unstable; urgency=low
   * patches/all/local-ldd.diff: new patch to handle the case where ld.so is
     not executable (wrong architecture), and always trace dynamic library
     dependencies through the dynamic linker.  Closes: #502189,
     #552518, #499016.
   * Strip *.o files manually (dh_strip does not do it) to prevent
     leakage of the build directory (has been lost in a merge).
   * script.in/nsscheck.sh: fix call to invoke-rc.d.  Closes: #555463.
   * patches/ia64/submitted-memchr.diff: fix memchr() when data is shorter
     than software pipeline.
   * Bump to Standards-Version 3.8.3.
   * Reenable PIE on mips and build-depends on binutils (>= 2.20-3).
   * Build-depends on g++-4.4 (>= 4.4.2-2) and use gcc-4.4 on armel.
   * libc-bin-dev: recommends manpages-dev.  Closes: #485608.
   * Generate /usr/lib{,32,64}/gconv/gconv-modules.cache at build time
     instead of during package installation. Closes: #548042.
   * debhelper.in/locales-all.prerm: remove /usr/lib/locale on removal, to
     make piuparts happy.
   [ Carlos O'Donell ]
   * patches/hppa/local-stack-grows-up.diff: fix pthread stack related
     functions when the stack grows up.  Closes: #553722.
Package-Type: udeb



--- End Message ---
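The report above concerns running ldd on an untrusted executable, and the changelog entry fixes it by always tracing through the system's dynamic linker instead of whatever the file itself names. As an added example (not Debian's or eglibc's own code), the following checker reads the PT_INTERP program header of an ELF file so an administrator can see which loader a file requests before handing it to any tool; the TRUSTED_LOADERS set and the build_elf64 sample input are assumptions constructed for the example.

```python
"""Report which ELF interpreter (PT_INTERP) a file asks the kernel to run.
Added example, not Debian's or eglibc's own code.  TRUSTED_LOADERS is an
assumed set for a typical amd64/i386 Linux host; adjust it for the system."""
import struct

PT_INTERP = 3
TRUSTED_LOADERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}


def elf_interp(data):
    """Return the PT_INTERP path of an ELF image, or None if it has none."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        raise ValueError("not a valid ELF image")
    is64, endian = data[4] == 2, ("<" if data[5] == 1 else ">")
    # Elf64_Ehdr / Elf32_Ehdr up to e_phnum; indices 5, 9, 10 are what we need
    hdr = struct.unpack_from(endian + ("16sHHIQQQIHHH" if is64 else "16sHHIIIIIHHH"), data)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phoff + phnum * phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:  # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_off, _, _, p_sz = struct.unpack_from(endian + "IIQQQQ", data, off)
        else:     # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_off, _, _, p_sz = struct.unpack_from(endian + "IIIII", data, off)
        if p_type == PT_INTERP:
            return data[p_off:p_off + p_sz].split(b"\0", 1)[0].decode()
    return None


def classify(data):
    """'static' (no PT_INTERP), 'trusted', or 'untrusted:<path>'."""
    interp = elf_interp(data)
    if interp is None:
        return "static"
    return "trusted" if interp in TRUSTED_LOADERS else "untrusted:" + interp


def build_elf64(interp=None):
    """Constructed sample input: a minimal little-endian ELF64 image carrying
    at most one PT_INTERP header.  It is not a runnable program."""
    ehsize, phentsize, phnum = 64, 56, (0 if interp is None else 1)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELFCLASS64, LSB, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)
    if interp is None:
        return ehdr
    blob = interp + b"\0"
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehsize + phentsize, 0, 0,
                       len(blob), len(blob), 1)
    return ehdr + phdr + blob
```

Feeding classify() the bytes of a real file flags any binary whose requested loader is not one of the host's own, which is the case the fixed ldd no longer trusts.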
