Your message dated Sun, 20 Feb 2011 01:21:47 +0000
with message-id <E1Pqxzf-0003Te-Tf@franck.debian.org>
and subject line Bug#508501: Removed package(s) from unstable
has caused the Debian Bug report #598298,
regarding mn-fit: CVE-2010-3366: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
598298: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598298
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: mn-fit: CVE-2010-3366: insecure library loading
- From: Raphael Geissert <geissert@debian.org>
- Date: Tue, 28 Sep 2010 04:22:26 +0000
- Message-id: <E1P0Rhy-0006qr-5t@alioth.debian.org>
Package: mn-fit
Version: 5.13-7
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to contain
a script that can be abused by an attacker to execute arbitrary code.

The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH,
an environment variable used by ld.so(8) to look for libraries on a
directory other than the standard paths.

Vulnerable code follows:

/usr/bin/mn_fit line 146:
LD_LIBRARY_PATH=$ROOTSYS/lib:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of LD_LIBRARY_PATH,
ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential, local,
attacker can write files to, there's a chance to exploit this bug.

This vulnerability has been assigned the CVE id CVE-2010-3366. Please make
sure you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3366
[1] http://security-tracker.debian.org/tracker/CVE-2010-3366

Sincerely,
Raphael Geissert
--- End Message ---
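The pattern the report quotes, as an added example that is not code from the bug report or from the mn-fit package: the vulnerable assignment beside a form that never yields an empty list entry, plus a small audit check that flags empty entries in any colon-separated library path. The function names and the /opt/root sample value are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the bug report or mn-fit). ROOTSYS would normally
# point at an installed ROOT tree; the tests pass /opt/root as a stand-in.

# The construction quoted from /usr/bin/mn_fit line 146. When the inherited
# LD_LIBRARY_PATH is unset or empty the result ends in ':', and ld.so treats
# that empty entry as '.' (the current working directory).
build_vulnerable() {
    rootsys=$1
    inherited=$2
    printf '%s\n' "$rootsys/lib:$inherited"
}

# Fixed form: append the separator and the inherited list only when the
# inherited list is non-empty, so no empty entry can be produced.
build_safe() {
    rootsys=$1
    inherited=$2
    printf '%s\n' "$rootsys/lib${inherited:+:$inherited}"
}

# Audit helper: return 0 when a colon-separated list contains an empty entry
# (leading, trailing or doubled colon), 1 otherwise. An entirely empty string
# has no entries at all and is not flagged.
has_empty_entry() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Convenience wrapper for reviewing a wrapper script's effective value:
#   audit_ld_path "$LD_LIBRARY_PATH"
audit_ld_path() {
    if has_empty_entry "$1"; then
        printf 'empty entry in LD_LIBRARY_PATH (treated as CWD): %s\n' "$1" >&2
        return 1
    fi
    return 0
}
```

Running audit_ld_path inside a wrapper after it sets LD_LIBRARY_PATH makes the trailing-colon case fail loudly instead of silently searching the current directory.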
--- Begin Message ---
- To: 553811-done@bugs.debian.org,598298-done@bugs.debian.org,
- Cc: mn-fit@packages.debian.org, mn-fit@packages.qa.debian.org
- Subject: Bug#508501: Removed package(s) from unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 20 Feb 2011 01:21:47 +0000
- Message-id: <E1Pqxzf-0003Te-Tf@franck.debian.org>
Version: 5.13-7+rm

Dear submitter,

as the package mn-fit has just been removed from the Debian archive unstable
we hereby close the associated bug reports. We are sorry that we couldn't
deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/508501

The version of this package that was in Debian prior to this removal can
still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is a
problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)
--- End Message ---