Bug#598664: unblock: lastfm/1:1.5.4.26862+dfsg-5
On Sun, Oct 03, 2010 at 04:01:11PM +0200, Julien Cristau wrote:
> On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:
>
> > Please unblock package lastfm
> >
> > It contains a security relevant bugfix: CVE-2010-3362 (#598294)
> >
> It also contains a bunch of other unrelated changes, not documented in
> the changelog.
>
> Cheers,
> Julien
Yikes. I'm sorry about that. I backed out the undocumented patches and
uploaded -6, which now only adds the fix for CVE-2010-3362.
The diff from the version in testing is below:
diff --git a/debian/changelog b/debian/changelog
index 4ee2479..47f5048 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+lastfm (1:1.5.4.26862+dfsg-6) unstable; urgency=high
+
+ * Back out the undocumented changes that sneaked in with -5. We only want
+ the fix for CVE-2010-3362.
+
+ -- John Stamp <jstamp@users.sourceforge.net> Mon, 04 Oct 2010 13:23:01 -0700
+
+lastfm (1:1.5.4.26862+dfsg-5) unstable; urgency=high
+
+ * Fix CVE-2010-3362: insecure library loading (Closes: #598294)
+
+ -- John Stamp <jstamp@users.sourceforge.net> Thu, 30 Sep 2010 14:03:23 -0700
+
lastfm (1:1.5.4.26862+dfsg-4) unstable; urgency=low
* Bump Standards-Version to 3.9.1. No changes needed.
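Review bot: the -5 entry "Fix CVE-2010-3362: insecure library loading" names the CVE but not the defect, so someone reading the changelog cannot tell what was wrong with the wrapper; consider stating that bin/lastfm exported LD_LIBRARY_PATH with a trailing colon whenever the variable was unset or empty, which makes the dynamic linker search the current working directory. The -6 entry correctly says the undocumented changes were backed out; naming the files that were reverted would make the -5 to -6 step easier to audit against the net diff shown here, which touches only debian/changelog and debian/package-files/bin/lastfm.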
diff --git a/debian/package-files/bin/lastfm b/debian/package-files/bin/lastfm
index 34a2487..aef3654 100755
--- a/debian/package-files/bin/lastfm
+++ b/debian/package-files/bin/lastfm
@@ -1,5 +1,5 @@
#!/bin/sh
RUNDIR="/usr/lib/lastfm"
-export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
exec "${RUNDIR}/last.fm" "$@"
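Review bot: the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` form is the right fix and is portable POSIX sh: with LD_LIBRARY_PATH unset or empty the old line expanded to `/usr/lib/lastfm:`, and the empty element after the trailing colon is interpreted by the dynamic linker as the current working directory, whereas the new line yields exactly `/usr/lib/lastfm`. Using `:+` rather than `+` also covers the set-but-empty case, which would otherwise reintroduce the trailing colon. One residual caveat worth a comment in the wrapper: an inherited LD_LIBRARY_PATH that already contains an empty element (leading, trailing or doubled colon) is appended unchanged, so the wrapper does not sanitise the caller's own value, only its own contribution.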
Regards,
John Stamp