
backport of CVE-2010-3364 to vips/nip2 in testing



The bug reported in bug 598296 is the security vulnerability
CVE-2010-3364.  The bug was reported against vips 7.22, but it actually
affects both vips and nip2, and it is present in all previous versions.
Its fix is a simple change to some wrapper shell scripts.  The versions
currently in unstable include upstream's fix to the bug, but the
unstable versions have no possibility of migrating to testing since they
are new upstream versions and depend on other things that are not going
to transition.

I have backported the fix from the current versions in unstable to the
versions in testing.  The patch applied with no modifications other than
the name of the file being changed.  I have prepared new versions for
testing, but as per your instructions, I have not uploaded them.
(Anyway, I don't have a clean testing chroot set up at the moment,
though I can always make one.)  I'm attaching my diffs to this email.
Feel free to either put these in testing or to ask me to go ahead and
upload.  I can set up a testing chroot and build packages to upload
(though it might take me several days to get to it).

I haven't done anything to mark that the bug appears in older
versions.  I will also be contacting the security team about fixing it
in stable.

-- 
Jay Berkenbilt <qjb@debian.org>
Index: debian/changelog
===================================================================
--- debian/changelog	(.../tags/7.20.7-1)	(revision 1488)
+++ debian/changelog	(.../branches/7.20)	(revision 1488)
@@ -1,3 +1,10 @@
+vips (7.20.7-2) testing-proposed-updates; urgency=low
+
+  * Backport fix to CVE-2010-3364 (insecure library loading) from 7.22.4
+    release.
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sun, 10 Oct 2010 15:11:35 -0400
+
 vips (7.20.7-1) unstable; urgency=low
 
   * New upstream release
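Review bot: The new 7.20.7-2 entry names CVE-2010-3364 but no Debian bug number, although the covering mail identifies this as bug 598296, reported against vips. Adding the reference to the entry (for example "Closes: #598296") would tie the testing upload to the report in the tracker.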
Index: debian/patches/ld-library-path.patch
===================================================================
--- debian/patches/ld-library-path.patch	(.../tags/7.20.7-1)	(revision 0)
+++ debian/patches/ld-library-path.patch	(.../branches/7.20)	(revision 1488)
@@ -0,0 +1,60 @@
+Description: fix to CVE-2010-3364 backported from upstream
+ Prevent insecure prepend to LD_LIBRARY_PATH
+Origin: upstream, backported from 7.22.4
+
+Index: vips-7.20.7/tools/scripts/vips-7.20
+===================================================================
+--- vips-7.20.7.orig/tools/scripts/vips-7.20	2010-10-10 15:07:23.240170610 -0400
++++ vips-7.20.7/tools/scripts/vips-7.20	2010-10-10 15:07:28.867670770 -0400
+@@ -19,6 +19,19 @@
+ 	exit 1
+ fi
+ 
++# prepend a path component to an environment variable
++# be careful to avoid trailing : characters if the var is not defined, they
++# can cause security problems
++function prepend_var () {
++	# we have to use eval to do double indirection, I think
++	eval value="\$$1"
++	if [ "x$value" = x ]; then
++		export $1=$2
++	else 
++		export $1=$2:$value
++	fi
++}
++
+ # try to extract the prefix from a path to an executable
+ # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
+ function find_prefix () {
+@@ -92,25 +105,26 @@
+ export VIPSHOME=$prefix
+ 
+ # add VIPSHOME to man pages
+-export MANPATH=$VIPSHOME/man:$MANPATH
++prepend_var MANPATH $VIPSHOME/man
+ 
+ # add the VIPS lib area to the library path
+ case `uname` in
+ HPUX)
+-	export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
++	libvar=SHLIB_PATH 
+ 	;;
+ 
+ Darwin)
+-	export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
++	libvar=DYLD_LIBRARY_PATH
+ 	;;
+  
+ *)
+-	export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
++	libvar=LD_LIBRARY_PATH
+ 	;;
+ esac
++prepend_var $libvar $VIPSHOME/lib
+ 
+ # add VIPS bin area to path
+-export PATH=$VIPSHOME/bin:$PATH
++prepend_var PATH $VIPSHOME/bin
+ 
+ # run, passing in args we were passed
+ exec $*
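Review bot: In prepend_var, the lines "export $1=$2" and "export $1=$2:$value" expand unquoted, so an existing PATH or MANPATH value that contains whitespace, or a $VIPSHOME with a space in it, is word-split and only the first piece ends up in the variable. Quote the whole assignment word, as in export "$1=$2:$value", and quote the arguments at the call sites, as in prepend_var PATH "$VIPSHOME/bin". The eval on $1 is safe only because every caller passes a fixed variable name; a short comment saying so would help the next person who reuses the function.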
Index: debian/patches/series
===================================================================
--- debian/patches/series	(.../tags/7.20.7-1)	(revision 1488)
+++ debian/patches/series	(.../branches/7.20)	(revision 1488)
@@ -0,0 +1 @@
+ld-library-path.patch
Index: debian/changelog
===================================================================
--- debian/changelog	(.../tags/7.20.7-2)	(revision 1487)
+++ debian/changelog	(.../branches/7.20)	(revision 1487)
@@ -1,3 +1,10 @@
+nip2 (7.20.7-3) testing-proposed-updates; urgency=low
+
+  * Backport fix to CVE-2010-3364 (insecure library loading) from 7.22.3
+    release.
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sun, 10 Oct 2010 15:17:11 -0400
+
 nip2 (7.20.7-2) unstable; urgency=low
 
   * Updated build dependencies: libjpeg62-dev -> libjpeg-dev
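Review bot: urgency=low in the nip2 7.20.7-3 header does not match an entry whose only change is a CVE fix. Consider urgency=medium or high, as is usual for security uploads, or state in the entry why low is intended.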
Index: debian/patches/ld-library-path.patch
===================================================================
--- debian/patches/ld-library-path.patch	(.../tags/7.20.7-2)	(revision 0)
+++ debian/patches/ld-library-path.patch	(.../branches/7.20)	(revision 1487)
@@ -0,0 +1,51 @@
+Description: fix to CVE-2010-3364 backported from upstream
+ Prevent insecure prepend to LD_LIBRARY_PATH
+Origin: upstream, backported from 7.22.3
+
+Index: nip2-7.20.7/src/run-nip2.sh
+===================================================================
+--- nip2-7.20.7.orig/src/run-nip2.sh	2010-10-10 15:16:22.548170830 -0400
++++ nip2-7.20.7/src/run-nip2.sh	2010-10-10 15:16:24.440170867 -0400
+@@ -9,6 +9,19 @@
+ # name we were invoked as
+ bname=`basename $0`
+ 
++# prepend a path component to an environment variable
++# be careful to avoid trailing : characters if the var is not defined, they
++# can cause security problems
++function prepend_var () {
++	# we have to use eval to do double indirection, I think
++	eval value="\$$1"
++	if [ "x$value" = x ]; then
++		export $1=$2
++	else 
++		export $1=$2:$value
++	fi
++}
++
+ # try to extract the prefix from a path to an executable
+ # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
+ function find_prefix () {
+@@ -85,17 +98,18 @@
+ # add the VIPS lib area to the library path
+ case `uname` in
+ HPUX)
+-	export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
++	libvar=SHLIB_PATH 
+ 	;;
+ 
+ Darwin)
+-	export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
++	libvar=DYLD_LIBRARY_PATH
+ 	;;
+- 
++
+ *)
+-	export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
++	libvar=LD_LIBRARY_PATH
+ 	;;
+ esac
++prepend_var $libvar $VIPSHOME/lib
+ 
+ # stop LD_PRELOAD messing up our libraries
+ unset LD_PRELOAD
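Review bot: prepend_var only tests whether the variable is entirely empty ([ "x$value" = x ]), so an inherited LD_LIBRARY_PATH that already begins or ends with ':' or contains '::' is copied through by "export $1=$2:$value" and still carries an empty element, which is the condition the new comment warns about. Consider stripping leading, trailing and doubled colons from $value before prepending. The blank-line change between the Darwin and *) arms is whitespace-only and could be left out of a security backport.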
Index: debian/patches/series
===================================================================
--- debian/patches/series	(.../tags/7.20.7-2)	(revision 1487)
+++ debian/patches/series	(.../branches/7.20)	(revision 1487)
@@ -0,0 +1 @@
+ld-library-path.patch
