backport of CVE-2010-3364 to vips/nip2 in stable
The security team is not interested in doing a DSA to fix the
CVE-2010-3364, but since I already prepared a diff for stable, maybe
you'd be interested in including it in a stable point release. Though
actually, this is not really an important fix since there's no reason
for a debian user to ever run these wrapper scripts. Their main goal is
to allow running vips or nip2 when relocated to a non-standard
location. So it wouldn't offend me at all if you just decided to
disregard the change for stable and testing.
--
Jay Berkenbilt <qjb@debian.org>
diff -urN ../vips-7.14.5.orig/debian/changelog ./debian/changelog
--- ../vips-7.14.5.orig/debian/changelog 2010-10-10 15:32:50.000000000 -0400
+++ ./debian/changelog 2010-10-10 15:36:53.353465606 -0400
@@ -1,3 +1,10 @@
+vips (7.14.5-2) stable-proposed-updates; urgency=low
+
+ * Backport fix to CVE-2010-3364 (insecure library loading) from 7.22.4
+ release.
+
+ -- Jay Berkenbilt <qjb@debian.org> Sun, 10 Oct 2010 15:36:22 -0400
+
vips (7.14.5-1) unstable; urgency=low
* New upstream release
diff -urN ../vips-7.14.5.orig/debian/patches/ld-library-path.patch ./debian/patches/ld-library-path.patch
--- ../vips-7.14.5.orig/debian/patches/ld-library-path.patch 1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/ld-library-path.patch 2010-10-10 15:35:08.762072426 -0400
@@ -0,0 +1,60 @@
+Description: fix to CVE-2010-3364 backported from upstream
+ Prevent insecure prepend to LD_LIBRARY_PATH
+Origin: upstream, backported from 7.22.4
+
+Index: vips-7.14.5/src/scripts/vips-7.14
+===================================================================
+--- vips-7.14.5.orig/src/scripts/vips-7.14 2010-10-10 15:34:26.020170847 -0400
++++ vips-7.14.5/src/scripts/vips-7.14 2010-10-10 15:34:40.320170570 -0400
+@@ -19,6 +19,19 @@
+ exit 1
+ fi
+
++# prepend a path component to an environment variable
++# be careful to avoid trailing : characters if the var is not defined, they
++# can cause security problems
++function prepend_var () {
++ # we have to use eval to do double indirection, I think
++ eval value="\$$1"
++ if [ "x$value" = x ]; then
++ export $1=$2
++ else
++ export $1=$2:$value
++ fi
++}
++
+ # try to extract the prefix from a path to an executable
+ # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
+ function find_prefix () {
+@@ -92,25 +105,26 @@
+ export VIPSHOME=$prefix
+
+ # add VIPSHOME to man pages
+-export MANPATH=$VIPSHOME/man:$MANPATH
++prepend_var MANPATH $VIPSHOME/man
+
+ # add the VIPS lib area to the library path
+ case `uname` in
+ HPUX)
+- export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
++ libvar=SHLIB_PATH
+ ;;
+
+ Darwin)
+- export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
++ libvar=DYLD_LIBRARY_PATH
+ ;;
+
+ *)
+- export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
++ libvar=LD_LIBRARY_PATH
+ ;;
+ esac
++prepend_var $libvar $VIPSHOME/lib
+
+ # add VIPS bin area to path
+-export PATH=$VIPSHOME/bin:$PATH
++prepend_var PATH $VIPSHOME/bin
+
+ # run, passing in args we were passed
+ exec $*
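Review bot: prepend_var at lines 44-52 leaves every expansion unquoted — `eval value="\$$1"`, `export $1=$2` and `export $1=$2:$value` — so a prefix containing whitespace or glob characters is word-split or globbed before it is exported, and the eval is only safe because every caller passes a literal variable name. The empty-value branch does address the trailing-colon problem the CVE describes; I would keep that behaviour but make the assignment a single quoted line, `export "$1=$2${value:+:$value}"`, and since the script already relies on the bash `function` keyword, replace the eval with `value=${!1}`. The same helper is added verbatim in the nip2 patch at lines 126-134 and should get the same treatment. `exec $*` on the last line of this hunk is pre-existing context but also word-splits the wrapped command's arguments; `exec "$@"` preserves them.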
diff -urN ../vips-7.14.5.orig/debian/patches/series ./debian/patches/series
--- ../vips-7.14.5.orig/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/series 2010-10-10 15:34:05.600170527 -0400
@@ -0,0 +1 @@
+ld-library-path.patch
diff -urN ../nip2-7.14.5.orig/debian/changelog ./debian/changelog
--- ../nip2-7.14.5.orig/debian/changelog 2010-10-10 15:38:26.000000000 -0400
+++ ./debian/changelog 2010-10-10 15:40:26.647913776 -0400
@@ -1,3 +1,10 @@
+nip2 (7.14.5-2) stable-proposed-updates; urgency=low
+
+ * Backport fix to CVE-2010-3364 (insecure library loading) from 7.22.3
+ release.
+
+ -- Jay Berkenbilt <qjb@debian.org> Sun, 10 Oct 2010 15:40:14 -0400
+
nip2 (7.14.5-1) unstable; urgency=low
* New upstream release
diff -urN ../nip2-7.14.5.orig/debian/patches/ld-library-path.patch ./debian/patches/ld-library-path.patch
--- ../nip2-7.14.5.orig/debian/patches/ld-library-path.patch 1969-12-31 19:00:00.000000000 -0500
+++ ./debian/patches/ld-library-path.patch 2010-10-10 15:39:48.715671279 -0400
@@ -0,0 +1,51 @@
+Description: fix to CVE-2010-3364 backported from upstream
+ Prevent insecure prepend to LD_LIBRARY_PATH
+Origin: upstream, backported from 7.22.3
+
+Index: nip2-7.14.5/src/run-nip2.sh
+===================================================================
+--- nip2-7.14.5.orig/src/run-nip2.sh 2010-10-10 15:39:23.828170994 -0400
++++ nip2-7.14.5/src/run-nip2.sh 2010-10-10 15:39:26.175670664 -0400
+@@ -9,6 +9,19 @@
+ # name we were invoked as
+ bname=`basename $0`
+
++# prepend a path component to an environment variable
++# be careful to avoid trailing : characters if the var is not defined, they
++# can cause security problems
++function prepend_var () {
++ # we have to use eval to do double indirection, I think
++ eval value="\$$1"
++ if [ "x$value" = x ]; then
++ export $1=$2
++ else
++ export $1=$2:$value
++ fi
++}
++
+ # try to extract the prefix from a path to an executable
+ # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
+ function find_prefix () {
+@@ -85,17 +98,18 @@
+ # add the VIPS lib area to the library path
+ case `uname` in
+ HPUX)
+- export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
++ libvar=SHLIB_PATH
+ ;;
+
+ Darwin)
+- export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
++ libvar=DYLD_LIBRARY_PATH
+ ;;
+-
++
+ *)
+- export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
++ libvar=LD_LIBRARY_PATH
+ ;;
+ esac
++prepend_var $libvar $VIPSHOME/lib
+
+ # stop LD_PRELOAD messing up our libraries
+ unset LD_PRELOAD
diff -urN ../nip2-7.14.5.orig/debian/patches/series ./debian/patches/series
--- ../nip2-7.14.5.orig/debian/patches/series 2010-10-10 15:38:26.000000000 -0400
+++ ./debian/patches/series 2010-10-10 15:38:55.324170927 -0400
@@ -1 +1,2 @@
+ld-library-path.patch
desktop.patch