Re: Bug#598309: Security unblock requests (ust/0.7-2.1)

To: Julien Cristau <jcristau@debian.org>, 598309@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
Subject: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
From: Jon Bernard <jbernard@debian.org>
Date: Wed, 1 Dec 2010 12:35:00 -0500
Message-id: <[🔎] 20101201173457.GA12435@starquasia>
Mail-followup-to: Julien Cristau <jcristau@debian.org>, 598309@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Jari Aalto <jari.aalto@cante.net>, debian-release@lists.debian.org
In-reply-to: <[🔎] 20101201170740.GV5063@radis.liafa.jussieu.fr>
References: <slrnibp0d1.39n.jmm@inutil.org> <slrnibuko1.290.jmm@inutil.org> <slrnic5lo0.2i9.jmm@inutil.org> <20101023131320.GS3167@radis.liafa.jussieu.fr> <87iq0fxr4f.fsf_-_@picasso.cante.net> <20101115184714.GB31998@inutil.org> <20101115221320.GA13388@starquasia> <20101117205109.GC3581@galadriel.inutil.org> <[🔎] 20101201165157.GB11972@starquasia> <[🔎] 20101201170740.GV5063@radis.liafa.jussieu.fr>

* Julien Cristau <jcristau@debian.org> wrote:
> On Wed, Dec  1, 2010 at 11:52:00 -0500, Jon Bernard wrote:
> 
> > diff -Nru ust-0.5/debian/changelog ust-0.5/debian/changelog
> > --- ust-0.5/debian/changelog	2010-07-02 11:34:52.000000000 -0400
> > +++ ust-0.5/debian/changelog	2010-11-30 21:23:43.000000000 -0500
> > @@ -1,3 +1,9 @@
> > +ust (0.5-1+squeeze1) testing; urgency=low
> > +
> > +  * Backport upstream fix for CVE-2010-3386 (Bug #598309)
> 
> You should close the bug in the changelog.

Good call, I'll s/Bug/Closes:/ in the upload.

> > +
> > + -- Jon Bernard <jbernard@debian.org>  Tue, 30 Nov 2010 21:21:25 -0500
> > +
> >  ust (0.5-1) unstable; urgency=low
> >  
> >    * [79cd16] Imported Upstream version 0.5
> > diff -Nru ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch
> > --- ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	1969-12-31 19:00:00.000000000 -0500
> > +++ ust-0.5/debian/patches/0001-Backport-upstream-fix-for-CVE-2010-3386-Bug-598309.patch	2010-11-30 21:23:43.000000000 -0500
> > @@ -0,0 +1,84 @@
> > +From: Jon Bernard <jbernard@debian.org>
> > +Date: Tue, 30 Nov 2010 13:40:04 -0500
> > +Subject: [PATCH] Backport upstream fix for CVE-2010-3386 (Bug #598309)
> > +
> > +When there's an empty item on the colon-separated list of
> > +LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given
> > +script (usttrace) is executed from a directory where a potential, local,
> > +attacker can write files to, there's a chance to exploit this bug.
> > +
> > +This patch was applied upstream in version 0.8.
> > +---
> > + usttrace |   47 +++++++++++++++++++++++++++++++++++++----------
> > + 1 files changed, 37 insertions(+), 10 deletions(-)
> > +
> > +diff --git a/usttrace b/usttrace
> > +index dc159f2..5fdb52f 100755
> > +--- a/usttrace
> > ++++ b/usttrace
> > +@@ -132,27 +132,54 @@ fi
> > + 
> > +     if [ "$arg_preload_libust" = "1" ];
> > +     then
> > +-	if [ -n "${LIBUST_PATH%libust.so}" ] ; then
> > +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	if [ -n "${LIBUST_PATH%libust.so}" ];
> > ++	then
> > ++		if [ -n "$LD_LIBRARY_PATH" ];
> > ++		then
> > ++			export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++		else
> > ++			export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> > ++		fi
> > ++	fi
> > ++	if [ -n "$LIBUST_PATH" ];
> > ++	then
> > ++		if [ -n "$LD_PRELOAD" ];
> > ++		then
> > ++			export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> > ++		else
> > ++			export LD_PRELOAD="$LIBUST_PATH"
> > ++		fi
> > + 	fi
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBUST_PATH"
> > +     fi
> > + 
> > +-    if [ "$arg_ld_std_ust" = "1" ];
> > ++    if [ "$arg_ld_std_ust" = "1" ] && [ -n "${LIBUST_PATH%libust.so}" ];
> > +     then
> > +-	if [ -n "$${LIBUST_PATH%libust.so}" ] ; then
> > +-	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	if [ -n "$LD_LIBRARY_PATH" ];
> > ++	then
> > ++		export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
> > ++	else
> > ++		export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
> > + 	fi
> > +     fi
> > + 
> > +-    if [ "$arg_preload_malloc" = "1" ];
> > ++    if [ "$arg_preload_malloc" = "1" ] && [ -n "$LIBMALLOCWRAP_PATH" ];
> > +     then
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> > ++	if [ -n "$LD_PRELOAD" ];
> > ++	then
> > ++		export LD_PRELOAD="$LD_PRELOAD:$LIBMALLOCWRAP_PATH"
> > ++	else
> > ++		export LD_PRELOAD="$LIBMALLOCWRAP_PATH"
> > ++	fi
> > +     fi
> > + 
> > +-    if [ "$arg_preload_fork" = "1" ];
> > ++    if [ "$arg_preload_fork" = "1" ] && [ -n "$LIBINTERFORK_PATH" ];
> > +     then
> > +-	export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> > ++	if [ -n "$LD_PRELOAD" ];
> > ++	then
> > ++		export LD_PRELOAD="$LD_PRELOAD:$LIBINTERFORK_PATH"
> > ++	else
> > ++		export LD_PRELOAD="$LIBINTERFORK_PATH"
> > ++	fi
> > +     fi
> > + 
> > + # Execute the command
> > +-- 
> 
> The patch seems overly complicated, but I guess if that's what upstream
> went with it's ok...
> (e.g. LIBUST_PATH, LIBINTERFORK_PATH and LIBMALLOCWRAP_PATH can never be
> empty, as far as I can tell)

Yes, I agree. My thinking is that if another issue arises with the
package, at least it will contain code that upstream is familiar with.

Otherwise, no objections to upload?

-- 
Jon

Reply to:

Follow-Ups:
- Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
  - From: Julien Cristau <jcristau@debian.org>

References:
- Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
  - From: Jon Bernard <jbernard@debian.org>
- Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Bug#605598: unblock: iso-codes/3.23-1
Next by Date: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Previous by thread: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Next by thread: Re: Bug#598309: Security unblock requests (ust/0.7-2.1)
Index(es):
- Date
- Thread