On Mon, Oct 4, 2010 at 14:26:26 -0700, John Stamp wrote:
> Hello,
>
> Bug#598294: lastfm: CVE-2010-3362: insecure library loading also affects
> the version in stable. I notified the security team, but Moritz told me
> that this does not warrant a DSA. He suggested that I instead get this
> fixed through a stable point update.
>
> The proposed diff is below:
>
> diff --git a/debian/changelog b/debian/changelog
> index 857c175..dce2413 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +lastfm (1:1.5.1.31879.dfsg-1+lenny1) stable-security; urgency=high
> +
> + * Fix CVE-2010-3362: insecure library loading
> +
> + -- John Stamp <jstamp@users.sourceforge.net> Thu, 30 Sep 2010 15:39:42 -0700
> +
> lastfm (1:1.5.1.31879.dfsg-1) unstable; urgency=low
>
> * New upstream.
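Review bot: the header line of the new changelog entry targets `stable-security`, which does not match the plan stated in the message to fix this through a stable point update rather than a DSA. The distribution field should read `stable`. The bullet could also cite the bug named in the message, for example `(Closes: #598294)`, so the entry is tied to the report.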
> diff --git a/debian/lastfm.sh b/debian/lastfm.sh
> index 34a2487..aef3654 100644
> --- a/debian/lastfm.sh
> +++ b/debian/lastfm.sh
> @@ -1,5 +1,5 @@
> #!/bin/sh
>
> RUNDIR="/usr/lib/lastfm"
> -export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}"
> +export LD_LIBRARY_PATH="${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> exec "${RUNDIR}/last.fm" "$@"
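Review bot: the new `export` line still appends an inherited `LD_LIBRARY_PATH` verbatim, so an empty element already present in it (a leading or trailing colon, or `::`) would still be passed to the loader and read as the current directory. The `:+` expansion only covers the unset or empty case. If that is the intended scope, a one-line comment above the export saying why the `:+` form is used would keep it from being simplified back to the old `"${RUNDIR}:${LD_LIBRARY_PATH}"`. As a minor style point, `$LD_LIBRARY_PATH` inside the expansion could be braced to match `${RUNDIR}`.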
>
> Is this OK to upload?
>
The changelog should say 'stable' rather than 'stable-security'. Other
than this, please go ahead.
Cheers,
Julien