Your message dated Sun, 24 Oct 2010 06:02:07 +0000
with message-id <e1p9teh-0007pr...@franck.debian.org>
and subject line Bug#598299: fixed in mono-debugger 2.6.3-2.1
has caused the Debian Bug report #598299,
regarding mono-debugger: CVE-2010-3369: insecure library loading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
598299: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598299
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mono-debugger
Version: 2.4.3-2
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/mdb-symbolreader line 2:
export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"
/usr/bin/mdb line 2:
export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3369. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3369
[1] http://security-tracker.debian.org/tracker/CVE-2010-3369

Sincerely,
Raphael Geissert



--- End Message ---
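An added example, not code from Raphael's report or from the mono-debugger package: it contrasts the wrapper's `"/usr/lib:${LD_LIBRARY_PATH}"` construction with the `${VAR:+:$VAR}` form that cannot produce an empty element, checks a search path for empty elements the way ld.so would see them, and scans a constructed sample wrapper for the unguarded pattern (the grep pattern and the sample script are assumptions for illustration).

```shell
#!/bin/sh
# Added example, not from the Debian report or the mono-debugger package.
# Shows why `export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"` is unsafe
# when LD_LIBRARY_PATH is unset or empty, a corrected form, and a scan that
# flags the pattern in wrapper scripts.

# Construction used by the vulnerable mdb / mdb-symbolreader wrappers.
# With an unset variable this yields "/usr/lib:", a trailing empty element.
vulnerable_ldpath() {
    printf '%s' "/usr/lib:${1}"
}

# Corrected construction: separator and old value are appended only when
# the old value is non-empty, so no empty element can appear.
fixed_ldpath() {
    printf '%s' "/usr/lib${1:+:$1}"
}

# Exit 0 if a colon-separated search path has an empty element: leading or
# trailing colon, doubled colon, or an entirely empty value. ld.so resolves
# each such element to the current working directory.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print "line:text" for every assignment in a script that appends the old
# LD_LIBRARY_PATH after a colon without the ${VAR:+...} guard (approximation).
scan_script() {
    grep -nE 'LD_LIBRARY_PATH=.*:\$\{?LD_LIBRARY_PATH\}?' "$1" | grep -v ':+' || true
}

# Constructed sample wrapper (hypothetical) with one unsafe and one safe line.
make_sample_script() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh
export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH="/usr/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
exec /path/to/real/program "$@"
EOF
    printf '%s' "$f"
}

# Demo: compare both constructions with an empty LD_LIBRARY_PATH, then scan.
for p in "$(vulnerable_ldpath '')" "$(fixed_ldpath '')"; do
    if has_empty_element "$p"; then echo "UNSAFE: '$p'"; else echo "ok: '$p'"; fi
done
sample=$(make_sample_script); scan_script "$sample"; rm -f "$sample"
```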
--- Begin Message ---
Source: mono-debugger
Source-Version: 2.6.3-2.1

We believe that the bug you reported is fixed in the latest version of
mono-debugger, which is due to be installed in the Debian FTP archive:

mono-debugger_2.6.3-2.1.diff.gz
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1.diff.gz
mono-debugger_2.6.3-2.1.dsc
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1.dsc
mono-debugger_2.6.3-2.1_i386.deb
  to main/m/mono-debugger/mono-debugger_2.6.3-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aa...@cante.net> (supplier of updated mono-debugger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 Oct 2010 13:01:07 +0300
Source: mono-debugger
Binary: mono-debugger
Architecture: source i386
Version: 2.6.3-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian Mono Group <pkg-mono-gr...@lists.alioth.debian.org>
Changed-By: Jari Aalto <jari.aa...@cante.net>
Description: 
 mono-debugger - Debugger for Mono
Closes: 598299
Changes: 
 mono-debugger (2.6.3-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/patches
     - (CVE-*): New patch. Fix CVE-2010-3369 insecure library loading
       (grave, security; Closes: #598299).




--- End Message ---