Your message dated Sun, 19 Dec 2010 14:33:30 +0000
with message-id <[email protected]>
and subject line Bug#606151: fixed in nordugrid-arc-nox 1.1.0~rc6-2.1
has caused the Debian Bug report #606151,
regarding nordugrid-arc-nox-arex: CVE-2010-3372: insecure library loading
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
606151: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nordugrid-arc-nox-arex
Version: 1.1.0~rc6-2+b1
Severity: grave
Tags: security
User: [email protected]
Usertags: ldpath
Hello,
During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.
Vulnerable code follows:
/etc/init.d/a-rex line 281:
LD_LIBRARY_PATH=$ARC_LOCATION/lib:$LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory that a potential
local attacker can write files to, there's a chance to exploit this
bug.
This vulnerability has been assigned the CVE id CVE-2010-3372. Please make
sure you mention it when fixing this bug.
You should coordinate with the release team in order to fix this bug
for Squeeze.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3372
[1] http://security-tracker.debian.org/tracker/CVE-2010-3372
Sincerely,
Raphael Geissert
--- End Message ---
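The empty-item case described in the report above, as an added shell example (not code from the nordugrid-arc-nox package or its upstream patch). The helper names `has_empty_entry`, `prepend_unsafe`, `prepend_safe` and `strip_empty`, the `/usr` prefix and the sample values are assumptions made for the demonstration; it also covers an inherited value that already carries an empty item.

```shell
#!/bin/sh
# Added example with constructed values; not taken from /etc/init.d/a-rex.

# Return 0 if the colon-separated list in $1 contains an empty item
# (leading ':', trailing ':' or '::'), the case the report says ld.so
# treats as the current working directory.
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;   # empty value: no list items at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Drop empty items from a colon-separated list.
strip_empty() {
    printf '%s\n' "$1" | sed -e 's/::*/:/g' -e 's/^://' -e 's/:$//'
}

# Pattern from the report: the ':' is emitted even if the old value is empty.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Hardened form: clean the inherited value first, then let ${var:+:$var}
# add the separator only when something is left to append.
prepend_safe() {
    _old=$(strip_empty "$2")
    printf '%s\n' "$1${_old:+:$_old}"
}

ARC_LOCATION=/usr   # assumed install prefix for this demo
for old in "" "/opt/lib" "/opt/lib:"; do
    for fn in prepend_unsafe prepend_safe; do
        new=$($fn "$ARC_LOCATION/lib" "$old")
        if has_empty_entry "$new"; then
            verdict="empty item: CWD would be searched"
        else
            verdict="ok"
        fi
        printf '%-15s old=%-11s new=%-20s %s\n' "$fn" "'$old'" "$new" "$verdict"
    done
done
```

`has_empty_entry` can also be pointed at the value a wrapper or init script exports just before it starts a daemon, as a pre-flight check.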
--- Begin Message ---
Source: nordugrid-arc-nox
Source-Version: 1.1.0~rc6-2.1
We believe that the bug you reported is fixed in the latest version of
nordugrid-arc-nox, which is due to be installed in the Debian FTP archive:
nordugrid-arc-nox-arex_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-arex_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-charon_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-charon_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-client_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-client_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-compiler_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-compiler_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-dbg_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-dbg_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-delegation_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-delegation_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-dev_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-dev_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-doc_1.1.0~rc6-2.1_all.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-doc_1.1.0~rc6-2.1_all.deb
nordugrid-arc-nox-hed_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-hed_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-hopi_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-hopi_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-isis_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-isis_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-janitor_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-janitor_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-java_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-java_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-paul_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-paul_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-plugins-base_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-plugins-base_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-plugins-globus_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-plugins-globus_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-python_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-python_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-saml2sp_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-saml2sp_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox-slcs_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox-slcs_1.1.0~rc6-2.1_amd64.deb
nordugrid-arc-nox_1.1.0~rc6-2.1.debian.tar.gz
to main/n/nordugrid-arc-nox/nordugrid-arc-nox_1.1.0~rc6-2.1.debian.tar.gz
nordugrid-arc-nox_1.1.0~rc6-2.1.dsc
to main/n/nordugrid-arc-nox/nordugrid-arc-nox_1.1.0~rc6-2.1.dsc
nordugrid-arc-nox_1.1.0~rc6-2.1_amd64.deb
to main/n/nordugrid-arc-nox/nordugrid-arc-nox_1.1.0~rc6-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonathan Wiltshire <[email protected]> (supplier of updated nordugrid-arc-nox
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 18 Dec 2010 13:36:49 +0000
Source: nordugrid-arc-nox
Binary: nordugrid-arc-nox nordugrid-arc-nox-client nordugrid-arc-nox-hed
nordugrid-arc-nox-charon nordugrid-arc-nox-hopi nordugrid-arc-nox-isis
nordugrid-arc-nox-compiler nordugrid-arc-nox-delegation nordugrid-arc-nox-paul
nordugrid-arc-nox-saml2sp nordugrid-arc-nox-slcs nordugrid-arc-nox-arex
nordugrid-arc-nox-plugins-base nordugrid-arc-nox-plugins-globus
nordugrid-arc-nox-dev nordugrid-arc-nox-python nordugrid-arc-nox-java
nordugrid-arc-nox-doc nordugrid-arc-nox-janitor nordugrid-arc-nox-dbg
Architecture: source amd64 all
Version: 1.1.0~rc6-2.1
Distribution: unstable
Urgency: high
Maintainer: Anders Waananen <[email protected]>
Changed-By: Jonathan Wiltshire <[email protected]>
Description:
nordugrid-arc-nox - ARC grid middleware
nordugrid-arc-nox-arex - ARC Remote EXecution service
nordugrid-arc-nox-charon - ARC Charon service
nordugrid-arc-nox-client - ARC prototype clients
nordugrid-arc-nox-compiler - ARC compiler service
nordugrid-arc-nox-dbg - ARC grid middleware - Debug Symbols
nordugrid-arc-nox-delegation - ARC delegation service
nordugrid-arc-nox-dev - ARC development files
nordugrid-arc-nox-doc - ARC API documentation
nordugrid-arc-nox-hed - ARC Hosting Environment Daemon
nordugrid-arc-nox-hopi - ARC Hopi service
nordugrid-arc-nox-isis - ARC Isis service
nordugrid-arc-nox-janitor - ARC dynamic runtime environment installation
nordugrid-arc-nox-java - ARC Java wrapper
nordugrid-arc-nox-paul - ARC paul service
nordugrid-arc-nox-plugins-base - ARC base plugins
nordugrid-arc-nox-plugins-globus - ARC Globus plugins
nordugrid-arc-nox-python - ARC Python wrapper
nordugrid-arc-nox-saml2sp - ARC saml2sp service
nordugrid-arc-nox-slcs - ARC slcs service
Closes: 606151
Changes:
nordugrid-arc-nox (1.1.0~rc6-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* CVE-2010-3372: Fix insecure library loading. Patch
cherry-picked from upstream (closes: #606151)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---