Bug#600667: marked as done (eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path)

Sat, 26 Feb 2011 02:33:22 -0800 

Your message dated Sat, 26 Feb 2011 11:30:41 +0100
with message-id <20110226103041.gc24...@hall.aurel32.net>
and subject line Re: Bug#600667: Fw: re: eglibc: cve-2010-3847 dynamic linker 
expands $ORIGIN in setuid library search path
has caused the Debian Bug report #600667,
regarding eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid 
library search path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
600667: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
package: eglibc
version: 2.11.2-6
severity: grave
tag: patch

an issue has been disclosed in eglibc.  see:
http://seclists.org/fulldisclosure/2010/Oct/257

patch available:
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html

best wishes,
mike

--- End Message ---
--- Begin Message --- 
On Mon, Feb 07, 2011 at 01:17:54AM +0100, Aurelien Jarno wrote:
> On Tue, Feb 01, 2011 at 09:19:53PM -0500, Michael Gilbert wrote:
> > reopen 600667
> > thanks
> > 
> > Maybe I'm reading things wrong, or maybe Mitre's information is
> > actually incorrect, but it looks like the fixes claimed for
> > CVE-2010-3847 in 2.11.2-8 actually address CVE-2010-3856 [0] instead.
> > It looks like CVE-2010-3847 [1] is still unfixed.  The original fix in
> > -7 may have been correct to begin with?
> > 
> 
> We have removed the fix in -7 because:
> - it has been removed in the new upload to lenny
> - it never went upstream.
> 
> It has been replaced by this commit instead:
> http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html
> 
> So I don't think there is any security issue left with the current 
> patch set.
> 

Given I have got no answer, I guess everybody agrees the bug is really
fixed. Closing it.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net

--- End Message ---

Reply via email to