Ubuntu
bareftp package

please update from 0.3.4-1 to 0.3.4-1.1 from Debian (unstable)

Bug #658997 reported by David Sugar
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bareftp (Ubuntu)
Fix Released
Low
Unassigned
Lucid
Fix Released
Low
Unassigned
Maverick
Fix Released
Low
Unassigned
Natty
Fix Released
Low
Unassigned

Bug Description

Binary package hint: bareftp

There is a local exploit identified as release critical from Debian based on overriding LD_LIBRARY_PATH (http://bugs.debian.org/598284). We do not carry any patch for this package, and the only change from -1 to -1.1 is explicitly for this vulnerability. 0.3.4-1.1 does build on Maverick.

http://security-tracker.debian.org/tracker/CVE-2010-3350

Tags: maverick
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Marc Deslauriers (mdeslaur)
Changed in bareftp (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Stefan Ebner (sebner) wrote :

Upgrade, fresh-install works fine. Application works after the upgrade/fresh-install without problems. (Sorry for the logs being in german)

meteyou@meteyou-G2SV:~/Desktop$ sudo dpkg -i bareftp_0.3.4-1.1ubuntu0.1_i386.deb
(Lese Datenbank ... 203833 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereiten zum Ersetzen von bareftp 0.3.4-1 (durch bareftp_0.3.4-1.1ubuntu0.1_i386.deb) ...
Entpacke Ersatz für bareftp ...
Richte bareftp ein (0.3.4-1.1ubuntu0.1) ...
Verarbeite Trigger für hicolor-icon-theme ...
Verarbeite Trigger für man-db ...
Verarbeite Trigger für bamfdaemon ...
Rebuilding /usr/share/applications/bamf.index...
Verarbeite Trigger für desktop-file-utils ...
Verarbeite Trigger für python-gmenu ...
Rebuilding /usr/share/applications/desktop.de_AT.utf8.cache...
Verarbeite Trigger für python-support ...

and

meteyou@meteyou-G2SV:~/Desktop$ sudo dpkg -i bareftp_0.3.4-1.1ubuntu0.1_i386.deb
Wähle vormals abgewähltes Paket bareftp.
(Lese Datenbank ... 203795 Dateien und Verzeichnisse sind derzeit installiert.)
Entpacke bareftp (aus bareftp_0.3.4-1.1ubuntu0.1_i386.deb) ...
Richte bareftp ein (0.3.4-1.1ubuntu0.1) ...
Verarbeite Trigger für hicolor-icon-theme ...
Verarbeite Trigger für man-db ...
Verarbeite Trigger für bamfdaemon ...
Rebuilding /usr/share/applications/bamf.index...
Verarbeite Trigger für desktop-file-utils ...
Verarbeite Trigger für python-gmenu ...
Rebuilding /usr/share/applications/desktop.de_AT.utf8.cache...
Verarbeite Trigger für python-support ...

Revision history for this message
Stefan Ebner (sebner) wrote :

Attaching buildlog too.

Revision history for this message
Stefan Ebner (sebner) wrote :

Actually diff between 0.3.4-1 and 0.3.4-1.1ubuntu0.1

Clint Byrum (clint-fewbar)
tags: added: maverick
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

So, this looks like it is only for maverick, and I've nominated it as such.

Tested building in a maverick-amd64 chroot, works.

Just one nit pick, the line says

    make sure LD_LIBRARY_PATH is always set to bareftp' standard library path

looks like its missing an s, should be

    make sure LD_LIBRARY_PATH is always set to bareftp's standard library path

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

In addition to the grammar error, the version is incorrect and the changelog does not follow https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. In the interest of time, I will fix this up and upload.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Natty has 0.3.7-1, which is not affected.

Changed in bareftp (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in bareftp (Ubuntu Lucid):
status: New → In Progress
Changed in bareftp (Ubuntu Maverick):
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in bareftp (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in bareftp (Ubuntu Maverick):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand)
Changed in bareftp (Ubuntu Lucid):
importance: Undecided → Low
Changed in bareftp (Ubuntu Maverick):
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bareftp - 0.3.4-1ubuntu0.1

---------------
bareftp (0.3.4-1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: Insecure library loading (LP: #658997)
  - bareftp.in: make sure LD_LIBRARY_PATH is always set to bareftp's standard
    library path. Patch thanks to Stefan Ebner.
  - CVE-2010-3350
 -- Jamie Strandboge <email address hidden> Thu, 16 Dec 2010 15:27:47 -0600

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bareftp - 0.3.1-1ubuntu1.2

---------------
bareftp (0.3.1-1ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: Insecure library loading (LP: #658997)
  - bareftp.in: make sure LD_LIBRARY_PATH is always set to bareftp's standard
    library path. Patch thanks to Stefan Ebner.
  - CVE-2010-3350
 -- Jamie Strandboge <email address hidden> Thu, 16 Dec 2010 15:27:03 -0600

Changed in bareftp (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in bareftp (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.