vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a zero-length directory name in the LD_LIBRARY_PATH

I feel that this issue requires a CVE to be issued, please refer to a similar bug which had a CVE issued here => https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/930854

I was referring to the issue that would arise by using the upstream patch and not the current issue(for which there is CVE-2010-3387).

Sorry for the confusion.

Zubin,

*If* the patch you showed had been used, yes, it would have introduced a security bug. However, please read the debian bug report completely, where it's pointed out that the fix that leaves the colon in place is wrong and is later addressed. The correct fix is:

-LANG=C LD_LIBRARY_PATH="/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
+LANG=C LD_LIBRARY_PATH="/usr/lib/debug${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \

which is indeed the fix that went in to the debian package in1.6.0-19.1 , and by extension, the natty version. You can see the specific change here:

  http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/25#debian/vdrleaktest

So I'm failing to see where an additional CVE needs to be assigned. Can you please clarify?

Ah, sorry, I'm the one that's confused, I see

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/24#debian/vdrleaktest

now. While it's true that CVE numbers can be assigned for incomplete fixes or fixes that introduce new vulnerabilities, the issue here is minor enough to not bother. But I'll ask for additional opinions on this.

After discussing it with other members of the Ubuntu Security Team, I still believe this does not warrant an addition CVE number, as the buggy version only made it into the Debian and Ubuntu archives briefly and were not included in any formal released version.

However, if you disagree with this opinion, you can always ask for a CVE assignment on the oss-security email list http://oss-security.openwall.org/wiki/mailing-lists/oss-security . Either way, any proposed fix to vdr should include both commits that I listed above.

Oh, as they were not included in any formal released version I too think now that a CVE would be unnecessary. I'll attach a debdiff for the same asap.

Please find attached the debdiff for the same.

Thanks, looks pretty good. The version needs a minor adjustment (ubuntu1.1 rather than 2, see documentation at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging). Would you like to prepare a debdiff for lucid as well? It has the same code and should be entirely straightforward.

Thanks again for helping to improve Ubuntu!

Oh, one more thing I needed to edit with your debdiff; security updates need to be targeted to RELEASE-security instead of just RELEASE, so in this case it needs to be targeted to maverick-security.

This bug was fixed in the package vdr - 1.6.0-18ubuntu1.1

---------------
vdr (1.6.0-18ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a
    zero-length directory name in the LD_LIBRARY_PATH, which allows local users
    to gain privileges via a Trojan horse shared library in the current working
    directory. (LP: #930700)
    - http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/24#debian/vdrleaktest
      and
      http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/25#debian/vdrleaktest
    - debian/vdrtestleak: changed to set LD_LIBRARY_PATH securely
    - CVE-2010-3387
 -- Zubin Mithra <email address hidden> Tue, 14 Feb 2012 10:38:34 -0800