lintian: CVE-2013-1429 - path traversal/information disclosure

Bug #1169636 reported by Niels Thykier on 2013-04-16
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Lintian
Fix Released
Unknown
lintian (Ubuntu)
Undecided
Unassigned

Bug Description

An "unimportant" security vulnerabilities have been found in Lintian.

In short, using crafted packages an attacker could have Lintian leak
information about the "host" system provided the raw log is available.

Fixes available in 2.5.10.5 and 2.5.12.

(Reference: http://bugs.debian.org/705553)

CVE References

information type: Private Security → Public Security
Niels Thykier (niels-thykier) wrote :

Attached is a tarball containing a set of patches for fixing this in 2.5.6.

For Lintian 2.5.10.X, the patches can be pulled from upstream's git repository via:
  git show 2.5.10.4..2.5.10.5

For Lintian 2.5.11:
  git show a5680cc4f7ca733f83a16c9bff0e0fa10525c46e..751dee4653e5960ca03f3164c15bb849a85fc976

For Lintian 2.4.3:
  git show 8a6f1682051c39ecc0088acb194ea7754b23a553..ddd524862684bbbc3b6c045b400dd7e5767c5935

~Niels

Changed in lintian:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (17.2 KiB)

This bug was fixed in the package lintian - 2.5.12ubuntu1

---------------
lintian (2.5.12ubuntu1) saucy; urgency=low

  * Sync from Debian experimental and drop all previous Ubuntu changes,
    applied upstream. (LP: #1173896)
    - Fixes CVE-2013-1429: path traversal/information disclosure.
      (LP: #1169636)
  * Cherry-pick from upstream:
    - vendors/ubuntu/main/data/changes-file/known-dists:
      + [NT] Add "saucy" as known Ubuntu distribution. Thanks to
        Iain Lane for the report.

lintian (2.5.12) experimental; urgency=medium

  * Summary of tag changes:
    + Added:
      - ambiguous-paragraph-in-dep5-copyright
      - binary-file-built-without-LFS-support
      - debian-tests-control-is-not-a-regular-file
      - debian-tests-control-uses-national-encoding
      - debug-file-with-no-debug-symbols
      - desktop-entry-lacks-keywords-entry
      - dir-or-file-in-build-tree
      - dir-or-file-in-etc-opt
      - dir-or-file-in-home
      - file-name-is-not-valid-UTF-8
      - font-adobe-copyrighted-fragment-no-credit
      - font-package-not-multi-arch-foreign
      - illegal-runtime-test-name
      - inconsistent-testsuite-field
      - license-problem-gfdl-invariants
      - license-problem-gfdl-invariants-empty
      - menu-icon-uses-relative-path
      - missing-runtime-test-file
      - missing-runtime-tests-field
      - package-contains-broken-symlink-wildcard
      - package-contains-unsafe-symlink
      - runtime-test-file-is-not-a-regular-file
      - source-contains-unsafe-symlink
      - unknown-runtime-tests-feature
      - unknown-runtime-tests-field
      - unknown-runtime-tests-restriction
      - unknown-testsuite
      - vcs-field-bitrotted
      - vcs-git-uses-invalid-user-uri
      - zip-parse-error
    + Removed:
      - unneeded-build-dep-on-quilt

  * checks/*:
    + [NT] Avoid following unsafe symlinks. (CVE-2013-1429)
  * checks/binaries{,.desc}:
    + [NT] Accept libx32 as a bi-arch directory.
    + [NT] Correct reference policy reference. Thanks to
      Samuel Bronson for the correction. (Closes: #698234)
    + [NT] Detect debug ELF binaries with no debug symbols.
      Thanks to Nelson A. de Oliveira for the report.
      (Closes: #668437)
    + [NT] Check for binaries built without LFS. This can
      only be checked for 32bit binaries as 64bit binaries
      have LFS by definition. Thanks to Guillem Jover for
      the report and patches. (Closes: #670963)
    + [NT] Apply patch from Samuel Bronson to bump severity
      (but decrease certainty) of the "not linked against
      libc" tags. (Closes: #698720)
  * checks/copyright:
    + [NT] Apply patch from Evgeni Golov to avoid false
      positive tag when the MPL-2.0 license appears in the
      copyright file. (See #626454)
  * checks/cruft{,.desc}:
    + [NT] Do not emit the license-problem-json-evil tag for
      non-free packages.
    + [NT] Apply patch from Bastien Roucariès to catch GFDL
      licenses with invariants (etc.). (Closes: #695967)
    + [NT] Correct description of an autotools tag. Thanks
      to Alberto Garcia and Timo Juhani Lindfors for the
      report and patch. (Closes: #703490)
    + [NT] Check for unsafe...

Changed in lintian (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.