CVE-2010-3385: insecure library loading

Bug #660923 reported by Micah Gersten on 2010-10-15
Affects                      Importance  Assigned to
tuxguitar (Ubuntu)           Low         Micah Gersten
tuxguitar (Ubuntu Lucid)     Low         Unassigned
tuxguitar (Ubuntu Maverick)  Low         Unassigned

Bug Description

Binary package hint: tuxguitar

Originally from Debian #598307

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.

Vulnerable code follows:

/usr/bin/tuxguitar line 129:
        export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"
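
The empty-element behaviour behind this bug and the shape of the fix, as an added example (this is not the tuxguitar package's own script nor the Debian patch). The xulrunner path is a constructed placeholder, and the hardened form assumes that "shell expansion" in the changelogs below refers to the ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:} idiom:

```shell
#!/bin/sh
# Added example, not code from tuxguitar or the bug report. MOZ_HOME is a
# constructed placeholder for the real MOZILLA_FIVE_HOME value. The fixed
# form assumes "shell expansion" means the ${VAR:+...} idiom, which emits
# the separator only when VAR is already non-empty.

# Vulnerable construction from /usr/bin/tuxguitar line 129. When
# LD_LIBRARY_PATH is unset or empty the result starts with ':', and ld.so(8)
# treats an empty path element as the current working directory, so an
# untrusted library in the working directory could be loaded.
vulnerable_path() {
    # $1: existing LD_LIBRARY_PATH (may be empty); $2: directory to append
    printf '%s\n' "$1:$2"
}

# Hardened construction: the colon is part of the alternate value of
# ${1:+...}, so it only appears when $1 already holds something.
fixed_path() {
    # $1: existing LD_LIBRARY_PATH (may be empty); $2: directory to append
    printf '%s\n' "${1:+$1:}$2"
}

# Audit helper: succeeds (returns 0) when a colon-separated search path
# contains an empty element (leading ':', trailing ':' or '::'), the
# condition that makes ld.so search the current directory.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

MOZ_HOME=/usr/lib/xulrunner-1.9.2   # constructed placeholder
for current in "" "/opt/lib"; do
    printf 'LD_LIBRARY_PATH=%-10s vulnerable=%-32s fixed=%s\n' \
        "'$current'" "$(vulnerable_path "$current" "$MOZ_HOME")" \
        "$(fixed_path "$current" "$MOZ_HOME")"
done
```

Running it with LD_LIBRARY_PATH unset shows the vulnerable form producing a leading ':' while the fixed form does not; has_empty_element can be pointed at any wrapper script's final LD_LIBRARY_PATH value to check for the same defect.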

Micah Gersten (micahg) wrote :

I have the natty merge ready, just want to verify changelog before uploading.

Changed in tuxguitar (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
status: New → In Progress
Micah Gersten (micahg) wrote :

Sorry, first debdiff had the merge changelog in it.

visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.2-7ubuntu1

---------------
tuxguitar (1.2-7ubuntu1) natty; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - debian/patches/03-CVE-2010-3385.patch: Use shell expansion when setting
      LD_LIBRARY_PATH. Patch from Debian version 1.2-7
    - CVE-2010-3385
  * Merge from debian unstable. Remaining changes:
    - add debian/patches/xulrunner-1.9.2.patch
      + misc/tuxguitar.sh: update to use xulrunner-1.9.2
    - debian/control: Update depends to xulrunner-1.9.2

tuxguitar (1.2-7) unstable; urgency=medium

  * Apply patch for CVE-2010-3385 (Closes: #598307)
    Thanks to Etienne Millon
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 22:37:06 -0500

Changed in tuxguitar (Ubuntu):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the Lucid and Maverick debdiffs.

Changed in tuxguitar (Ubuntu Lucid):
status: New → Fix Committed
Changed in tuxguitar (Ubuntu Maverick):
status: New → Fix Committed
importance: Undecided → Low
Changed in tuxguitar (Ubuntu Lucid):
importance: Undecided → Low
Marc Deslauriers (mdeslaur) wrote :

Lucid and Maverick packages have been uploaded for building, and will be released soon.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.2-6ubuntu1.1

---------------
tuxguitar (1.2-6ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - debian/patches/03-CVE-2010-3385.patch: Use shell expansion when setting
      LD_LIBRARY_PATH. Patch from Debian. Thanks to Etienne Millon.
    - CVE-2010-3385
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 23:13:31 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.1-1ubuntu4.1

---------------
tuxguitar (1.1-1ubuntu4.1) lucid-security; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - misc/tuxguitar.sh: Use shell expansion when setting LD_LIBRARY_PATH.
      Based on patch in Debian version 1.2-7. Thanks to Etienne Millon.
    - CVE-2010-3385
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 23:09:45 -0500

Changed in tuxguitar (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tuxguitar (Ubuntu Maverick):
status: Fix Committed → Fix Released