CVE-2010-2945: insecure PATH assignment

Debian Bug report logs - #594414
CVE-2010-2945: insecure PATH assignment

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2010-2945: insecure PATH assignment

Date: Wed, 25 Aug 2010 21:58:56 +0200

Package: slim
Severity: grave
Tags: security

The following was reported to oss-security:

--

SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included './'. This allowed unintentional code execution (e.g.
planted binary) and has been fixed by the developers in version 1.3.2.

Fix:
http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171

--

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages slim depends on:
ii  debconf [debconf-2.0]         1.5.35     Debian configuration management sy
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.4.4-9  GCC support library
ii  libjpeg62                     6b1-1      The Independent JPEG Group's JPEG 
ii  libpam0g                      1.1.1-4    Pluggable Authentication Modules l
ii  libpng12-0                    1.2.44-1   PNG library - runtime
ii  libstdc++6                    4.4.4-9    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.3.3-3  X11 client-side library
ii  libxft2                       2.1.14-2   FreeType-based font drawing librar
ii  libxmu6                       2:1.0.5-1  X11 miscellaneous utility library

slim recommends no packages.

Versions of packages slim suggests:
pn  scrot                         <none>     (no description available)

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#594414: CVE-2010-2945: insecure PATH assignment

Date: Thu, 26 Aug 2010 08:21:42 +0900

tags 594414 lenny 
thanks

Hi,

Thanks for your report.

On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> Package: slim
> Severity: grave
> Tags: security
> 
> The following was reported to oss-security:
> 
> --
> 
> SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> which included './'. This allowed unintentional code execution (e.g.
> planted binary) and has been fixed by the developers in version 1.3.2.
> 
> Fix:
> http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171

slim has this problem only lenny.
I'll fix soon.

Best regards,
  Nobuhiro

Message #20 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#594414: CVE-2010-2945: insecure PATH assignment

Date: Thu, 26 Aug 2010 08:53:26 +0900

On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
> tags 594414 lenny 
> thanks
> 
> Hi,
> 
> Thanks for your report.
> 
> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: slim
> > Severity: grave
> > Tags: security
> > 
> > The following was reported to oss-security:
> > 
> > --
> > 
> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> > which included './'. This allowed unintentional code execution (e.g.
> > planted binary) and has been fixed by the developers in version 1.3.2.
> > 
> > Fix:
> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
> 
> slim has this problem only lenny.
Oh, I misunderstand. All distribution has this.

> I'll fix soon.

Best regards,
  Nobuhiro

Message #30 received at 594414-close@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@debian.org>

To: 594414-close@bugs.debian.org

Subject: Bug#594414: fixed in slim 1.3.1-7

Date: Thu, 26 Aug 2010 04:47:07 +0000

Source: slim
Source-Version: 1.3.1-7

We believe that the bug you reported is fixed in the latest version of
slim, which is due to be installed in the Debian FTP archive:

slim_1.3.1-7.diff.gz
  to main/s/slim/slim_1.3.1-7.diff.gz
slim_1.3.1-7.dsc
  to main/s/slim/slim_1.3.1-7.dsc
slim_1.3.1-7_amd64.deb
  to main/s/slim/slim_1.3.1-7_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594414@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated slim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 26 Aug 2010 12:40:13 +0900
Source: slim
Binary: slim
Architecture: source amd64
Version: 1.3.1-7
Distribution: unstable
Urgency: high
Maintainer: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description: 
 slim       - desktop-independent graphical login manager for X11
Closes: 586593 594414
Changes: 
 slim (1.3.1-7) unstable; urgency=high
 .
   * Update debian/control.
     - Bump up Standards-Version to 3.9.1.
   * Fix show black screen on On kfreebsd (Closes: #586593).
     debian/patches/fix-black-screen.patch
   * Fix CVE-2010-2945: insecure PATH assignment (Closes: #594414).
     debian/patches/insecure_PATH_assignment.patch
Checksums-Sha1: 
 82ef5b635019cf893c6b54cbabb6ec7a0859c465 1116 slim_1.3.1-7.dsc
 01f430bcc830eefdee54d13e950ed616661b8f29 666173 slim_1.3.1-7.diff.gz
 64e807c96b94eec44691b14d732332989238b319 815724 slim_1.3.1-7_amd64.deb
Checksums-Sha256: 
 bb405a8d11e7cb99a8bc8530d41a43f87affef39e4c5e42905f8e7f20aef0244 1116 slim_1.3.1-7.dsc
 08cb4864fff654eca0a0d430eca4b96ffb48d91cba0300057274e178de4f4403 666173 slim_1.3.1-7.diff.gz
 0857ec9b777960935d0102996d531b3c5778b6cbccd8157cdb0991bf2b2eceff 815724 slim_1.3.1-7_amd64.deb
Files: 
 b275ff3db0ca6fef8ed687e908899c28 1116 x11 optional slim_1.3.1-7.dsc
 b458957b7f41411d3449dae8341de536 666173 x11 optional slim_1.3.1-7.diff.gz
 2b1edaaf44fdd3b123523c3a815a1466 815724 x11 optional slim_1.3.1-7_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkx18DgACgkQQSHHQzFw6+lj+ACgpYI0aY3FSca+lJDhqkiTHiDe
KN8AnjkuwH5K6BIluPptzfHHRuZPVNWe
=zWfI
-----END PGP SIGNATURE-----

Message #35 received at 594414@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Subject: Re: Bug#594414: CVE-2010-2945: insecure PATH assignment

Date: Thu, 26 Aug 2010 18:26:00 +0200

On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
> tags 594414 lenny 
> thanks
> 
> Hi,
> 
> Thanks for your report.
> 
> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: slim
> > Severity: grave
> > Tags: security
> > 
> > The following was reported to oss-security:
> > 
> > --
> > 
> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> > which included './'. This allowed unintentional code execution (e.g.
> > planted binary) and has been fixed by the developers in version 1.3.2.
> > 
> > Fix:
> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
> 
> slim has this problem only lenny.
> I'll fix soon.

The impact seems rather low, I don't think we need a DSA for this?

Could you fix this through a stable point update, please?
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz

Message #40 received at 594414@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Subject: Re: Bug#594414: CVE-2010-2945: insecure PATH assignment

Date: Fri, 27 Aug 2010 08:55:23 +0900

Hi,

2010/8/27 Moritz Muehlenhoff <jmm@inutil.org>:
> On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
>> tags 594414 lenny
>> thanks
>>
>> Hi,
>>
>> Thanks for your report.
>>
>> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
>> > Package: slim
>> > Severity: grave
>> > Tags: security
>> >
>> > The following was reported to oss-security:
>> >
>> > --
>> >
>> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
>> > which included './'. This allowed unintentional code execution (e.g.
>> > planted binary) and has been fixed by the developers in version 1.3.2.
>> >
>> > Fix:
>> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
>>
>> slim has this problem only lenny.
>> I'll fix soon.
>
> The impact seems rather low, I don't think we need a DSA for this?

OK. May I think this to be the official answer of the security team?
# Because you are member of security team.
Or I ask them (debian-security-private@lists.debian.org)judgment once?
>
> Could you fix this through a stable point update, please?
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Sure. I am going to do this.

Best regards,
  Nobuhiro

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

Message #45 received at 594414@bugs.debian.org (full text, mbox, reply):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

To: debian-release@lists.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Subject: stable-proposed-updates: package slim/1.3.0-1+lenny3

Date: Sat, 28 Aug 2010 00:07:26 +0900

[Message part 1 (text/plain, inline)]

Dear release team,

I prepared an upload to fix a minor security issue[0][1] in slim[2].
Full debdiff is attached.
Could you check this?

Best regards,
 Nobuhiro

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2945
[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594414
[2]: http://packages.qa.debian.org/s/slim.html

--
  Nobuhiro Iwamatsu / iwamatsu@debian.org

[slim_1.3.0-1+lenny3.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #50 received at 594414@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Cc: debian-release@lists.debian.org, Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Subject: Re: stable-proposed-updates: package slim/1.3.0-1+lenny3

Date: Fri, 27 Aug 2010 18:13:09 +0100

On Sat, 2010-08-28 at 00:07 +0900, Nobuhiro Iwamatsu wrote:
> I prepared an upload to fix a minor security issue[0][1] in slim[2].
> Full debdiff is attached.
> Could you check this?

Please go ahead with the upload.

Regards,

Adam

Message #55 received at 594414@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 594414@bugs.debian.org

Subject: Re: Bug#594414: CVE-2010-2945: insecure PATH assignment

Date: Sat, 28 Aug 2010 00:09:05 +0200

On Fri, Aug 27, 2010 at 08:55:23AM +0900, Nobuhiro Iwamatsu wrote:
> Hi,
> 
> > The impact seems rather low, I don't think we need a DSA for this?
> 
> OK. May I think this to be the official answer of the security team?
> # Because you are member of security team.

Yes, that should be ok. I'll update the Debian Security Tracker.

> > Could you fix this through a stable point update, please?
> > http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> Sure. I am going to do this.

Thanks, also added to the Debian Security Tracker.

Cheers,
        Moritz

Send a report that this bug log contains spam.