Debian Bug report logs - #594414
CVE-2010-2945: insecure PATH assignment
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 25 Aug 2010 20:03:02 UTC
Severity: grave
Tags: security
Fixed in version slim/1.3.1-7
Done: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Wed, 25 Aug 2010 20:03:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 25 Aug 2010 20:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: slim
Severity: grave
Tags: security
The following was reported to oss-security:
--
SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included './'. This allowed unintentional code execution (e.g.
planted binary) and has been fixed by the developers in version 1.3.2.
Fix:
http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
--
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages slim depends on:
ii debconf [debconf-2.0] 1.5.35 Debian configuration management sy
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.4-9 GCC support library
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxft2 2.1.14-2 FreeType-based font drawing librar
ii libxmu6 2:1.0.5-1 X11 miscellaneous utility library
slim recommends no packages.
Versions of packages slim suggests:
pn scrot <none> (no description available)
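The defect in the report above is easiest to understand in executable form: a PATH entry of './' (or an empty entry) makes command lookup depend on whatever directory the user is in at the time. The following audit script is an added example, not code from SLiM, from the Debian package or from this bug log. The PATH values, the directory `/home/alice/Downloads` and the set of executables in `CONSTRUCTED_EXECUTABLES` are constructed for illustration, and `resolve_command` only simulates execvp-style search over that constructed set rather than touching the real filesystem.

```python
"""Audit a PATH value for entries that make command lookup depend on the
current working directory (the defect behind CVE-2010-2945), and simulate
how such a PATH resolves a command name.

Added example, not code from the SLiM project or from this bug log.
All paths and executables below are constructed for illustration.
"""
import os
from typing import List, Optional, Set, Tuple

# Constructed set of executables that "exist" on the illustrative system.
# /home/alice/Downloads stands for a directory whose contents the user did
# not install themselves (for example an unpacked archive).
CONSTRUCTED_EXECUTABLES: Set[str] = {
    "/bin/ls",
    "/usr/bin/vim",
    "/home/alice/Downloads/ls",
    "/home/alice/Downloads/sl",
}

# A PATH ending in './' as the old login manager set it, and the fixed form.
VULNERABLE_PATH = "/bin:/usr/bin:./"
FIXED_PATH = "/bin:/usr/bin"


def insecure_path_entries(path: str) -> List[Tuple[int, str, str]]:
    """Return (index, entry, reason) for every entry that is resolved
    relative to the current working directory instead of a fixed location."""
    findings = []
    for i, entry in enumerate(path.split(":")):
        if entry == "":
            # "a::b", ":a" and "a:" all contain an empty entry, which
            # execvp(3) treats as the current directory.
            findings.append((i, entry, "empty entry (resolves to the current directory)"))
        elif entry in (".", "./"):
            findings.append((i, entry, "explicit current-directory entry"))
        elif not entry.startswith("/"):
            findings.append((i, entry, "relative entry (depends on the current directory)"))
    return findings


def sanitized_path(path: str) -> str:
    """Drop the insecure entries, keeping the order of the remaining ones."""
    bad = {i for i, _, _ in insecure_path_entries(path)}
    return ":".join(e for i, e in enumerate(path.split(":")) if i not in bad)


def resolve_command(name: str, path: str, cwd: str,
                    executables: Set[str] = CONSTRUCTED_EXECUTABLES) -> Optional[str]:
    """Simulate execvp(3)-style lookup: a name without a slash is searched
    directory by directory along PATH, and relative or empty entries are
    joined onto the current working directory. Returns the first match."""
    if "/" in name:
        return name
    for entry in path.split(":"):
        directory = entry if entry else "."
        candidate = os.path.normpath(os.path.join(cwd, directory, name))
        if candidate in executables:
            return candidate
    return None


if __name__ == "__main__":
    cwd = "/home/alice/Downloads"
    for label, path in (("vulnerable", VULNERABLE_PATH), ("fixed", FIXED_PATH)):
        print(f"{label}: PATH={path}")
        for idx, entry, reason in insecure_path_entries(path):
            print(f"  entry {idx} {entry!r}: {reason}")
        for cmd in ("ls", "sl"):
            print(f"  {cmd!r} run from {cwd} -> {resolve_command(cmd, path, cwd)}")
    print("sanitized:", sanitized_path(VULNERABLE_PATH))
```

Because './' sits at the end of the vulnerable PATH, a command that exists in a system directory still resolves there; only a name that is not found earlier (a typo, or a command that is simply not installed) falls through to the current directory. A './' at the front of PATH would shadow every system command instead, which is why the audit flags the entry wherever it appears.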
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Wed, 25 Aug 2010 23:24:03 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 25 Aug 2010 23:24:03 GMT)
Message #10 received at submit@bugs.debian.org:
tags 594414 lenny
thanks
Hi,
Thanks for your report.
On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> Package: slim
> Severity: grave
> Tags: security
>
> The following was reported to oss-security:
>
> --
>
> SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> which included './'. This allowed unintentional code execution (e.g.
> planted binary) and has been fixed by the developers in version 1.3.2.
>
> Fix:
> http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
slim has this problem only in lenny.
I'll fix it soon.
Best regards,
Nobuhiro
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Wed, 25 Aug 2010 23:24:07 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 25 Aug 2010 23:24:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Wed, 25 Aug 2010 23:57:02 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 25 Aug 2010 23:57:03 GMT)
Message #20 received at submit@bugs.debian.org:
On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
> tags 594414 lenny
> thanks
>
> Hi,
>
> Thanks for your report.
>
> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: slim
> > Severity: grave
> > Tags: security
> >
> > The following was reported to oss-security:
> >
> > --
> >
> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> > which included './'. This allowed unintentional code execution (e.g.
> > planted binary) and has been fixed by the developers in version 1.3.2.
> >
> > Fix:
> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
>
> slim has this problem only lenny.
Oh, I misunderstood. All distributions have this.
> I'll fix soon.
Best regards,
Nobuhiro
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Wed, 25 Aug 2010 23:57:05 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Wed, 25 Aug 2010 23:57:05 GMT)
Reply sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>: You have taken responsibility. (Thu, 26 Aug 2010 04:51:09 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Thu, 26 Aug 2010 04:51:09 GMT)
Message #30 received at 594414-close@bugs.debian.org:
Source: slim
Source-Version: 1.3.1-7
We believe that the bug you reported is fixed in the latest version of
slim, which is due to be installed in the Debian FTP archive:
slim_1.3.1-7.diff.gz
to main/s/slim/slim_1.3.1-7.diff.gz
slim_1.3.1-7.dsc
to main/s/slim/slim_1.3.1-7.dsc
slim_1.3.1-7_amd64.deb
to main/s/slim/slim_1.3.1-7_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594414@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <iwamatsu@debian.org> (supplier of updated slim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 26 Aug 2010 12:40:13 +0900
Source: slim
Binary: slim
Architecture: source amd64
Version: 1.3.1-7
Distribution: unstable
Urgency: high
Maintainer: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Changed-By: Nobuhiro Iwamatsu <iwamatsu@debian.org>
Description:
slim - desktop-independent graphical login manager for X11
Closes: 586593 594414
Changes:
slim (1.3.1-7) unstable; urgency=high
.
* Update debian/control.
- Bump up Standards-Version to 3.9.1.
* Fix show black screen on kfreebsd (Closes: #586593).
debian/patches/fix-black-screen.patch
* Fix CVE-2010-2945: insecure PATH assignment (Closes: #594414).
debian/patches/insecure_PATH_assignment.patch
Checksums-Sha1:
82ef5b635019cf893c6b54cbabb6ec7a0859c465 1116 slim_1.3.1-7.dsc
01f430bcc830eefdee54d13e950ed616661b8f29 666173 slim_1.3.1-7.diff.gz
64e807c96b94eec44691b14d732332989238b319 815724 slim_1.3.1-7_amd64.deb
Checksums-Sha256:
bb405a8d11e7cb99a8bc8530d41a43f87affef39e4c5e42905f8e7f20aef0244 1116 slim_1.3.1-7.dsc
08cb4864fff654eca0a0d430eca4b96ffb48d91cba0300057274e178de4f4403 666173 slim_1.3.1-7.diff.gz
0857ec9b777960935d0102996d531b3c5778b6cbccd8157cdb0991bf2b2eceff 815724 slim_1.3.1-7_amd64.deb
Files:
b275ff3db0ca6fef8ed687e908899c28 1116 x11 optional slim_1.3.1-7.dsc
b458957b7f41411d3449dae8341de536 666173 x11 optional slim_1.3.1-7.diff.gz
2b1edaaf44fdd3b123523c3a815a1466 815724 x11 optional slim_1.3.1-7_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkx18DgACgkQQSHHQzFw6+lj+ACgpYI0aY3FSca+lJDhqkiTHiDe
KN8AnjkuwH5K6BIluPptzfHHRuZPVNWe
=zWfI
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Thu, 26 Aug 2010 16:27:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Thu, 26 Aug 2010 16:27:05 GMT)
Message #35 received at 594414@bugs.debian.org:
On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
> tags 594414 lenny
> thanks
>
> Hi,
>
> Thanks for your report.
>
> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: slim
> > Severity: grave
> > Tags: security
> >
> > The following was reported to oss-security:
> >
> > --
> >
> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
> > which included './'. This allowed unintentional code execution (e.g.
> > planted binary) and has been fixed by the developers in version 1.3.2.
> >
> > Fix:
> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
>
> slim has this problem only lenny.
> I'll fix soon.
The impact seems rather low, I don't think we need a DSA for this?
Could you fix this through a stable point update, please?
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Thu, 26 Aug 2010 23:57:08 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Thu, 26 Aug 2010 23:57:08 GMT)
Message #40 received at 594414@bugs.debian.org:
Hi,
2010/8/27 Moritz Muehlenhoff <jmm@inutil.org>:
> On Thu, Aug 26, 2010 at 08:21:42AM +0900, Nobuhiro Iwamatsu wrote:
>> tags 594414 lenny
>> thanks
>>
>> Hi,
>>
>> Thanks for your report.
>>
>> On Wed, Aug 25, 2010 at 09:58:56PM +0200, Moritz Muehlenhoff wrote:
>> > Package: slim
>> > Severity: grave
>> > Tags: security
>> >
>> > The following was reported to oss-security:
>> >
>> > --
>> >
>> > SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
>> > which included './'. This allowed unintentional code execution (e.g.
>> > planted binary) and has been fixed by the developers in version 1.3.2.
>> >
>> > Fix:
>> > http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171
>>
>> slim has this problem only lenny.
>> I'll fix soon.
>
> The impact seems rather low, I don't think we need a DSA for this?
OK. May I take this as the official answer of the security team?
# Because you are a member of the security team.
Or should I ask them (debian-security-private@lists.debian.org) for a judgment?
>
> Could you fix this through a stable point update, please?
> http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Sure. I am going to do this.
Best regards,
Nobuhiro
--
Nobuhiro Iwamatsu
iwamatsu at {nigauri.org / debian.org}
GPG ID: 40AD1FA6
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Fri, 27 Aug 2010 15:09:06 GMT)
Acknowledgement sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Fri, 27 Aug 2010 15:09:06 GMT)
Message #45 received at 594414@bugs.debian.org:
Dear release team,
I prepared an upload to fix a minor security issue[0][1] in slim[2].
Full debdiff is attached.
Could you check this?
Best regards,
Nobuhiro
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2945
[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594414
[2]: http://packages.qa.debian.org/s/slim.html
--
Nobuhiro Iwamatsu / iwamatsu@debian.org
[Attachment: slim_1.3.0-1+lenny3.debdiff (text/plain)]
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Fri, 27 Aug 2010 17:15:09 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Fri, 27 Aug 2010 17:15:09 GMT)
Message #50 received at 594414@bugs.debian.org:
On Sat, 2010-08-28 at 00:07 +0900, Nobuhiro Iwamatsu wrote:
> I prepared an upload to fix a minor security issue[0][1] in slim[2].
> Full debdiff is attached.
> Could you check this?
Please go ahead with the upload.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#594414; Package slim. (Fri, 27 Aug 2010 22:12:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Fri, 27 Aug 2010 22:12:05 GMT)
Message #55 received at 594414@bugs.debian.org:
On Fri, Aug 27, 2010 at 08:55:23AM +0900, Nobuhiro Iwamatsu wrote:
> Hi,
>
> > The impact seems rather low, I don't think we need a DSA for this?
>
> OK. May I think this to be the official answer of the security team?
> # Because you are member of security team.
Yes, that should be ok. I'll update the Debian Security Tracker.
> > Could you fix this through a stable point update, please?
> > http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> Sure. I am going to do this.
Thanks, also added to the Debian Security Tracker.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Sep 2010 07:31:38 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:44:43 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.