
Debian Bug report logs - #605096
CVE-2010-4005


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 27 Nov 2010 12:15:04 UTC

Severity: grave

Tags: security

Found in versions tomboy/1.2.2-1, tomboy/0.10.2-1

Fixed in version tomboy/1.2.2-2

Done: Iain Lane <laney@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#605096; Package tomboy. (Sat, 27 Nov 2010 12:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Sat, 27 Nov 2010 12:15:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4005
Date: Sat, 27 Nov 2010 13:10:55 +0100
Package: tomboy
Severity: grave
Tags: security


Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4005
for details and a patch. Please fix this for Squeeze with a targeted
bugfix, not by packaging a full new upstream release.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages tomboy depends on:
ii  gconf2                        2.28.1-6   GNOME configuration database syste
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
pn  libgconf2.0-cil               <none>     (no description available)
ii  libglib2.0-0                  2.24.2-1   The GLib library of C routines
pn  libglib2.0-cil                <none>     (no description available)
pn  libgmime2.2-cil               <none>     (no description available)
pn  libgnome2.0-cil               <none>     (no description available)
pn  libgnomeprint2.2-0            <none>     (no description available)
pn  libgnomeprintui2.2-0          <none>     (no description available)
ii  libgtk2.0-0                   2.20.1-2   The GTK+ graphical user interface 
pn  libgtk2.0-cil                 <none>     (no description available)
ii  libgtkspell0                  2.0.16-1   a spell-checking addon for GTK's T
pn  libmono-addins-gui0.2-cil     <none>     (no description available)
pn  libmono-addins0.2-cil         <none>     (no description available)
pn  libmono-corlib2.0-cil         <none>     (no description available)
pn  libmono-system2.0-cil         <none>     (no description available)
pn  libmono2.0-cil                <none>     (no description available)
pn  libndesk-dbus-glib1.0-cil     <none>     (no description available)
pn  libndesk-dbus1.0-cil          <none>     (no description available)
pn  libpanel-applet2-0            <none>     (no description available)
ii  libpango1.0-0                 1.28.3-1   Layout and rendering of internatio
ii  libx11-6                      2:1.3.3-4  X11 client-side library
pn  mono-runtime                  <none>     (no description available)

tomboy recommends no packages.

Versions of packages tomboy suggests:
pn  evolution                     <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#605096; Package tomboy. (Mon, 29 Nov 2010 13:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Iain Lane <laney@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 29 Nov 2010 13:06:03 GMT) (full text, mbox, link).


Message #10 received at 605096@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@ubuntu.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 605096@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: Re: [pkg-cli-apps-team] Bug#605096: CVE-2010-4005
Date: Mon, 29 Nov 2010 13:03:31 +0000
tags 605096 + pending
affects 605096 1.2.2-1
affects 605096 0.10.2-1
thanks

Hi,

On Sat, Nov 27, 2010 at 01:10:55PM +0100, Moritz Muehlenhoff wrote:
>Package: tomboy
>Severity: grave
>Tags: security
>
>
>Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4005
>for details and a patch. Please fix this for Squeeze with a targeted
>bugfix, not by packaging a full new upstream release.

Thanks, prepared for sid/squeeze in git. Attached a diff.gz/dsc for
lenny. Is this OK to upload?

Regards,
Iain
[tomboy_0.10.2-1+lenny1.diff.gz (application/octet-stream, attachment)]
[tomboy_0.10.2-1+lenny1.dsc (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 13:06:06 GMT) (full text, mbox, link).


Added indication that 605096 affects 1.2.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 13:06:07 GMT) (full text, mbox, link).


Removed indication that 605096 affects 1.2.2-1. Added indication that 605096 affects 0.10.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 13:06:08 GMT) (full text, mbox, link).


Bug Marked as found in versions tomboy/1.2.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:15:02 GMT) (full text, mbox, link).


Bug Marked as found in versions tomboy/0.10.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:15:03 GMT) (full text, mbox, link).


Removed indication that 605096 affects 0.10.2-1. Added indication that 605096 affects tomboy. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:15:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#605096; Package tomboy. (Mon, 29 Nov 2010 18:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 29 Nov 2010 18:42:07 GMT) (full text, mbox, link).


Message #27 received at 605096@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Iain Lane <laney@ubuntu.com>
Cc: 605096@bugs.debian.org, team@security.debian.org
Subject: Re: [pkg-cli-apps-team] Bug#605096: CVE-2010-4005
Date: Mon, 29 Nov 2010 19:38:41 +0100
On Mon, Nov 29, 2010 at 01:03:31PM +0000, Iain Lane wrote:
> tags 605096 + pending
> affects 605096 1.2.2-1
> affects 605096 0.10.2-1
> thanks
> 
> Hi,
> 
> On Sat, Nov 27, 2010 at 01:10:55PM +0100, Moritz Muehlenhoff wrote:
> >Package: tomboy
> >Severity: grave
> >Tags: security
> >
> >
> >Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4005
> >for details and a patch. Please fix this for Squeeze with a targeted
> >bugfix, not by packaging a full new upstream release.
> 
> Thanks, prepared for sid/squeeze in git. Attached a diff.gz/dsc for
> lenny. Is this OK to upload?

The impact doesn't warrant a DSA. Please fix this through a stable
point update instead:
http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable 

Thanks
        Moritz




Reply sent to Iain Lane <laney@ubuntu.com>:
You have taken responsibility. (Tue, 30 Nov 2010 14:33:10 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 30 Nov 2010 14:33:10 GMT) (full text, mbox, link).


Message #32 received at 605096-close@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@ubuntu.com>
To: 605096-close@bugs.debian.org
Subject: Bug#605096: fixed in tomboy 1.2.2-2
Date: Tue, 30 Nov 2010 14:32:38 +0000
Source: tomboy
Source-Version: 1.2.2-2

We believe that the bug you reported is fixed in the latest version of
tomboy, which is due to be installed in the Debian FTP archive:

tomboy_1.2.2-2.diff.gz
  to main/t/tomboy/tomboy_1.2.2-2.diff.gz
tomboy_1.2.2-2.dsc
  to main/t/tomboy/tomboy_1.2.2-2.dsc
tomboy_1.2.2-2_amd64.deb
  to main/t/tomboy/tomboy_1.2.2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605096@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Iain Lane <laney@ubuntu.com> (supplier of updated tomboy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 29 Nov 2010 18:59:02 +0000
Source: tomboy
Binary: tomboy
Architecture: source amd64
Version: 1.2.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>
Changed-By: Iain Lane <laney@ubuntu.com>
Description: 
 tomboy     - desktop note taking program using Wiki style links
Closes: 605096
Changes: 
 tomboy (1.2.2-2) unstable; urgency=high
 .
   * [bc0695b] Fix insecure LD_LIBRARY_PATH. A vulnerability existed
     where if LD_LIBRARY_PATH were set but empty, a trailing : as a path
     separator would still be appended to the path, exposing an
     insecure/invalid search path. Using :+: instead of +: prevents this
     as ${X:+:$X} returns X iff X is set and not empty whereas ${X+:$X}
     returns X iff X is set (it may be empty). References: CVE-2010-4005
     (Closes: #605096)

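The changelog entry above describes the fix as replacing `${X+:$X}` with `${X:+:$X}` when the wrapper builds LD_LIBRARY_PATH. The script below is an added example, not code from the tomboy package: it reproduces both expansions for the three states of LD_LIBRARY_PATH (unset, set but empty, set and non-empty) and adds a check for empty search-path elements. The directory `/usr/lib/tomboy` in `TOMBOY_LIBDIR` and the helper names `path_before_fix`, `path_after_fix` and `has_empty_element` are assumptions; the page does not show tomboy's real wrapper script.

```shell
#!/bin/sh
# Added example, not code from the tomboy package.  It reproduces the
# parameter expansion that the tomboy 1.2.2-2 changelog describes and
# checks the resulting search path for empty elements.

# Stand-in for the package's private library directory.  This is an
# assumption: the real directory used by tomboy's wrapper is not on the page.
TOMBOY_LIBDIR=/usr/lib/tomboy

# Before the fix: ${X+:$X} appends ":$X" whenever X is set, even when X is
# empty, so LD_LIBRARY_PATH="" yields "/usr/lib/tomboy:".  The dynamic linker
# reads the empty trailing element as the current working directory.
path_before_fix() {
    printf '%s' "$TOMBOY_LIBDIR${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
}

# After the fix: ${X:+:$X} appends ":$X" only when X is set AND non-empty,
# so an empty LD_LIBRARY_PATH contributes nothing.
path_after_fix() {
    printf '%s' "$TOMBOY_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Check a colon-separated search path for an empty element (leading or
# trailing ':' or '::' in the middle).  Returns 0 if one is present.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Walk LD_LIBRARY_PATH through its three states and show both expansions.
for state in unset empty set; do
    case $state in
        unset) unset LD_LIBRARY_PATH ;;
        empty) LD_LIBRARY_PATH= ;;
        set)   LD_LIBRARY_PATH=/opt/lib ;;
    esac
    before=$(path_before_fix)
    after=$(path_after_fix)
    has_empty_element "$before" && verdict=insecure || verdict=ok
    printf '%-5s  before: %-25s (%s)  after: %s\n' \
        "$state" "$before" "$verdict" "$after"
done
```

Only the "empty" state differs between the two forms; the `has_empty_element` check is the one to run over any search path a wrapper script assembles from user-controlled environment variables.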





Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#605096; Package tomboy. (Tue, 30 Nov 2010 20:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Iain Lane <laney@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Tue, 30 Nov 2010 20:18:03 GMT) (full text, mbox, link).


Message #37 received at 605096@bugs.debian.org (full text, mbox, reply):

From: Iain Lane <laney@ubuntu.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 605096@bugs.debian.org
Cc: debian-release@lists.debian.org, debian-cli@lists.debian.org
Subject: Re: Bug#605096: [pkg-cli-apps-team] Bug#605096: CVE-2010-4005
Date: Tue, 30 Nov 2010 20:15:10 +0000
Hi,

[ccing -cli too for information]

On Mon, Nov 29, 2010 at 07:38:41PM +0100, Moritz Muehlenhoff wrote:
>On Mon, Nov 29, 2010 at 01:03:31PM +0000, Iain Lane wrote:
>> tags 605096 + pending
>> affects 605096 1.2.2-1
>> affects 605096 0.10.2-1
>> thanks
>>
>> Hi,
>>
>> On Sat, Nov 27, 2010 at 01:10:55PM +0100, Moritz Muehlenhoff wrote:
>> >Package: tomboy
>> >Severity: grave
>> >Tags: security
>> >
>> >
>> >Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4005
>> >for details and a patch. Please fix this for Squeeze with a targeted
>> >bugfix, not by packaging a full new upstream release.
>>
>> Thanks, prepared for sid/squeeze in git. Attached a diff.gz/dsc for
>> lenny. Is this OK to upload?
>
>The impact doesn't warrant a DSA. Please fix this through a stable
>point update instead:
>http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

OK. @d-release SRMs, would you accept a stable update for tomboy (and
then assumedly banshee which suffers from the same problem in unstable
[not checked stable yet])?

debdiff attached.

Regards,
Iain
[tomboy_0-10.2-1+lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#605096; Package tomboy. (Sat, 18 Dec 2010 14:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Sat, 18 Dec 2010 14:00:06 GMT) (full text, mbox, link).


Message #42 received at 605096@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 605096@bugs.debian.org, debian-release@lists.debian.org, debian-cli@lists.debian.org
Subject: Re: Bug#605096: [pkg-cli-apps-team] Bug#605096: CVE-2010-4005
Date: Sat, 18 Dec 2010 14:57:17 +0100
On Tue, Nov 30, 2010 at 20:15:10 +0000, Iain Lane wrote:

> OK. @d-release SRMs, would you accept a stable update for tomboy (and
> then assumedly banshee which suffers from the same problem in unstable
> [not checked stable yet])?
> 
Yes.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:28:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:50:09 2019; Machine Name: buxtehude
