ardour-i686: CVE-2010-3349: insecure library loading

Related Vulnerabilities: CVE-2010-3349  

Debian Bug report logs - #598282

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:01 UTC

Severity: grave

Tags: security

Merged with 598283

Fixed in version ardour/1:2.8.11-2

Done: Adrian Knoth <adi@drcomp.erfurt.thur.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#598282; Package ardour-i686. (Tue, 28 Sep 2010 04:24:04 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 04:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: ardour-i686: CVE-2010-3349: insecure library loading
Date: Tue, 28 Sep 2010 04:21:15 +0000
Package: ardour-i686
Version: 1:2.8.11-1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/ardour2 line 5:
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3349. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3349
[1] http://security-tracker.debian.org/tracker/CVE-2010-3349

Sincerely,
Raphael Geissert
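
The empty-entry behaviour described in the report, shown next to a wrapper-side guard. This is an added example, not part of the original report and not the change that shipped in 1:2.8.11-2 (the log does not show that change); the function names are hypothetical and the inherited values are constructed.

```shell
#!/bin/sh
# Added example: how the reported assignment yields an empty list item,
# and one way to build the value without one. Function names are hypothetical.

# The form quoted in the report: the inherited value is appended unconditionally.
build_unsafe() {    # $1 = inherited LD_LIBRARY_PATH (may be empty)
    printf '%s' "/usr/lib/ardour2:$1"
}

# Succeeds (0) when a colon-separated list has an empty item:
# a leading colon, a trailing colon, or two colons in a row.
has_empty_entry() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Drop empty items from a colon-separated list.
strip_empty_entries() {
    out=
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:} ;;
            *)   item=$rest; rest= ;;
        esac
        if [ -n "$item" ]; then out=${out:+$out:}$item; fi
    done
    printf '%s' "$out"
}

# Guarded form: clean the inherited list, then add the separator only
# when something is left to append (POSIX ${var:+word} expansion).
build_safe() {
    inherited=$(strip_empty_entries "$1")
    printf '%s' "/usr/lib/ardour2${inherited:+:$inherited}"
}

# Constructed inherited values: empty, clean, trailing colon, doubled colon.
for value in "" "/opt/lib" "/opt/lib:" "/opt/a::/opt/b"; do
    unsafe=$(build_unsafe "$value")
    if has_empty_entry "$unsafe"; then verdict="empty item, CWD searched"; else verdict="ok"; fi
    printf 'inherited=[%s] unsafe=[%s] (%s) safe=[%s]\n' \
        "$value" "$unsafe" "$verdict" "$(build_safe "$value")"
done
```

The same `has_empty_entry` pattern can be used to review other wrapper scripts that extend colon-separated search variables.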




Bug reassigned from package 'ardour-i686' to 'src:ardour'. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:07 GMT)


Bug No longer marked as found in versions ardour/1:2.8.11-1. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:08 GMT)


Forcibly Merged 598282 598283. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:09 GMT)


Added tag(s) pending. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 19:30:04 GMT)


Reply sent to Adrian Knoth <adi@drcomp.erfurt.thur.de>:
You have taken responsibility. (Wed, 29 Sep 2010 08:33:03 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 08:33:04 GMT)


Message #18 received at 598282-close@bugs.debian.org:

From: Adrian Knoth <adi@drcomp.erfurt.thur.de>
To: 598282-close@bugs.debian.org
Subject: Bug#598282: fixed in ardour 1:2.8.11-2
Date: Wed, 29 Sep 2010 08:32:18 +0000
Source: ardour
Source-Version: 1:2.8.11-2

We believe that the bug you reported is fixed in the latest version of
ardour, which is due to be installed in the Debian FTP archive:

ardour-i686_2.8.11-2_i386.deb
  to main/a/ardour/ardour-i686_2.8.11-2_i386.deb
ardour_2.8.11-2.debian.tar.gz
  to main/a/ardour/ardour_2.8.11-2.debian.tar.gz
ardour_2.8.11-2.dsc
  to main/a/ardour/ardour_2.8.11-2.dsc
ardour_2.8.11-2_i386.deb
  to main/a/ardour/ardour_2.8.11-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598282@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Knoth <adi@drcomp.erfurt.thur.de> (supplier of updated ardour package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 28 Sep 2010 16:44:12 +0200
Source: ardour
Binary: ardour ardour-altivec ardour-i686
Architecture: source i386
Version: 1:2.8.11-2
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Adrian Knoth <adi@drcomp.erfurt.thur.de>
Description: 
 ardour     - digital audio workstation (graphical gtk2 interface)
 ardour-altivec - digital audio workstation (graphical gtk2 interface) [altivec]
 ardour-i686 - digital audio workstation (graphical gtk2 interface) [i686]
Closes: 598282
Changes: 
 ardour (1:2.8.11-2) unstable; urgency=low
 .
   [ Jonas Smedegaard ]
   * Recommend iceweasel and only fallback on virtual www-browser, and
     drop superfluous fallback on firefox.
   * Refresh patch using shortening options --no-timestamps --no-index
     -pab.
   * Maintain package relations in rules file.
   * Fix have ardour replace and conflict with itself (as same name is
     used as virtual name for other flavors).
   * Add quirk to recommend firefox (not iceweasel) for Ubuntu.
   * Rewrite copyright file to recent draft DEP5 machine-readable format.
   * Fix add verbatim text for a(nother) Libtool exception in
     debian/copyright.
 .
   [ Adrian Knoth ]
   * Unapply patches after git-buildpackage
   * Fix insecure library loading (Closes: #598282)
 .
   [ Luke Yelavich ]
   * debian/control: Do not explicitly depend on a particular version of
     jackd





Reply sent to Adrian Knoth <adi@drcomp.erfurt.thur.de>:
You have taken responsibility. (Wed, 29 Sep 2010 08:33:04 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Wed, 29 Sep 2010 08:33:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Nov 2010 07:36:28 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:21:34 2019; Machine Name: buxtehude
