CVE-2010-3385: insecure library loading

Bug #660923 reported by Micah Gersten
Affects             | Status       | Importance | Assigned to   | Milestone
tuxguitar (Ubuntu)  | Fix Released | Low        | Micah Gersten |
Lucid               | Fix Released | Low        | Unassigned    |
Maverick            | Fix Released | Low        | Unassigned    |

Bug Description

Binary package hint: tuxguitar

Originally from Debian #598307

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/tuxguitar line 129:
        export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"
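The following is an added example, not code from the tuxguitar package or from the bug report. It places the vulnerable line above beside the shape of the "shell expansion" fix named in the changelogs (the `${VAR:+...}` form is an assumption about how that patch is written, not a quote of it) and adds a small check a packager can run to see whether a search path ends up with an empty component, which ld.so(8) treats as the current working directory. The `/usr/lib/xulrunner-1.9.2` value is a constructed sample.

```shell
#!/bin/sh
# Added example: vulnerable vs. hardened LD_LIBRARY_PATH construction.
# Not part of the tuxguitar package; the ${VAR:+...} form is an assumption
# about the shape of the Debian patch described as "shell expansion".

# Vulnerable form (as in /usr/bin/tuxguitar line 129): when LD_LIBRARY_PATH is
# unset or empty, the result begins with ":" and so contains an empty entry.
# $1 = current LD_LIBRARY_PATH value, $2 = directory to append
vulnerable_append() {
    printf '%s\n' "$1:$2"
}

# Hardened form: the separator is only emitted when there is an existing value
# to separate from, so an unset/empty variable yields just the new directory.
safe_append() {
    _cur=$1
    _dir=$2
    printf '%s\n' "${_cur:+$_cur:}$_dir"
}

# Check: does a colon-separated search path contain an empty component?
# ld.so(8) treats an empty entry as the current working directory.
# Returns 0 (true) if an empty component is present, 1 otherwise.
has_empty_component() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample value standing in for $MOZILLA_FIVE_HOME.
MOZ_DIR=/usr/lib/xulrunner-1.9.2

# Stand-alone demonstration: show both results for an empty starting value.
demo() {
    for fn in vulnerable_append safe_append; do
        result=$("$fn" "" "$MOZ_DIR")
        if has_empty_component "$result"; then
            verdict="UNSAFE (empty component -> current directory searched)"
        else
            verdict="ok"
        fi
        printf '%-18s -> %-32s %s\n' "$fn" "$result" "$verdict"
    done
}

demo
```

Run it with an empty environment (`env -i sh example.sh`) to see the vulnerable form produce a leading colon while the hardened form produces only the Mozilla directory; with a pre-populated LD_LIBRARY_PATH both forms append normally.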

Revision history for this message
Micah Gersten (micahg) wrote :

I have the natty merge ready, just want to verify changelog before uploading.

Changed in tuxguitar (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Low
status: New → In Progress
Revision history for this message
Micah Gersten (micahg) wrote :
Revision history for this message
Micah Gersten (micahg) wrote :

Sorry, first debdiff had the merge changelog in it.

visibility: private → public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.2-7ubuntu1

---------------
tuxguitar (1.2-7ubuntu1) natty; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - debian/patches/03-CVE-2010-3385.patch: Use shell expansion when setting
      LD_LIBRARY_PATH. Patch from Debian version 1.2-7
    - CVE-2010-3385
  * Merge from debian unstable. Remaining changes:
    - add debian/patches/xulrunner-1.9.2.patch
      + misc/tuxguitar.sh: update to use xulrunner-1.9.2
    - debian/control: Update depends to xulrunner-1.9.2

tuxguitar (1.2-7) unstable; urgency=medium

  * Apply patch for CVE-2010-3385 (Closes: #598307)
    Thanks to Etienne Millon
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 22:37:06 -0500

Changed in tuxguitar (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the Lucid and Maverick debdiffs.

Changed in tuxguitar (Ubuntu Lucid):
status: New → Fix Committed
Changed in tuxguitar (Ubuntu Maverick):
status: New → Fix Committed
importance: Undecided → Low
Changed in tuxguitar (Ubuntu Lucid):
importance: Undecided → Low
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Lucid and Maverick packages have been uploaded for building, and will be released soon.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.2-6ubuntu1.1

---------------
tuxguitar (1.2-6ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - debian/patches/03-CVE-2010-3385.patch: Use shell expansion when setting
      LD_LIBRARY_PATH. Patch from Debian. Thanks to Etienne Millon.
    - CVE-2010-3385
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 23:13:31 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tuxguitar - 1.1-1ubuntu4.1

---------------
tuxguitar (1.1-1ubuntu4.1) lucid-security; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #660923)
    - misc/tuxguitar.sh: Use shell expansion when setting LD_LIBRARY_PATH.
      Based on patch in Debian version 1.2-7. Thanks to Etienne Millon.
    - CVE-2010-3385
 -- Micah Gersten <email address hidden> Thu, 14 Oct 2010 23:09:45 -0500

Changed in tuxguitar (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in tuxguitar (Ubuntu Maverick):
status: Fix Committed → Fix Released