Bug#598421: CVE-2010-3377 -- security problem in a few files
Adam C Powell IV
hazelsct at debian.org
Wed Oct 13 16:07:36 UTC 2010
On Wed, 2010-10-13 at 17:40 +0200, Andre Espaze wrote:
> Hello Adam,
> >
> > There's a security bug in the Debian package for salome due to insecure
> > handling of LD_LIBRARY_PATH in a couple of places, bug 598421.
> >
> > To fix it, I've patched my runSalome script (this does not affect
> > upstream runSalome), and several upstream files, and pushed the fixes to
> > the alioth repository.
> >
> > Can you please forward upstream the *-secure-library-path.patch files
> > (*=gui, med, yacs)? Please mention that it fixes Common Vulnerabilities
> > and Exposures issue ID CVE-2010-3377 , as mentioned in the patches.
> Ok, I plan to submit them with the report on the 5.1.4 version. In case
> it is more urgent, just let me know.
Thanks. It's not really urgent for Debian because the package is only
in unstable, and this bug is fixed in alioth. As for upstream, it's a
locally-exploitable problem, i.e. a user can use it for privilege
escalation, so it's somewhat more important than the other patches.
Hopefully my current running build will work and I can upload 5.1.3-11
with this fix today, along with fixes for 15 other bugs (!)...
-Adam
--
GPG fingerprint: D54D 1AEE B11C CE9B A02B C5DD 526F 01E8 564E E4B6
Engineering consulting with open source tools
http://www.opennovation.com/
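The thread names the bug class (insecure handling of LD_LIBRARY_PATH in a launcher script, locally exploitable for privilege escalation) but not the specific lines that were patched. The following is an added illustration, not code from the Debian package, the alioth repository, or upstream SALOME. It assumes the common form of this mistake: unconditionally appending to LD_LIBRARY_PATH so that an unset or empty variable yields a search path with an empty element (a leading or trailing colon), which the dynamic loader treats as the current working directory. The directory name /usr/lib/salome is a constructed placeholder.

```sh
#!/bin/sh
# Added example: safe vs. unsafe extension of LD_LIBRARY_PATH in a
# wrapper script. Assumed pattern, not the actual salome patch.

# Unsafe form, kept only for comparison: with LD_LIBRARY_PATH unset or
# empty this produces ":/usr/lib/salome", and the empty element before
# the colon means "current directory" to the loader.
unsafe_append() {
    printf '%s\n' "$1:$2"
}

# Remove every empty element (leading ':', trailing ':', or '::') from a
# colon-separated search path. Globbing is disabled while the path is
# split into words so that an element such as "/opt/*" is kept literal.
strip_empty_elements() {
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    result=
    for element in "$@"; do
        [ -n "$element" ] || continue
        if [ -z "$result" ]; then
            result=$element
        else
            result="$result:$element"
        fi
    done
    printf '%s\n' "$result"
}

# Safe form: sanitise the inherited value first, then add the separator
# only when something non-empty remains.
safe_append() {
    existing=$(strip_empty_elements "$1")
    dir=$2
    if [ -z "$existing" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' "$existing:$dir"
    fi
}

# Check usable in a package lint or a build-time test: returns 0 when the
# given search path contains an empty element, 1 otherwise. An empty
# string has no elements at all and is reported as clean.
has_empty_element() {
    case "$1" in
        '')            return 1 ;;
        :*|*:|*::*)    return 0 ;;
        *)             return 1 ;;
    esac
}

# Stand-alone demonstration.
echo "unsafe: $(unsafe_append "${LD_LIBRARY_PATH:-}" /usr/lib/salome)"
echo "safe:   $(safe_append "${LD_LIBRARY_PATH:-}" /usr/lib/salome)"
```

The same `has_empty_element` check can be pointed at a script's final exported value (for example by sourcing the wrapper with `set -x` and inspecting the assignment) to confirm after a fix that no empty element survives, whatever the caller's environment contained.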