[Pkg-cli-apps-commits] [SCM] Tomboy - desktop note taking program using Wiki style links branch, master, updated. debian/1.2.2-1-1-gfbe1c22
Iain Lane
laney at ubuntu.com
Mon Nov 29 12:04:52 UTC 2010
The following commit has been merged in the master branch:
commit fbe1c22233401dd44e9946c75f6b39bd688a11c6
Author: Iain Lane <laney at ubuntu.com>
Date: Mon Nov 29 11:41:07 2010 +0000

    Fix insecure LD_LIBRARY_PATH

    A vulnerability existed where if LD_LIBRARY_PATH were set but empty, a
    trailing : as a path separator would still be appended to the path,
    exposing an insecure/invalid search path. GST_PLUGINS_PATH was
    similarly vulnerable.

    Using :+: instead of +: prevents this as ${X:+:$X} returns X iff X is
    set and not empty whereas ${X+:$X} returns X iff X is set (it may be
    empty).

    References: CVE-2010-4005
    Closes: #605096

diff --git a/debian/patches/00_LD_LIBRARY_PATH_CVE-2010-4005 b/debian/patches/00_LD_LIBRARY_PATH_CVE-2010-4005
new file mode 100644
index 0000000..546ee84
--- /dev/null
+++ b/debian/patches/00_LD_LIBRARY_PATH_CVE-2010-4005
@@ -0,0 +1,39 @@
+Description: Fix unsafe LD_LIBRARY_PATH setting (CVE-2010-4005)
+Author: Luis Medinas <lmedinas at gnome.org>
+Origin: https://bugzilla.gnome.org/show_bug.cgi?id=635614
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605096
+Bug-Upstream: https://bugzilla.gnome.org/show_bug.cgi?id=635614
+Forwarded: not-needed
+
+Index: tomboy.git/Tomboy/tomboy.in
+===================================================================
+--- tomboy.git.orig/Tomboy/tomboy.in 2010-11-29 01:10:11.170557627 +0000
++++ tomboy.git/Tomboy/tomboy.in 2010-11-29 01:09:46.128629088 +0000
+@@ -3,13 +3,13 @@
+ if [ "x$PWD" = "x at srcdir@" ] ; then
+ echo "*** Running uninstalled @target@ ***"
+
+- export LD_LIBRARY_PATH="../libtomboy/.libs${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:./Addins/PrintNotes/.libs"
++ export LD_LIBRARY_PATH="../libtomboy/.libs${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}:./Addins/PrintNotes/.libs"
+ export TOMBOY_WRAPPER_PATH="$PWD/@wrapper@"
+ export MONO_PATH=$MONO_PATH:./Addins:../Mono.Addins/Mono.Addins:../Mono.Addins/Mono.Addins.Setup:../Mono.Addins/Mono.Addins.Gui
+
+ THIS_EXE="--debug ./@target@"
+ else
+- export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++ export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+ export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+
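Review bot: the MONO_PATH exports in both branches of this tomboy.in hunk still expand `$MONO_PATH:` unguarded and unquoted, so with MONO_PATH unset or empty the value starts with a bare ":" and carries an empty first element, the same shape this change removes from LD_LIBRARY_PATH. Consider `export MONO_PATH="${MONO_PATH:+$MONO_PATH:}@pkglibdir@:@pkglibdir@/addins"` and the equivalent in the uninstalled branch, or state in the patch description why an empty MONO_PATH element is harmless. The uninstalled branch also keeps relative entries (`../libtomboy/.libs`, `./Addins/PrintNotes/.libs`) that resolve against the current directory; if that is intended behind the `$PWD` check, a comment saying so would help.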
+Index: tomboy.git/Tomboy/tomboy-panel.in
+===================================================================
+--- tomboy.git.orig/Tomboy/tomboy-panel.in 2010-11-29 01:10:10.770526817 +0000
++++ tomboy.git/Tomboy/tomboy-panel.in 2010-11-29 01:10:00.929768958 +0000
+@@ -1,6 +1,6 @@
+ #!/usr/bin/env bash
+
+-export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
++export LD_LIBRARY_PATH="@pkglibdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+ export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins
+ export TOMBOY_WRAPPER_PATH="@bindir@/@wrapper@"
+ TOMBOY_CONFIG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/tomboy"
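Review bot: the commit message says GST_PLUGINS_PATH was similarly vulnerable, but neither the tomboy.in hunk nor this tomboy-panel.in hunk changes a GST_PLUGINS_PATH assignment, so either that fix is missing from the patch or the message over-describes it. Please add the hunk, or reword the message and say where GST_PLUGINS_PATH is handled. The context line `export MONO_PATH=$MONO_PATH:@pkglibdir@:@pkglibdir@/addins` here has the same unguarded leading-colon pattern as in tomboy.in and should get the same `${MONO_PATH:+$MONO_PATH:}` treatment.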
diff --git a/debian/patches/series b/debian/patches/series
index 58102f6..e77b700 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+00_LD_LIBRARY_PATH_CVE-2010-4005
01_dllmaps.patch
10_disable_unit_tests
20_remove_pcfile_requires
--
Tomboy - desktop note taking program using Wiki style links
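
The difference between the two expansion forms described in the commit message, as an added example that is not part of the original commit or of the Tomboy scripts. It uses a scratch variable `V` rather than the real LD_LIBRARY_PATH, and `/usr/lib/tomboy` is a constructed stand-in for `@pkglibdir@`; ld.so treats a zero-length LD_LIBRARY_PATH entry as the current working directory, which is why an empty element matters.

```shell
#!/bin/sh
# Added example: ${V+:$V} versus ${V:+:$V} when appending to a search path.
# PKGLIBDIR is a constructed stand-in for the @pkglibdir@ substitution.
PKGLIBDIR=/usr/lib/tomboy

# build_path FORM STATE [VALUE]
#   FORM  : plus (old, ${V+:$V}) or colon_plus (fixed, ${V:+:$V})
#   STATE : unset, empty, or set (VALUE is used only for "set")
# Runs in a subshell so the scratch variable V never leaks to the caller.
build_path() (
    unset V
    case $2 in
        empty) V= ;;
        set)   V=$3 ;;
    esac
    case $1 in
        plus)       printf '%s\n' "$PKGLIBDIR${V+:$V}" ;;
        colon_plus) printf '%s\n' "$PKGLIBDIR${V:+:$V}" ;;
    esac
)

# has_empty_element PATH
#   Succeeds if PATH is empty or has a leading, trailing or doubled ':',
#   i.e. at least one zero-length entry.
has_empty_element() {
    case $1 in
        ''|:*|*:|*::*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the result for every combination of variable state and form.
for state in unset empty set; do
    for form in plus colon_plus; do
        p=$(build_path "$form" "$state" /opt/lib)
        if has_empty_element "$p"; then
            verdict="EMPTY ELEMENT"
        else
            verdict="ok"
        fi
        printf '%-6s %-11s %-26s %s\n' "$state" "$form" "$p" "$verdict"
    done
done
```

Only the set-but-empty state separates the two forms; `has_empty_element` can be reused as a lint check on other wrapper scripts that assemble colon-separated paths.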