[Bug 897525] Re: Security Vulnerability Ember 0.5.7

Marc Deslauriers marc.deslauriers at canonical.com
Wed Nov 30 13:21:35 UTC 2011


Thanks for the debdiff, but there are a few problems with it:

1- The ember package doesn't exist in Oneiric, yet you seem to be applying a patch to that as per the debian/changelog file
2- Your debian/changelog entry doesn't contain a proper description of the issue, and the change the patch is accomplishing. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for some examples.
3- The patch itself does not contain proper tags, see http://dep.debian.net/deps/dep3/ for help on the proper tags that need to be added
4- The patch seems to contain modifications to debian/changelog. That shouldn't be done in a patch, but directly in the file.

I am unsubscribing ubuntu-security-sponsors for now. Once you have
uploaded a correct debdiff, please resubscribe ubuntu-security-sponsors
so it can get looked at. Thanks!


** Changed in: ember (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/897525

Title:
  Security Vulnerability Ember 0.5.7

Status in “ember” package in Ubuntu:
  Incomplete

Bug description:
  Ember 0.5.7 places a zero-length directory name in the
  LD_LIBRARY_PATH, which allows local users to gain privileges via a
  Trojan horse shared library in the current working directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ember/+bug/897525/+subscriptions
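
The bug description above concerns a zero-length entry in LD_LIBRARY_PATH, which the dynamic loader reads as the current working directory. The following is an added example, not Ember's launcher script or the patch under review: it shows one common way such an entry arises (prepending to an unset variable), the hardened form, and a check for empty entries. The directory /usr/lib/ember and all function names are constructed for illustration.

```shell
#!/bin/sh
# Return 0 if a colon-separated search path contains a zero-length entry.
has_empty_entry() {
    case "$1" in
        "")         return 1 ;;  # unset or empty: no entries at all
        :*|*:|*::*) return 0 ;;  # leading, trailing or doubled colon
        *)          return 1 ;;
    esac
}

# Weak pattern: always appends ":$old", so an unset or empty old value
# leaves a trailing colon, i.e. an empty entry.
prepend_unsafe() {  # $1 = directory to add, $2 = existing value
    printf '%s\n' "$1:$2"
}

# Hardened pattern: the colon is emitted only when the old value is non-empty.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Drop empty entries already present in an inherited value.
# Runs in a subshell so the IFS and globbing changes do not leak.
clean_path() (
    IFS=:
    set -f
    out=
    for d in $1; do
        if [ -n "$d" ]; then
            out="${out:+$out:}$d"
        fi
    done
    printf '%s\n' "$out"
)

# Constructed demonstration with an unset LD_LIBRARY_PATH.
lib=/usr/lib/ember   # sample directory, not taken from the package
for candidate in "$(prepend_unsafe "$lib" "")" "$(prepend_safe "$lib" "")"; do
    if has_empty_entry "$candidate"; then
        echo "UNSAFE: '$candidate' includes the current directory"
    else
        echo "ok:     '$candidate'"
    fi
done
```

prepend_safe does not sanitise an inherited value that already contains empty entries; pass the old value through clean_path first when that matters.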


