Package: tau / 2.17.3.1.dfsg-4

Metadata

Package Version Patches format
tau 2.17.3.1.dfsg-4 3.0 (quilt)

Patch series

Patch File delta Description
0001 Error checking in build procedure.patch

Makefile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] error-checking in build procedure


0002 Makefile fixes to support use of VPATH.patch

src/Profile/Makefile | 102 51 + 51 - 0 !
src/TraceInput/Makefile | 6 3 + 3 - 0 !
2 files changed, 54 insertions(+), 54 deletions(-)

 [patch] Makefile fixes to support use of VPATH.


0003 Force use of fPIC.patch

src/Profile/Makefile | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] force use of -fPIC.


0004 Avoid LD_LIBRARY_PATH vulnerability CVE 2010 3382.patch

tools/src/tauex | 4 2 + 2 - 0 !
utils/slogconverter/tau2slog2.skel | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 [patch] avoid LD_LIBRARY_PATH vulnerability CVE-2010-3382.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3382
http://security-tracker.debian.org/tracker/CVE-2010-3382
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303

Raphael Geissert has found that this package contains a script that
can be abused by an attacker to execute arbitrary code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/tauex line 197:
export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH

When there's an empty item in the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD).
If the given script is executed from a directory to which a potential
local attacker can write files, there's a chance to exploit this
bug.

Patch by Julien Cristau <jcristau@debian.org>, adjusted for current
version and extended to tau2slog2 script.
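
The empty-item behaviour described for patch 0004, shown as an added example that is not code from the TAU package or from the Debian patch: it reproduces the assignment pattern from tauex line 197, compares it with the conditional `${var:+:$var}` expansion, and checks the result for empty list items. `TAU_LIB`, the function names and the sample values are constructed, and the conditional expansion is an assumed remedy, since this page does not show the patch's actual change.

```shell
#!/bin/sh
# Added example. TAU_LIB is a constructed stand-in for
# $TAUROOT/$TAUARCH/lib/$theBinding; all function names are hypothetical.
TAU_LIB=/opt/tau/x86_64/lib/shared

# Pattern from tauex line 197: the colon is appended unconditionally.
prepend_vulnerable() {   # $1 = directory to add, $2 = inherited value
    printf '%s\n' "$1:$2"
}

# Assumed remedy: emit the separator only if the inherited value is non-empty.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Succeeds when a non-empty list has an empty item
# (leading colon, trailing colon or doubled colon).
has_empty_entry() {
    case $1 in
        '') return 1 ;;
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drops empty items already present in an inherited value.
strip_empty_entries() {
    old_ifs=$IFS; IFS=:; set -f
    out=
    for item in $1; do
        if [ -n "$item" ]; then out="${out:+$out:}$item"; fi
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed case: the caller has no LD_LIBRARY_PATH set.
inherited=""
for fn in prepend_vulnerable prepend_safe; do
    result=$("$fn" "$TAU_LIB" "$inherited")
    if has_empty_entry "$result"; then
        verdict="empty item, so ld.so also searches the CWD"
    else
        verdict="no empty item"
    fi
    printf '%-20s %s (%s)\n' "$fn" "$result" "$verdict"
done
```

`has_empty_entry` can also be run over other wrapper scripts' computed values, and `strip_empty_entries` covers the case where the empty item was already in the inherited variable rather than introduced by the script.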

0005 Fix symlink vulnerability CVE 2008 5157.patch

tools/src/tau_cc.sh | 13 7 + 6 - 0 !
tools/src/tau_cxx.sh | 13 7 + 6 - 0 !
tools/src/tau_f90.sh | 20 7 + 13 - 0 !
tools/src/taucc | 13 7 + 6 - 0 !
tools/src/taucxx | 13 7 + 6 - 0 !
tools/src/tauf90 | 13 7 + 6 - 0 !
6 files changed, 42 insertions(+), 43 deletions(-)

 [patch] fix symlink vulnerability CVE-2008-5157

Patch from Anibal Monsalve Salazar <anibal@debian.org>, adjusted for
current version.

0006 Do not use liberty in include Makefile.patch

include/Makefile | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] do not use -liberty in include/Makefile


0007 Build fixes.patch

src/Profile/Comp_xl.cpp | 1 1 + 0 - 0 !
src/Profile/PthreadLayer.cpp | 2 2 + 0 - 0 !
2 files changed, 3 insertions(+)

 [patch] build fixes


0008 Replace echo e bashism with printf.patch

tools/src/perfexplorer/bin/Makefile.skel | 2 1 + 1 - 0 !
tools/src/tau_cc.sh | 20 10 + 10 - 0 !
tools/src/tau_compiler.sh | 106 53 + 53 - 0 !
tools/src/tau_cxx.sh | 20 10 + 10 - 0 !
tools/src/tau_f90.sh | 20 10 + 10 - 0 !
5 files changed, 84 insertions(+), 84 deletions(-)

 [patch] replace 'echo -e' bashism with 'printf'


0009 Use bash for script using pushd popd.patch

examples/bsp_bench/submitbgl.sh | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] use bash for script using pushd/popd


0010 Avoid bashism.patch

utils/archfind | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] avoid "&>" bashism