Report forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#559808; Package gnash.
(Mon, 07 Dec 2009 04:57:18 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Mon, 07 Dec 2009 04:57:18 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Sun, 6 Dec 2009 23:55:11 -0500
Package: gnash
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#559808; Package gnash.
(Sat, 12 Dec 2009 23:09:50 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Sat, 12 Dec 2009 23:09:50 GMT)
Hi all,
It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem. This is
not a sufficient solution since your package will still use the
embedded libtool code copy. You need to add '--without-included-ltdl'
to your configure arguments to do this right.
A verification, but not really a sufficient proof, is that
'ldd <your binaries>' shows that the system libtool is being used.
On another note, if your package is affected in either stable or
oldstable, it also must be fixed. The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.
Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).
Thank you for working on this issue.
Mike
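The message above says `ldd` showing the system libltdl is a hint, not a proof, because a binary can still carry its own copy of ltdl.c. The following check is an added example, not part of the bug log or of gnash's packaging: it combines the `ldd` hint with the symbol table, where an embedded copy *defines* the `lt_dl*` symbols while a binary using the shared library *imports* them. It assumes `ldd` and `nm` from binutils; the sample tool output is constructed, and the "no-ltdl-symbols" verdict is only conclusive on an unstripped binary (or one with debug symbols), since stripping hides a statically embedded copy.

```shell
#!/bin/sh
# Added example: classify how a binary uses libltdl from `ldd` and `nm` output.
# classify_ltdl <ldd-output> <nm-output> prints one of:
#   system            libltdl.so is a dependency and lt_dl* symbols are imported
#   embedded          lt_dl* symbols are defined inside the binary itself
#   no-ltdl-symbols   neither linked nor defined (conclusive only if unstripped)
#   suspicious        libltdl.so linked but no lt_dl* import visible: check by hand
classify_ltdl() {
    ldd_out=$1
    nm_out=$2
    links_ltdl=0
    printf '%s\n' "$ldd_out" | grep -q 'libltdl\.so' && links_ltdl=1
    # "T lt_dlopen": the symbol lives in this object's own text section,
    # i.e. the embedded ltdl.c was compiled in.
    if printf '%s\n' "$nm_out" | grep -Eq '[[:space:]][Tt][[:space:]]+lt_dl'; then
        echo embedded
        return 0
    fi
    # "U lt_dlopen": undefined here, so resolved from a shared library at runtime.
    if printf '%s\n' "$nm_out" | grep -Eq '[[:space:]]U[[:space:]]+lt_dl'; then
        if [ "$links_ltdl" -eq 1 ]; then echo system; else echo suspicious; fi
        return 0
    fi
    if [ "$links_ltdl" -eq 1 ]; then echo suspicious; else echo no-ltdl-symbols; fi
}

# check_binary <path>: run the real tools on an installed binary.
# `nm` (full table) is preferred over `nm -D` so a non-exported embedded copy
# still shows up; it only works on unstripped binaries or with a -dbg package.
check_binary() {
    classify_ltdl "$(ldd "$1" 2>/dev/null)" "$(nm "$1" 2>/dev/null)"
}

# Constructed sample output, abbreviated from what the tools print.
SAMPLE_LDD_SYSTEM='    libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_NM_SYSTEM='                 U lt_dlopen
                 U lt_dlinit
0000000000401000 T main'
SAMPLE_NM_EMBEDDED='0000000000412340 T lt_dlopen
0000000000412500 T lt_dlinit
0000000000401000 T main'

if [ "$#" -gt 0 ]; then
    for bin in "$@"; do printf '%s: %s\n' "$bin" "$(check_binary "$bin")"; done
fi
```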
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#559808; Package gnash.
(Wed, 30 Dec 2009 12:33:03 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Wed, 30 Dec 2009 12:33:03 GMT)
Subject: Re: CVE-2009-3736 local privilege escalation
Date: Wed, 30 Dec 2009 13:29:50 +0100
On Sun, Dec 06, 2009 at 11:55:11PM -0500, Michael Gilbert wrote:
> Package: gnash
> Severity: grave
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool. I have determined that this package embeds a
> vulnerable copy of the libtool source code. However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the package is not affected, please feel free to close the bug
> with a message containing the details of what you did to check.
Gnash already has a Build-Depends on the shared copy, but it appears
as if only the hppa build links against the system copy. I suppose
this needs to be configured explicitly by passing "--without-included-ltdl"
to the configure call.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>: Bug#559808; Package gnash.
(Mon, 25 Jan 2010 10:24:12 GMT)
Acknowledgement sent
to Stefano Zacchiroli <zack@debian.org>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.
(Mon, 25 Jan 2010 10:24:12 GMT)
tags 559808 + help
thanks
On Wed, Dec 30, 2009 at 01:29:50PM +0100, Moritz Muehlenhoff wrote:
> Gnash already has a Build-Depends on the shared copy, but it appears
> as if only the hppa build links against the system copy. I suppose
> this needs to be configured explicitly by passing "--without-included-ltdl"
> to the configure call.
I've been rebuilding gnash passing explicitly --without-included-ltdl
(patch attached), but that does not seem to be enough to have the main
gnash package linked against system-wide ltdl. ldd confirms that the
gtk-gnash executable is not linked against ltdl, whereas the other
binary packages of gnash do link against the system-wide library (that
was the case also without the patch).
At first sight configure.ac seems to be doing the right thing in _not_
forcing the convenience library (it does that only if older versions of
libltdl are found in the sources, which is no longer the case).
Bottom line: some more investigation is needed.
Maintainer: any comment?
Cheers.
--
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Behind a great man there is always a backpack | And don't hold it against me if I call you "tu"
                                              | I say "tu" to everyone I love
Added tag(s) help.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Mon, 25 Jan 2010 10:24:15 GMT)
Severity set to 'important' from 'grave'
Request was from Moritz Muehlenhoff <jmm@debian.org>
to control@bugs.debian.org.
(Wed, 28 Apr 2010 22:03:02 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>: Bug#559808; Package gnash.
(Wed, 08 Jun 2011 19:03:06 GMT)
Acknowledgement sent
to Javier Serrano Polo <javier@jasp.net>:
Extra info received and forwarded to list. Copy sent to Debian Flash Team <pkg-flash-devel@lists.alioth.debian.org>.
(Wed, 08 Jun 2011 19:03:06 GMT)
Reply sent
to Gabriele Giacone <1o5g4r8o@gmail.com>:
You have taken responsibility.
(Sun, 19 Jun 2011 00:09:03 GMT)
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Sun, 19 Jun 2011 00:09:04 GMT)