Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Mon, 07 Dec 2009 05:03:14 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:00:18 -0500
Package: libextractor
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
Reply sent
to daniel@debian.org:
You have taken responsibility.
(Sat, 12 Dec 2009 07:15:08 GMT)
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Sat, 12 Dec 2009 07:15:08 GMT)
Subject: Re: CVE-2009-3736 local privilege escalation
Date: Sat, 12 Dec 2009 08:11:25 +0100
Version: 0.5.23+dfsg
as far as i can see, libextractor in unstable is not affected as it has
a recent enough ltdl.c embedded, thus closing.
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>: Bug#559819; Package libextractor.
(Sat, 12 Dec 2009 21:36:05 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Sat, 12 Dec 2009 21:36:05 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559819@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#559819 closed by Daniel Baumann <daniel@debian.org> (reply to daniel@debian.org) (Re: CVE-2009-3736 local privilege escalation)
Date: Sat, 12 Dec 2009 16:33:17 -0500
reopen 559819
thanks
On Sat, 12 Dec 2009 07:15:08 +0000 Debian Bug Tracking System wrote:
> as far as i can see, libextractor in unstable is not affected as it has
> a recent enough ltdl.c embedded, thus closing.
i've just checked 0.5.23+dfsg-3, and the patch is actually not applied.
please make sure to do a sufficient amount of research before closing
security issues. thanks.
mike
Bug No longer marked as fixed in versions 0.5.23+dfsg and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 12 Dec 2009 21:36:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>: Bug#559819; Package libextractor.
(Sat, 12 Dec 2009 21:48:05 GMT)
Acknowledgement sent
to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Sat, 12 Dec 2009 21:48:05 GMT)
Subject: Re: Bug#559819: closed by Daniel Baumann <daniel@debian.org> (reply to daniel@debian.org) (Re: CVE-2009-3736 local privilege escalation)
Date: Sat, 12 Dec 2009 22:45:33 +0100
Michael Gilbert wrote:
> i've just checked 0.5.23+dfsg-3, and the patch is actually not applied.
i've checked the diffs for ltdl.c from libtool 2.2.6a to 2.2.6b and
found nothing that is applicable.
> please make sure to do a sufficient amount of research before closing
> security issues. thanks.
if you have a patch for it, you should at least have the decency to
share it and attach it to the bug report. everything else is plain
stupid, error prone, and wasting other people's time.
thanks for consideration.
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>: Bug#559819; Package libextractor.
(Sat, 12 Dec 2009 21:57:04 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Sat, 12 Dec 2009 21:57:04 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559819@bugs.debian.org
Subject: Re: Bug#559819: closed by Daniel Baumann <daniel@debian.org> (reply to daniel@debian.org) (Re: CVE-2009-3736 local privilege escalation)
Date: Sat, 12 Dec 2009 16:52:25 -0500
On Sat, 12 Dec 2009 22:45:33 +0100 Daniel Baumann wrote:
> Michael Gilbert wrote:
> > i've just checked 0.5.23+dfsg-3, and the patch is actually not applied.
>
> i've checked the diffs for ltdl.c from libtool 2.2.6a to 2.2.6b and
> found nothing that is applicable.
>
> > please make sure to do a sufficient amount of research before closing
> > security issues. thanks.
>
> if you have a patch for it, you should at least have the decency to
> share it and attach it to the bug report. everything else is plain
> stupid, error prone, and wasting other people's time.
>
> thanks for consideration.
you can get to it from the mitre link that was included in the initial
report. the 2.x patch can be found in the redhat bug report [0], 5th
link down.
hope this helps,
mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>: Bug#559819; Package libextractor.
(Sat, 12 Dec 2009 23:10:20 GMT)
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Sat, 12 Dec 2009 23:10:20 GMT)
Hi all,
It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem. This is
not a sufficient solution since your package will still use the
embedded libtool code copy. You need to add '--without-included-ltdl'
to your configure arguments to do this right.
A verification, but not really a sufficient proof, is that
'ldd <your binaries>' shows that the system libtool is being used.
On another note, if your package is affected in either stable or
oldstable, it also must be fixed. The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.
Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).
Thank you for working on this issue.
Mike
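A small check for the verification described in the message above, added here as an example (not code from the bug report or from the libextractor package): it combines the ldd look for the shared system libltdl with an nm look for lt_dl* symbols defined in the object itself, which is the sign of a copy that is still embedded despite a build-dependency on libltdl3-dev. The helper names (classify_ltdl, check_file) and the sample ldd/nm outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: classify whether a built binary or shared library uses the
# system libltdl or still carries an embedded ltdl.c copy. Assumes ldd and
# nm (binutils) are installed; the helpers below are hypothetical.

# classify_ltdl LDD_OUTPUT NM_OUTPUT -> prints one of: embedded, system, none
#   embedded -> the object defines lt_dlopen/lt_dlinit/lt_dlexit itself,
#               i.e. the embedded copy is compiled in (checked first, because
#               it can coexist with a link against the system library)
#   system   -> ldd lists the shared system libltdl, as the message suggests
#   none     -> no ltdl involvement visible at all
classify_ltdl() {
    ldd_out=$1
    nm_out=$2
    if printf '%s\n' "$nm_out" | grep -Eq '[[:space:]]T[[:space:]]+lt_dl(open|init|exit)'; then
        echo embedded
    elif printf '%s\n' "$ldd_out" | grep -Eq 'libltdl\.so\.[0-9]'; then
        echo system
    else
        echo none
    fi
}

# check_file PATH: run ldd and nm on a real file and classify it.
# nm -D only sees exported symbols, so a stripped executable may hide an
# embedded copy; that is why ldd is a verification but not a proof.
check_file() {
    f=$1
    classify_ltdl "$(ldd "$f" 2>/dev/null)" "$(nm -D --defined-only "$f" 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real libextractor build)
SAMPLE_LDD_SYSTEM='    linux-gate.so.1 =>  (0xb7fe1000)
    libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7f90000)
    libc.so.6 => /lib/libc.so.6 (0xb7e20000)'
SAMPLE_NM_EMBEDDED='0000b2c0 T lt_dlexit
0000b560 T lt_dlinit
0000c120 T lt_dlopen'
SAMPLE_NM_CLEAN='00001234 T EXTRACTOR_getKeywords'

# Usage: sh check_ltdl.sh /path/to/libextractor.so.1 /path/to/extract
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_file "$f")"
    done
fi
```

A result of "embedded" for a package that already build-depends on libltdl3-dev is exactly the case the message warns about: the configure run still needs --without-included-ltdl.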
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>: Bug#559819; Package libextractor.
(Mon, 21 Dec 2009 22:12:13 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>.
(Mon, 21 Dec 2009 22:12:13 GMT)
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 559819@bugs.debian.org
Subject: Re: Bug#559819: closed by Daniel Baumann <daniel@debian.org> (reply to daniel@debian.org) (Re: CVE-2009-3736 local privilege escalation)
Date: Mon, 21 Dec 2009 23:09:01 +0100
On Sat, Dec 12, 2009 at 10:45:33PM +0100, Daniel Baumann wrote:
> if you have a patch for it, you should at least have the decency to
> share it and attach it to the bug report. everything else is plain
> stupid, error prone, and wasting other people's time.
>
> thanks for consideration.
If possible, please fix this by linking against the system copy of
ltdl.
Cheers,
Moritz
Reply sent
to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.
(Sun, 27 Dec 2009 15:24:10 GMT)
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Sun, 27 Dec 2009 15:24:10 GMT)
Subject: Bug#559819: fixed in libextractor 0.5.23+dfsg-4
Date: Sun, 27 Dec 2009 15:21:11 +0000
Source: libextractor
Source-Version: 0.5.23+dfsg-4
We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive:
extract_0.5.23+dfsg-4_i386.deb
to main/libe/libextractor/extract_0.5.23+dfsg-4_i386.deb
libextractor-dbg_0.5.23+dfsg-4_i386.deb
to main/libe/libextractor/libextractor-dbg_0.5.23+dfsg-4_i386.deb
libextractor-dev_0.5.23+dfsg-4_i386.deb
to main/libe/libextractor/libextractor-dev_0.5.23+dfsg-4_i386.deb
libextractor-plugins_0.5.23+dfsg-4_i386.deb
to main/libe/libextractor/libextractor-plugins_0.5.23+dfsg-4_i386.deb
libextractor1c2a_0.5.23+dfsg-4_i386.deb
to main/libe/libextractor/libextractor1c2a_0.5.23+dfsg-4_i386.deb
libextractor_0.5.23+dfsg-4.diff.gz
to main/libe/libextractor/libextractor_0.5.23+dfsg-4.diff.gz
libextractor_0.5.23+dfsg-4.dsc
to main/libe/libextractor/libextractor_0.5.23+dfsg-4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 559819@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated libextractor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 27 Dec 2009 14:44:18 +0100
Source: libextractor
Binary: libextractor1c2a libextractor-plugins libextractor-dbg libextractor-dev extract
Architecture: source i386
Version: 0.5.23+dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Debian GNUnet Maintainers <gnunet@lists.debian-maintainers.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description:
extract - displays meta-data from files of arbitrary type
libextractor-dbg - extracts meta-data from files of arbitrary type (debug)
libextractor-dev - extracts meta-data from files of arbitrary type (development)
libextractor-plugins - extracts meta-data from files of arbitrary type (plugins)
libextractor1c2a - extracts meta-data from files of arbitrary type (library)
Closes: 559819
Changes:
libextractor (0.5.23+dfsg-4) unstable; urgency=low
.
* Adding explicit debian source version 1.0 until switch to 3.0.
* Adding patch from Vincent Danen <vdanen@redhat.com> to fix flaw in
embedded libtool [CVE-2009-3736] (Closes: #559819).
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 07 Mar 2011 08:10:16 GMT)