
Debian Bug report logs - #559828
CVE-2009-3736 local privilege escalation


Package: ski; Maintainer for ski is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:06:21 UTC

Severity: grave

Tags: security

Fixed in version 1.3.2-4+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ian Wienand <ianw@debian.org>:
Bug#559828; Package ski. (Mon, 07 Dec 2009 05:06:24 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ian Wienand <ianw@debian.org>. (Mon, 07 Dec 2009 05:06:24 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:03:35 -0500
Package: ski
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Information forwarded to debian-bugs-dist@lists.debian.org, Ian Wienand <ianw@debian.org>:
Bug#559828; Package ski. (Sat, 12 Dec 2009 23:09:27 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ian Wienand <ianw@debian.org>. (Sat, 12 Dec 2009 23:09:27 GMT)


Message #10 received at 559828@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike
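The two checks the message above asks maintainers to do (that `configure` is passed `--without-included-ltdl`, and that `ldd` on the built binaries resolves libltdl to a system library) are easy to script. The script below is an added example, not part of the bug report and not code from the ski package; the `debian/rules` contents and the `ldd` output it inspects are constructed sample text, and the grep over `debian/rules` is a heuristic (the flag could be assembled in a variable), so a miss there means "look by hand", not "affected".

```shell
#!/bin/sh
# Added example (not from the bug report or the ski package).
# Two checks for the advice in message #10:
#   does_rules_disable_embedded_ltdl  - does debian/rules pass
#       --without-included-ltdl to configure?
#   ldd_shows_system_ltdl             - does 'ldd <binary>' resolve libltdl
#       to a system library path?  (An embedded libltdl is compiled into the
#       binary and never shows up in ldd, which is why this is only weak
#       evidence, as the message says.)
# Both functions take their input as a string so constructed text can be fed in.

does_rules_disable_embedded_ltdl() {
    # $1: contents of debian/rules
    printf '%s\n' "$1" | grep -q -- '--without-included-ltdl'
}

ldd_shows_system_ltdl() {
    # $1: output of 'ldd <binary>'; match "libltdl.so.N => /lib/... or /usr/lib/..."
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*libltdl\.so[.0-9]*[[:space:]]*=>[[:space:]]*/(usr/)?lib'
}

# Constructed sample inputs (not real package data).
SAMPLE_RULES_BAD='override_dh_auto_configure:
	dh_auto_configure
'
SAMPLE_RULES_GOOD='override_dh_auto_configure:
	dh_auto_configure -- --without-included-ltdl
'
SAMPLE_LDD_EMBEDDED='	linux-vdso.so.1 (0x00007ffd0a1e0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2a000000)
'
SAMPLE_LDD_SYSTEM='	libltdl.so.7 => /usr/lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f1a2b000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2a000000)
'

# Usage on a real source tree after a build (paths are assumptions):
#   sh check-ltdl.sh debian/rules debian/ski/usr/bin/ski
check_package() {
    rules_file=$1
    shift
    if does_rules_disable_embedded_ltdl "$(cat "$rules_file")"; then
        echo "rules: OK, configure is passed --without-included-ltdl"
    else
        echo "rules: flag not found, embedded ltdl is probably still built in"
    fi
    for bin in "$@"; do
        if ldd_shows_system_ltdl "$(ldd "$bin" 2>/dev/null)"; then
            echo "$bin: links the system libltdl"
        else
            echo "$bin: no system libltdl (embedded copy, or ltdl unused); inspect further"
        fi
    done
}

if [ $# -gt 0 ]; then
    check_package "$@"
fi
```

Run it with no arguments and it only defines the functions, so it can be sourced from a larger build-check script; with a rules file and one or more binaries it prints one verdict line per input.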




Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 04 Mar 2012 11:05:09 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 04 Mar 2012 11:05:17 GMT)


Message #15 received at 559828-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 495889-done@bugs.debian.org,497506-done@bugs.debian.org,559828-done@bugs.debian.org,563890-done@bugs.debian.org,
Cc: ski@packages.debian.org, ski@packages.qa.debian.org
Subject: Bug#662066: Removed package(s) from unstable
Date: Sun, 04 Mar 2012 10:59:26 +0000
Version: 1.3.2-4+rm

Dear submitter,

as the package ski has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/662066

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Apr 2012 07:35:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 15 07:15:05 2025; Machine Name: berlioz
