On Mon, Dec 07, 2009 at 12:05:22AM -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have
> not had time to determine whether the vulnerable code is actually
> present in any of the binary packages. Please determine whether this
> is the case. If the binary packages are not affected, please feel free
> to close the bug with a message containing the details of what you did
> to check.

I believe this bug report can be closed as false positive. I detail
below my verifications to that conclusion and I copy the security team
for insights.

- the imagemagick source package build-depends on libltdl-dev

- all binaries built by imagemagick depend (either directly or
  transitively) on libltdl7, see shell log [1] -- tested on amd64

- the build log of latest imagemagick on amd64 says:

    checking for ltdl.h... yes
    checking whether lt_dlinterface_register is declared... yes
    checking for lt_dladvise_preload in -lltdl... yes
    checking where to find libltdl headers...
    checking where to find libltdl library... -lltdl

  it also says, at link time

    LIBS            = -lMagickCore -llcms -ltiff -lfreetype -ljpeg -llqr-1 -lglib-2.0 -lfontconfig -lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lm -lgomp -lpthread -lltdl

  without any specific CFLAGS/LDFLAGS.

From all the above, I'm inclined to conclude that imagemagick uses
system-wide ltdl and hence is unaffected by this bug. Confirmation
and/or comments would be very welcome.

Cheers.

[1] grep ^Package imagemagick-6.5.8.3/debian/control |cut -f 2 -d' '|xargs aptitude download
    # snip
    z...@usha:/tmp$ for f in *.deb ; do echo $f ; dpkg --info $f |grep Depends: |grep -v libltdl7 ; done
    imagemagick_7%3a6.5.8.3-1_amd64.deb
    imagemagick-dbg_7%3a6.5.8.3-1_amd64.deb
     Depends: imagemagick (= 7:6.5.8.3-1), libmagick++2 (= 7:6.5.8.3-1), libmagickcore2-extra (= 7:6.5.8.3-1), perlmagick (= 7:6.5.8.3-1)
    imagemagick-doc_7%3a6.5.8.3-1_all.deb
    libmagick++2_7%3a6.5.8.3-1_amd64.deb
    libmagickcore2_7%3a6.5.8.3-1_amd64.deb
    libmagickcore2-extra_7%3a6.5.8.3-1_amd64.deb
    libmagickcore-dev_7%3a6.5.8.3-1_amd64.deb
    libmagick++-dev_7%3a6.5.8.3-1_amd64.deb
     Depends: libmagick++2 (= 7:6.5.8.3-1), libmagickcore-dev (= 7:6.5.8.3-1), libmagickwand-dev (= 7:6.5.8.3-1)
    libmagickwand2_7%3a6.5.8.3-1_amd64.deb
    libmagickwand-dev_7%3a6.5.8.3-1_amd64.deb
     Depends: libmagickwand2 (= 7:6.5.8.3-1), libmagickcore2-extra (= 7:6.5.8.3-1), libmagickcore-dev (= 7:6.5.8.3-1)
    perlmagick_7%3a6.5.8.3-1_amd64.deb
     Depends: perl (>= 5.10.1-8), perlapi-5.10.1, libc6 (>= 2.4), libmagickcore2 (>= 7:6.5.8.3), libperl5.10 (>= 5.10.1)

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
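
A script, added here as an example and not part of the original message, that performs the check in [1] mechanically instead of by reading the output by eye: given the Depends: fields of a source package's binaries (a constructed sample modelled on the dpkg --info output above, with invented version constraints), it reports for each binary whether it reaches the target library directly, transitively through a sibling binary, or not at all. It is written in Python rather than as the shell loop quoted above so that the transitive walk is explicit, and it matches whole package names, which a plain grep for the library name does not.

```python
import re
from typing import Dict, Set

# Constructed sample modelled on the ImageMagick binaries (versions invented).
SAMPLE_DEPENDS: Dict[str, str] = {
    "imagemagick": "libmagickcore2 (= 7:6.5.8.3-1), libltdl7 (>= 2.2.6b), libc6 (>= 2.4)",
    "imagemagick-dbg": "imagemagick (= 7:6.5.8.3-1), libmagick++2 (= 7:6.5.8.3-1), perlmagick (= 7:6.5.8.3-1)",
    "imagemagick-doc": "",
    "libmagickcore2": "libltdl7 (>= 2.2.6b), libc6 (>= 2.4)",
    "libmagick++2": "libmagickcore2 (= 7:6.5.8.3-1), libstdc++6 (>= 4.1.1)",
    "perlmagick": "perl (>= 5.10.1-8), libc6 (>= 2.4), libmagickcore2 (>= 7:6.5.8.3) | libmagickcore2-extra",
}
_NAME = re.compile(r"[a-z0-9][a-z0-9.+-]*")

def parse_depends(field: str) -> Set[str]:
    """Exact package names in a Depends: field (versions dropped, 'a | b' alternatives both kept)."""
    names: Set[str] = set()
    for clause in field.split(","):
        for alt in clause.split("|"):
            m = _NAME.match(alt.strip())
            if m:
                names.add(m.group(0))
    return names

def classify(depends: Dict[str, str], target: str) -> Dict[str, str]:
    """'direct', 'transitive' or 'none' per package; only edges into sibling binaries are followed."""
    graph = {pkg: parse_depends(field) for pkg, field in depends.items()}
    result: Dict[str, str] = {}
    for pkg, direct in graph.items():
        if target in direct:
            result[pkg] = "direct"
            continue
        seen, todo = set(), list(direct)  # depth-first walk through sibling packages
        while todo:
            cur = todo.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if target in graph.get(cur, set()):
                result[pkg] = "transitive"
                break
            todo.extend(graph.get(cur, set()))
        else:  # walk exhausted without meeting the target
            result[pkg] = "none"
    return result

if __name__ == "__main__":
    for pkg, how in sorted(classify(SAMPLE_DEPENDS, "libltdl7").items()):
        print(f"{pkg:18s} {how}")
```

A binary reported as "none" (here the constructed doc package) is exactly the case the mass bug asks to rule out by hand: it carries no dependency on the shared libltdl, so an embedded copy would have to be checked for separately.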
