On Tue, 2 Mar 2010 23:14:50 +0100, Stefano Zacchiroli wrote:
> On Mon, Dec 07, 2009 at 12:05:22AM -0500, Michael Gilbert wrote:
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I have determined that this package embeds a
> > vulnerable copy of the libtool source code. However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have
> > not had time to determine whether the vulnerable code is actually
> > present in any of the binary packages. Please determine whether this
> > is the case. If the binary packages are not affected, please feel free
> > to close the bug with a message containing the details of what you did
> > to check.
>
> I believe this bug report can be closed as false positive. I detail
> below my verifications to that conclusion and I copy the security team
> for insights.
>
> - the imagemagick source package build-depends on libltdl-dev
>
> - all binaries built by imagemagick depends (either directly or
>   transitively on libltdl7, see shell log [1]) -- tested on amd64
>
> - the build log of latest imagemagick on amd64 says:
>
>     checking for ltdl.h... yes
>     checking whether lt_dlinterface_register is declared... yes
>     checking for lt_dladvise_preload in -lltdl... yes
>     checking where to find libltdl headers...
>     checking where to find libltdl library... -lltdl
>
>   it also says, at link time
>
>     LIBS = -lMagickCore -llcms -ltiff -lfreetype -ljpeg -llqr-1
>     -lglib-2.0 -lfontconfig -lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lm -lgomp
>     -lpthread -lltdl
>
>   without any specific CFLAGS/LDFLAGS.
>
> From all the above, I'm inclined to conclude that imagemagick uses
> system-wide ltdl and hence is unaffected by this bug. Confirmation
> and/or comments would be very welcome.

also:

$ ldd /usr/bin/compare | grep ltdl
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7009000)

... (true for all of the other imagemagick binaries too)

i would say this is more than enough checking, and the bug can be
safely closed.

thanks!
mike
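
The `ldd` check from this thread, written as a script that can be run over every binary of a package; this is an added example, not part of either message. The names `classify_ltdl` and `check_binary` are hypothetical, and the `nm` test for a locally defined `lt_dlopen` is an added assumption about how a bundled libltdl copy would show up (it finds nothing on binaries whose symbols have been stripped).

```shell
#!/bin/sh
# Added example: decide where a binary gets libltdl from.
# classify_ltdl LDD_TEXT NM_TEXT prints: system | embedded | both | none
classify_ltdl() {
    ldd_text=$1
    nm_text=$2
    sys=0
    emb=0
    # "libltdl.so.N => /path" means the dynamic linker resolves the
    # system-wide shared library, as in the ldd output quoted above.
    if printf '%s\n' "$ldd_text" |
        grep -Eq '^[[:space:]]*libltdl\.so\.[0-9]+ => /'; then
        sys=1
    fi
    # lt_dlopen defined in the binary's own text section (T or t) means
    # libltdl code was compiled into the binary itself.
    if printf '%s\n' "$nm_text" |
        grep -Eq '[[:space:]][Tt][[:space:]]+lt_dlopen(@|$)'; then
        emb=1
    fi
    case "$sys$emb" in
        10) echo system ;;
        01) echo embedded ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# check_binary PATH: collect ldd and nm output for one ELF file.
# Both the static and the dynamic symbol table are queried, because a
# stripped shared object still keeps its exported (dynamic) symbols.
check_binary() {
    ldd_out=$(ldd "$1" 2>/dev/null) || ldd_out=
    nm_out=$( { nm --defined-only "$1"; nm -D --defined-only "$1"; } 2>/dev/null ) || true
    printf '%s: %s\n' "$1" "$(classify_ltdl "$ldd_out" "$nm_out")"
}

# Usage: sh check-ltdl.sh /usr/bin/compare /usr/bin/convert ...
for f in "$@"; do
    check_binary "$f"
done
```

A result of `system` matches the conclusion reached in the thread; `embedded` or `both` would mean the bundled copy still needs to be checked against the CVE.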