Your message dated Sun, 10 Jan 2010 21:33:21 +0000
with message-id <[email protected]>
and subject line Bug#559840: fixed in sdcc 2.9.0-5
has caused the Debian Bug report #559840,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559840: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559840
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sdcc
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
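The report above asks the maintainer to determine whether the vulnerable libltdl code is actually present in any of the binary packages. The following is an added example of such a check, not part of the bug report or of the sdcc package: it scans an unpacked .deb for libltdl API symbols and separates binaries that use the system libltdl shared library (fixed through the libltdl package) from binaries that carry a private, compiled-in copy of ltdl.c (which need the package's own patch). The `make_sample_tree` helper builds a constructed stand-in for an unpacked package so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or the sdcc package: a check a
# maintainer could run to answer "is the vulnerable libltdl code actually
# present in any of the binary packages?". Assumes the .deb has been unpacked
# (dpkg-deb -x pkg.deb unpacked/) into the directory passed as $1.
#
# Files carrying libltdl API symbols fall into two classes:
#   dynamic  - also references libltdl.so: uses the system copy, which gets
#              the CVE-2009-3736 fix through the libltdl package itself.
#   embedded - symbols present but no libltdl.so reference: a private copy of
#              ltdl.c is compiled in and the package needs its own patch.

LTDL_MARKERS='lt_dlopen|lt_dlopenext|lt_dlinit|lt_dlexit|lt_dlsym'

# Print "dynamic: <path>" or "embedded: <path>" for one file, nothing otherwise.
classify_ltdl_use() {
    f=$1
    # -a scans binaries as text, -q suppresses output, -E enables alternation.
    grep -aqE "$LTDL_MARKERS" "$f" || return 0
    if grep -aq 'libltdl\.so' "$f"; then
        echo "dynamic: $f"
    else
        echo "embedded: $f"
    fi
}

# Walk an unpacked package tree; exit 0 if no embedded copy was found, 1 otherwise.
scan_unpacked_package() {
    status=0
    for f in $(find "$1" -type f); do   # assumes no whitespace in package paths
        line=$(classify_ltdl_use "$f")
        [ -n "$line" ] || continue
        echo "$line"
        case $line in embedded:*) status=1 ;; esac
    done
    return $status
}

# Constructed sample tree standing in for an unpacked package (not real sdcc files):
# one binary with a compiled-in libltdl, one linked against the shared library,
# and one plain text file that must not be reported.
make_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/usr/share/doc"
    printf 'ELF\0lt_dlopen\0lt_dlsym\0' > "$1/usr/bin/embeds-ltdl"
    printf 'ELF\0libltdl.so.7\0lt_dlopen\0' > "$1/usr/bin/links-ltdl"
    printf 'plain documentation text\n' > "$1/usr/share/doc/README"
}
```

Run it as `make_sample_tree /tmp/pkg && scan_unpacked_package /tmp/pkg`; a non-zero exit means at least one binary embeds its own libltdl and the bug should stay open until that copy is patched.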
--- Begin Message ---
Source: sdcc
Source-Version: 2.9.0-5
We believe that the bug you reported is fixed in the latest version of
sdcc, which is due to be installed in the Debian FTP archive:
sdcc-doc_2.9.0-5_all.deb
to main/s/sdcc/sdcc-doc_2.9.0-5_all.deb
sdcc-libraries_2.9.0-5_all.deb
to main/s/sdcc/sdcc-libraries_2.9.0-5_all.deb
sdcc-ucsim_2.9.0-5_i386.deb
to main/s/sdcc/sdcc-ucsim_2.9.0-5_i386.deb
sdcc_2.9.0-5.diff.gz
to main/s/sdcc/sdcc_2.9.0-5.diff.gz
sdcc_2.9.0-5.dsc
to main/s/sdcc/sdcc_2.9.0-5.dsc
sdcc_2.9.0-5_i386.deb
to main/s/sdcc/sdcc_2.9.0-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gudjon I. Gudjonsson <[email protected]> (supplier of updated sdcc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 09 Jan 2010 05:47:41 +0100
Source: sdcc
Binary: sdcc sdcc-libraries sdcc-ucsim sdcc-doc
Architecture: source i386 all
Version: 2.9.0-5
Distribution: unstable
Urgency: low
Maintainer: Gudjon I. Gudjonsson <[email protected]>
Changed-By: Gudjon I. Gudjonsson <[email protected]>
Description:
sdcc - Small Device C Compiler
sdcc-doc - Small Device C Compiler (documentation)
sdcc-libraries - Small Device C Compiler (libraries)
sdcc-ucsim - Micro-controller simulator for SDCC
Closes: 559840 560520
Changes:
sdcc (2.9.0-5) unstable; urgency=low
.
* Add patch 03_fix_cmdlex to fix compilation (Closes: #560520)
* Add patch 04_libtool_fix to fix CVE-2009-3736 local privilege escalation
After patching, ltdl.c is equal to the ltdl.c file in libtool 2.2.6b
(Closes: #559840)
* Add README.source file
--- End Message ---