Bug#559841: CVE-2009-3736 local privilege escalation
Although wml has an embedded copy of Libtool's ltdl.c, it is not affected by this bug. The possibly vulnerable file is located in an unused directory containing mp4h source code. Mp4h has its own source package, which builds the binary package of the same name. Wml uses the executable provided by the package mp4h instead of building it itself. I also checked this by comparing file access times before and after I built the package.

The source package wml has a lot of unused files; this could be documented in README.Source. Since Debian ships a repackaged wml anyway, these files could also be removed from the tarball. Another option is simply closing this bug. This decision is up to the maintainer, I just change the severity and remove the security tag.

Regards
Carsten

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100216223748.gk24...@foghorn.stateful.de
Bug#559841: CVE-2009-3736 local privilege escalation
Hi!

* Michael Gilbert <michael.s.gilb...@gmail.com> [091207 06:08]:
> The following CVE (Common Vulnerabilities & Exposures) id was published for libtool.
> I have determined that this package embeds a vulnerable copy of the libtool source code.

Could it be that the package wml is not affected? While the source package indeed contains the named sources (but I found no version in it), the only shared object I found in the binary package is /usr/lib/wml/perl/lib/i486-linux-gnu-thread-multi/auto/WML/GD/GD.so. And ldd doesn't list it:

  ldd /usr/lib/wml/perl/lib/i486-linux-gnu-thread-multi/auto/WML/GD/GD.so
          linux-gate.so.1 =>  (0xb7fee000)
          libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7fb1000)
          libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e6a000)
          /lib/ld-linux.so.2 (0xb7fef000)

Best Regards,
Alexander
Bug#559841: CVE-2009-3736 local privilege escalation
Package: wml
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug filing (due to so many packages embedding libtool), I have not had time to determine whether the vulnerable code is actually present in any of the binary packages. Please determine whether this is the case. If the binary packages are not affected, please feel free to close the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package is affected, please coordinate with the security team to release the DSA for the affected packages.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
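The check the report asks for (does the binary package actually carry libltdl code?) as an added shell example; this is not code from the bug report, from wml or from Debian. It generalises the single-file ldd check shown earlier in the thread to a whole unpacked package tree, and adds a byte-string check for lt_dl* symbol names, because an ltdl.c that was compiled into a binary leaves no libltdl.so in ldd output. The directory layout, the file names in the comments and the marker list are assumptions; the byte-string check is a heuristic that points at files to inspect, not proof that they are vulnerable.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the wml package.
# Heuristically checks whether files under a directory tree (for instance
# a binary package unpacked with `dpkg-deb -x foo.deb dir`) carry libltdl
# code, either linked dynamically or compiled in.
#
# Two checks, mirroring the thread:
#   1. ldd(1) lists libltdl.so as a dependency        -> dynamic linkage
#   2. the file contains lt_dl* symbol names as bytes  -> ltdl.c compiled in
# Check 2 is a byte-string heuristic and can give false positives (a
# program that merely mentions lt_dlopen in a help text), so its hits are
# leads to confirm with nm(1) or objdump(1), not proof of vulnerability.

# Succeeds if $1 starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Succeeds if ldd(1) reports a libltdl dependency for $1.
# Only call this on files is_elf accepted; ldd on junk just fails.
links_ltdl() {
    ldd "$1" 2>/dev/null | grep -q 'libltdl\.so'
}

# Succeeds if $1 contains libltdl symbol names or the library name.
# grep -a treats binary input as text; -q stops at the first hit.
has_ltdl_markers() {
    grep -a -q -E 'lt_dl(open|init|exit|advise|sym|error)|libltdl' "$1" 2>/dev/null
}

# Walks $1 and prints one "<reason><TAB><path>" line per finding.
# if/then is used instead of && so the loop body always exits 0 under set -e.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        if is_elf "$f" && links_ltdl "$f"; then
            printf 'ldd:libltdl\t%s\n' "$f"
        fi
        if has_ltdl_markers "$f"; then
            printf 'bytes:lt_dl\t%s\n' "$f"
        fi
    done
}

# Succeeds if scan_tree found anything under $1, i.e. the package is a
# candidate for CVE-2009-3736 and needs a closer look.
tree_has_ltdl() {
    [ -n "$(scan_tree "$1")" ]
}

# Usage: sh scan-ltdl.sh /path/to/unpacked/package
if [ -n "$1" ]; then
    if tree_has_ltdl "$1"; then
        scan_tree "$1"
    else
        echo "no libltdl markers found under $1"
    fi
fi
```

A clean result from both checks is the evidence the report asks to be put in the closing message; a hit from the byte-string check alone, as would happen for a statically linked ltdl.c, should be followed up with `nm -D` or `objdump -T` on the flagged file before treating the package as affected.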