Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
On Tue, Dec 08, 2009 at 01:42:23AM +0100, Manuel Prinz wrote:
> Here's the debdiff. Changes are checked into our SVN repo.
>
> Best regards
> Manuel

You should rather use the copy of libltdl currently in the archive, or is there a technical reason which prevents this?

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
Hi Moritz!

On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
> You should rather use the copy of libltdl currently in the archive, or is there a technical reason which prevents this?

I'm aware of that and discussed it with upstream. They said it would require quite some changes to the build system, since they decided to use a copy of libtool for technical and practical reasons and only support that. I of course might be able to hack support for using the system libtool into it, but I thought fixing security issues in a timely manner is generally preferred, especially if the issue is that simple to fix. Also, I do not quite understand how using Debian's libtool would help, as it seems vulnerable as well and is not fixed yet. If I misunderstood the situation, please correct me.

Don't get me wrong: I really appreciate the work the security team does, and I wanted to help you by fixing the issue ASAP. If this was wrong, I apologize! The solution as is should be seen as an interim solution. I will try to make Open MPI use libtool, though this is something I can't see happening in a reasonable time frame at the moment. Leaving RC bugs open for weeks does not help anyone, so I fixed the issue the way I did, by patching the local copy. If this is not an acceptable solution, please reopen. I just had good intentions, and am open to criticism and discussion, and willing to learn.

Also, please clarify the state in etch and lenny. We did not build static libs, so no .la files there. This version of libtool is not used outside of MPI. Am I supposed to fix those packages as well, as users might modify debian/rules and build static binaries? I did assume this not to be the case, but I'm irritated now.

Best regards
Manuel
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
On Tue, Dec 08, 2009 at 09:46:45PM +0100, Manuel Prinz wrote:
> Hi Moritz!
>
> On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
>> You should rather use the copy of libltdl currently in the archive, or is there a technical reason which prevents this?
>
> I'm aware of that and discussed it with upstream. They said it would require quite some changes to the build system, since they decided to use a copy of libtool for technical and practical reasons and only support that. I of course might be able to hack support for using the system libtool into it, but I thought fixing security issues in a timely manner is generally preferred, especially if the issue is that simple to fix. Also, I do not quite understand how using Debian's libtool would help, as it seems vulnerable as well and is not fixed yet. If I misunderstood the situation, please correct me.
>
> Don't get me wrong: I really appreciate the work the security team does, and I wanted to help you by fixing the issue ASAP. If this was wrong, I apologize! The solution as is should be seen as an interim solution. I will try to make Open MPI use libtool, though this is something I can't see happening in a reasonable time frame at the moment. Leaving RC bugs open for weeks does not help anyone, so I fixed the issue the way I did, by patching the local copy. If this is not an acceptable solution, please reopen. I just had good intentions, and am open to criticism and discussion, and willing to learn.

No problem, fixing the issue ad hoc is of course preferred and using the system copy the long-term goal (if there are technical issues (that's why I asked) you can also leave it as-is). Embedding a copy of libtool is rather harmless compared to, e.g., an embedded copy of libavcodec.

> Also, please clarify the state in etch and lenny. We did not build static libs, so no .la files there. This version of libtool is not used outside of MPI. Am I supposed to fix those packages as well, as users might modify debian/rules and build static binaries? I did assume this not to be the case, but I'm irritated now.

You can leave etch and lenny untouched, the impact doesn't warrant an update.

Cheers,
Moritz
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
Hi Moritz!

On Tuesday, 08.12.2009, 22:28 +0100, Moritz Muehlenhoff wrote:
> You can leave etch and lenny untouched, the impact doesn't warrant an update.

Thanks for clarifying!

Best regards
Manuel
Bug#559836: CVE-2009-3736 local privilege escalation
Manuel, are you going to handle this issue or do you want me to do it?

Thanks
Sylvestre

On Monday, 7 December 2009 at 00:06 -0500, Michael Gilbert wrote:
> Package: openmpi
> Severity: grave
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug filing (due to so many packages embedding libtool), I have not had time to determine whether the vulnerable code is actually present in any of the binary packages. Please determine whether this is the case. If the binary packages are not affected, please feel free to close the bug with a message containing the details of what you did to check.
>
> CVE-2009-3736[0]:
> | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> | attempts to open a .la file in the current working directory, which
> | allows local users to gain privileges via a Trojan horse file.
>
> Note that this problem also affects etch and lenny, so if your package is affected, please coordinate with the security team to release the DSA for the affected packages.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> For further information see:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
>     http://security-tracker.debian.org/tracker/CVE-2009-3736
Bug#559836: CVE-2009-3736 local privilege escalation
On Monday, 7 December 2009 at 13:30 +0100, Manuel Prinz wrote:
> On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
>> Manuel, are you going to handle this issue or do you want me to do it?
>
> I can take care of that. I've forwarded this upstream already. The best option would be having a fixed libtool available, or trying to use the backported patch in the CVE. Information on fixing this is quite sparse, unfortunately. I hope that there will be some more information in the thread on d-d. I can take care of it this evening. If you want to go faster, feel free to do so. You don't need to ask for permission. We're a team, aren't we? ;)

Indeed, but sometimes you have upcoming modifications :)

Sylvestre
Bug#559836: CVE-2009-3736 local privilege escalation
On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
> Manuel, are you going to handle this issue or do you want me to do it?

I can take care of that. I've forwarded this upstream already. The best option would be having a fixed libtool available, or trying to use the backported patch in the CVE. Information on fixing this is quite sparse, unfortunately. I hope that there will be some more information in the thread on d-d.

I can take care of it this evening. If you want to go faster, feel free to do so. You don't need to ask for permission. We're a team, aren't we? ;)

Best regards
Manuel
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Hi Michael!

On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug filing (due to so many packages embedding libtool), I have not had time to determine whether the vulnerable code is actually present in any of the binary packages. Please determine whether this is the case. If the binary packages are not affected, please feel free to close the bug with a message containing the details of what you did to check.

AIUI, only the versions in squeeze and sid (identical) are affected. We did not have static library support in the versions in etch and lenny, so there are no .la files contained in the packages and they therefore should not be vulnerable.

I'm preparing a fix at the moment, which I can upload soon. I'd like to know with which priority to upload, and where. The ST suggests urgency of medium, but I'm unsure which queue to use. As I understand dev-ref, an upload to ftp-master should suffice since {old,}stable is not affected. (Sorry, first CVE…) I'll send the debdiff for review as soon as the build finishes.

Best regards
Manuel
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Here's the debdiff. Changes are checked into our SVN repo. Best regards Manuel diff -u openmpi-1.3.3/debian/changelog openmpi-1.3.3/debian/changelog --- openmpi-1.3.3/debian/changelog +++ openmpi-1.3.3/debian/changelog @@ -1,3 +1,10 @@ +openmpi (1.3.3-4) unstable; urgency=medium + + * Fixed security issue in copy of libtool, see CVE-2009-3736. +Closes: #559836. + + -- Manuel Prinz man...@debian.org Tue, 08 Dec 2009 00:58:02 +0100 + openmpi (1.3.3-3.1) unstable; urgency=low * Non-maintainer upload with the maintainer's permission. diff -u openmpi-1.3.3/debian/patches/series openmpi-1.3.3/debian/patches/series --- openmpi-1.3.3/debian/patches/series +++ openmpi-1.3.3/debian/patches/series @@ -4,0 +5 @@ +libtool only in patch2: unchanged: --- openmpi-1.3.3.orig/debian/patches/libtool +++ openmpi-1.3.3/debian/patches/libtool @@ -0,0 +1,31 @@ +Description: Fix security issue in libtool copy + This patch fixes a security issue in libtool's dlopen(). This is CVE-2009-3736 + (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736). +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559836 +Author: Manuel Prinz man...@debian.org +Last-Update: 2009-12-08 +--- + opal/libltdl/ltdl.c |5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/opal/libltdl/ltdl.c b/opal/libltdl/ltdl.c +@@ -529,7 +529,8 @@ + /* Try to open the old library first; if it was dlpreopened, + we want the preopened version of it, even if a dlopenable + module is available. */ +- if (old_name tryall_dlopen (handle, old_name, advise, 0) == 0) ++ if (old_name tryall_dlopen (handle, old_name, ++ advise, lt_dlloader_find (lt_preopen) ) == 0) + { + return 0; + } +@@ -1345,7 +1346,7 @@ + } + #endif + } +- if (!file) ++ else + { + file = fopen (attempt, LT_READTEXT_MODE); + }
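Review bot: in the first ltdl.c hunk (`@@ -529,7 +529,8 @@`) the operator between `old_name` and `tryall_dlopen (...)` is missing from both the `-` and the `+` lines (`if (old_name tryall_dlopen (handle, old_name, advise, 0) == 0)`), so the patch as pasted here would not compile; this looks like the list archive swallowing the `&&`, but please confirm the copy committed to SVN still reads `if (old_name && tryall_dlopen (handle, old_name, advise, lt_dlloader_find (lt_preopen) ) == 0)`. Passing the preopen loader instead of `0` is what restricts the `old_name` lookup to dlpreopened modules, matching the intent stated in the comment directly above the call.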
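Review bot: in the second ltdl.c hunk (`@@ -1345,7 +1346,7 @@`) replacing `if (!file)` with `else` turns the fallback `file = fopen (attempt, LT_READTEXT_MODE);` from "run whenever the earlier lookups found nothing" into "run only on the other branch of an `if` that sits above the visible context", which is the change that stops a bare module name from being opened relative to the current working directory; since that `if` is not shown, please verify in the committed file that the `else` now attaches to the intended condition (the one guarding the search-path lookup for names without a directory component) and not to the preceding `#endif`-wrapped block. It would also help to record in the DEP-3 header of debian/patches/libtool that both hunks are a backport of the upstream libtool 2.2.6b fix, so the patch can be dropped when the embedded opal/libltdl copy is upgraded.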
Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Manuel Prinz wrote:
> Hi Michael!
>
> On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
>> The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug filing (due to so many packages embedding libtool), I have not had time to determine whether the vulnerable code is actually present in any of the binary packages. Please determine whether this is the case. If the binary packages are not affected, please feel free to close the bug with a message containing the details of what you did to check.
>
> AIUI, only the versions in squeeze and sid (identical) are affected. We did not have static library support in the versions in etch and lenny, so there are no .la files contained in the packages and they therefore should not be vulnerable.
>
> I'm preparing a fix at the moment, which I can upload soon. I'd like to know with which priority to upload, and where. The ST suggests urgency of medium, but I'm unsure which queue to use. As I understand dev-ref, an upload to ftp-master should suffice since {old,}stable is not affected. (Sorry, first CVE…)

As only sid and squeeze are affected, uploading with medium urgency to unstable should be enough.

Cheers
Luk
Bug#559836: CVE-2009-3736 local privilege escalation
Package: openmpi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug filing (due to so many packages embedding libtool), I have not had time to determine whether the vulnerable code is actually present in any of the binary packages. Please determine whether this is the case. If the binary packages are not affected, please feel free to close the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package is affected, please coordinate with the security team to release the DSA for the affected packages.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
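An audit helper in the spirit of the mass bug filing above, added here as an example and not part of the bug report or the openmpi packaging: it walks a source tree for embedded copies of ltdl.c and reports whether each one carries the 2.2.6b-style fix marker (`lt_dlloader_find (lt_preopen)` in the tryall_dlopen call) seen in Manuel's debdiff. The marker test is my own heuristic, and the sample tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example: heuristic audit for embedded libltdl copies (CVE-2009-3736).
# Not from the bug report or the openmpi package. Assumes paths without
# whitespace and a 2.2.x-style ltdl.c; 1.5.x copies and anything unrecognised
# are reported as UNKNOWN for manual review (and still fail the audit).
FIX_MARKER='lt_dlloader_find (lt_preopen)'                 # present after the 2.2.6b fix
VULN_MARKER='tryall_dlopen (handle, old_name, advise, 0)'  # the unfixed 2.2.x call

# audit_ltdl TREE: prints one line per ltdl.c found; returns 1 if any is unfixed.
audit_ltdl() {
    tree=$1
    status=0
    found=0
    for f in $(find "$tree" -type f -name ltdl.c 2>/dev/null | sort); do
        found=1
        if grep -qF "$FIX_MARKER" "$f"; then
            echo "FIXED $f"
        elif grep -qF "$VULN_MARKER" "$f"; then
            echo "VULNERABLE $f"
            status=1
        else
            echo "UNKNOWN $f"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || echo "NONE $tree"
    return $status
}

# make_sample DIR KIND: writes a constructed ltdl.c fragment (KIND = fixed | vuln)
# mirroring the two sides of the first ltdl.c hunk in the debdiff.
make_sample() {
    mkdir -p "$1/opal/libltdl"
    if [ "$2" = fixed ]; then
        printf '  if (old_name && tryall_dlopen (handle, old_name,\n' > "$1/opal/libltdl/ltdl.c"
        printf '      advise, lt_dlloader_find (lt_preopen) ) == 0)\n' >> "$1/opal/libltdl/ltdl.c"
    else
        printf '  if (old_name && tryall_dlopen (handle, old_name, advise, 0) == 0)\n' > "$1/opal/libltdl/ltdl.c"
    fi
}

# Stand-alone demo on a constructed tree: one patched copy, one unpatched.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/openmpi-fixed" fixed
    make_sample "$d/openmpi-unpatched" vuln
    audit_ltdl "$d"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `demo` to see one FIXED and one VULNERABLE line; point `audit_ltdl` at an unpacked source package to audit it.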