Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Moritz Muehlenhoff
On Tue, Dec 08, 2009 at 01:42:23AM +0100, Manuel Prinz wrote:
 Here's the debdiff. Changes are checked into our SVN repo.
 
 Best regards
 Manuel

You should rather use the copy of libltdl currently in the
archive, or is there a technical reason that prevents this?

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Manuel Prinz
Hi Moritz!

On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
 You should rather use the copy of libltdl currently in the
 archive, or is there a technical reason that prevents this?

I'm aware of that and discussed it with upstream. They said it would
require quite some changes to the build system, since they decided to
use a copy of libtool for technical and practical reasons and only
support that. I of course might be able to hack support for using the
system libtool into it but I thought fixing security issues in a timely
manner is generally preferred, especially if the issue is that simple to
fix.

Also, I do not quite understand how using Debian's libtool would help,
as it seems vulnerable as well and is not fixed yet. If I misunderstood
the situation, please correct me.

Don't get me wrong: I really appreciate the work the security team does
and I wanted to help you by fixing the issue ASAP. If this was wrong, I
apologize! The solution as is should be seen as an interim solution. I
will try to make Open MPI use libtool, though this is something I can't
see to happen in a reasonable time frame at the moment. Leaving RC bugs
open for weeks does not help anyone, so I fixed the issue the way I did,
by patching the local copy. If this is not an acceptable solution,
please reopen. I just had good intentions, and am open to criticism and
discussion, and willing to learn.

Also, please clarify the state in etch and lenny. We did not build
static libs, so no .la files there. This version of libtool is not used
outside of MPI. Am I supposed to fix those packages as well as users
might modify debian/rules and build static binaries? I did assume this
not to be the case, but I'm irritated now.

Best regards
Manuel







Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Moritz Muehlenhoff
On Tue, Dec 08, 2009 at 09:46:45PM +0100, Manuel Prinz wrote:
 Hi Moritz!
 
 On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
  You should rather use the copy of libltdl currently in the
  archive, or is there a technical reason that prevents this?
 
 I'm aware of that and discussed it with upstream. They said it would
 require quite some changes to the build system, since they decided to
 use a copy of libtool for technical and practical reasons and only
 support that. I of course might be able to hack support for using the
 system libtool into it but I thought fixing security issues in a timely
 manner is generally preferred, especially if the issue is that simple to
 fix.
 
 Also, I do not quite understand how using Debian's libtool would help,
 as it seems vulnerable as well and is not fixed yet. If I misunderstood
 the situation, please correct me.
 
 Don't get me wrong: I really appreciate the work the security team does
 and I wanted to help you by fixing the issue ASAP. If this was wrong, I
 apologize! The solution as is should be seen as an interim solution. I
 will try to make Open MPI use libtool, though this is something I can't
 see to happen in a reasonable time frame at the moment. Leaving RC bugs
 open for weeks does not help anyone, so I fixed the issue the way I did,
 by patching the local copy. If this is not an acceptable solution,
 please reopen. I just had good intentions, and am open to criticism and
 discussion, and willing to learn.

No problem, fixing the issue ad hoc is of course preferred and using the
system copy the long term goal (if there are technical issues (that's why
I asked) you can also leave it as-is). Embedding a copy of libtool is
rather harmless compared to, e.g., an embedded copy of libavcodec.
 
 Also, please clarify the state in etch and lenny. We did not build
 static libs, so no .la files there. This version of libtool is not used
 outside of MPI. Am I supposed to fix those packages as well as users
 might modify debian/rules and build static binaries? I did assume this
 not to be the case, but I'm irritated now.

You can leave etch and lenny untouched, the impact doesn't warrant an
update.

Cheers,
Moritz






Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Manuel Prinz
Hi Moritz!

On Tuesday, 08.12.2009, 22:28 +0100, Moritz Muehlenhoff wrote:
 You can leave etch and lenny untouched, the impact doesn't warrant an
 update.

Thanks for clarifying!

Best regards
Manuel







Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Sylvestre Ledru
Manuel, are you going to handle this issue or do you want me to do it ?

Thanks
Sylvestre

On Monday, 07 December 2009 at 00:06 -0500, Michael Gilbert wrote:
 Package: openmpi
 Severity: grave
 Tags: security
 
 Hi,
 
 The following CVE (Common Vulnerabilities & Exposures) id was
 published for libtool.  I have determined that this package embeds a
 vulnerable copy of the libtool source code.  However, since this is a
 mass bug filing (due to so many packages embedding libtool), I have not
 had time to determine whether the vulnerable code is actually present
 in any of the binary packages. Please determine whether this is the
 case. If the binary packages are not affected, please feel free to close
 the bug with a message containing the details of what you did to check.
 
 CVE-2009-3736[0]:
 | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
 | attempts to open a .la file in the current working directory, which
 | allows local users to gain privileges via a Trojan horse file.
 
 Note that this problem also affects etch and lenny, so if your package
 is affected, please coordinate with the security team to release the
 DSA for the affected packages.
 
 If you fix the vulnerability please also make sure to include the
 CVE id in your changelog entry.
 
 For further information see:
 
 [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
 http://security-tracker.debian.org/tracker/CVE-2009-3736
 
 
 








Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Sylvestre Ledru
On Monday, 07 December 2009 at 13:30 +0100, Manuel Prinz wrote:
 On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
  Manuel, are you going to handle this issue or do you want me to do it ?
 
 I can take care of that. I've forwarded this upstream already. The best
 option would be having a fixed libtool available, or trying to use the
 backported patch in the CVE. Information on fixing this is quite sparse,
 unfortunately.
 
 I hope that there will be some more information in the thread on d-d. I
 can take care of it this evening. If you want to go faster, feel free to
 do so. You don't need to ask for permission. We're a team, aren't we? ;)
Indeed, but sometimes you have upcoming modifications :)

Sylvestre









Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Manuel Prinz
On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
 Manuel, are you going to handle this issue or do you want me to do it ?

I can take care of that. I've forwarded this upstream already. The best
option would be having a fixed libtool available, or trying to use the
backported patch in the CVE. Information on fixing this is quite sparse,
unfortunately.

I hope that there will be some more information in the thread on d-d. I
can take care of it this evening. If you want to go faster, feel free to
do so. You don't need to ask for permission. We're a team, aren't we? ;)

Best regards
Manuel







Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Manuel Prinz
Hi Michael!

On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
 The following CVE (Common Vulnerabilities & Exposures) id was
 published for libtool.  I have determined that this package embeds a
 vulnerable copy of the libtool source code.  However, since this is a
 mass bug filing (due to so many packages embedding libtool), I have not
 had time to determine whether the vulnerable code is actually present
 in any of the binary packages. Please determine whether this is the
 case. If the binary packages are not affected, please feel free to close
 the bug with a message containing the details of what you did to check.

AIUI, only the versions in squeeze and sid (identical) are affected. We
did not have static library support in the versions in etch and lenny,
so there are no .la files contained in the packages and they therefore
should not be vulnerable.

I'm preparing a fix at the moment, which I can upload soon. I'd like to
know with which priority to upload, and where. The ST suggests urgency
of medium, but I'm unsure which queue to use. As I understand dev-ref,
an upload to ftp-master should suffice since {old,}stable is not
affected. (Sorry, first CVE…)

I'll send the debdiff for review as soon as the build finishes.

Best regards
Manuel







Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Manuel Prinz
Here's the debdiff. Changes are checked into our SVN repo.

Best regards
Manuel
diff -u openmpi-1.3.3/debian/changelog openmpi-1.3.3/debian/changelog
--- openmpi-1.3.3/debian/changelog
+++ openmpi-1.3.3/debian/changelog
@@ -1,3 +1,10 @@
+openmpi (1.3.3-4) unstable; urgency=medium
+
+  * Fixed security issue in copy of libtool, see CVE-2009-3736.
+Closes: #559836.
+
+ -- Manuel Prinz man...@debian.org  Tue, 08 Dec 2009 00:58:02 +0100
+
 openmpi (1.3.3-3.1) unstable; urgency=low
 
   * Non-maintainer upload with the maintainer's permission.
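Review bot: the entry `+  * Fixed security issue in copy of libtool, see CVE-2009-3736.` names the CVE but not the change; a reader of the changelog should be able to see that the embedded libltdl no longer opens a .la file from the current working directory, e.g. `  * debian/patches/libtool: stop the embedded libltdl from opening .la files in the current working directory (CVE-2009-3736). Closes: #559836.`. Also check that the continuation line `+Closes: #559836.` is indented under the bullet in the real file (it is not in this copy of the diff); changelog body lines must start with whitespace or the entry will not parse.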
diff -u openmpi-1.3.3/debian/patches/series openmpi-1.3.3/debian/patches/series
--- openmpi-1.3.3/debian/patches/series
+++ openmpi-1.3.3/debian/patches/series
@@ -4,0 +5 @@
+libtool
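Review bot: `+libtool` is a generic name for a patch that carries one specific CVE fix; naming it after the issue (for example `CVE-2009-3736-ltdl-cwd.patch`) keeps the series self-describing and makes the patch easy to locate when the security tracker entry is cross-referenced later.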
only in patch2:
unchanged:
--- openmpi-1.3.3.orig/debian/patches/libtool
+++ openmpi-1.3.3/debian/patches/libtool
@@ -0,0 +1,31 @@
+Description: Fix security issue in libtool copy
+ This patch fixes a security issue in libtool's dlopen(). This is CVE-2009-3736
+ (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736).
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559836
+Author: Manuel Prinz man...@debian.org
+Last-Update: 2009-12-08
+---
+ opal/libltdl/ltdl.c |5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/opal/libltdl/ltdl.c
 b/opal/libltdl/ltdl.c
+@@ -529,7 +529,8 @@
+   /* Try to open the old library first; if it was dlpreopened,
+  we want the preopened version of it, even if a dlopenable
+  module is available.  */
+-  if (old_name  tryall_dlopen (handle, old_name, advise, 0) == 0)
++  if (old_name  tryall_dlopen (handle, old_name,
++			  advise, lt_dlloader_find (lt_preopen) ) == 0)
+ {
+   return 0;
+ }
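Review bot: as reproduced here, `lt_dlloader_find (lt_preopen)` passes a bare identifier and `old_name  tryall_dlopen (handle, old_name,` has no operator between its operands; lt_dlloader_find takes the loader name as a string, so the applied patch must read `lt_dlloader_find ("lt_preopen")` and `old_name && tryall_dlopen (...)`. This archive copy drops ampersands and quotes elsewhere too (`Common Vulnerabilities  Exposures` in the bug report), so verify the file in SVN rather than this mail. Passing the preopen loader instead of 0 restricts this first attempt to dlpreopened modules, which is the intent; the DEP-3 header should say so, and if this is the upstream libtool change, add an `Origin:` field pointing at it.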
+@@ -1345,7 +1346,7 @@
+ 	}
+ #endif
+ 	}
+-  if (!file)
++  else
+ 	{
+ 	  file = fopen (attempt, LT_READTEXT_MODE);
+ 	}
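Review bot: the `++  else` binds to an `if` whose head is outside the hunk's three context lines, and those context lines end with `#endif` and `}`, so review this against the full function rather than the hunk: confirm which `if` the `else` pairs with both when that preprocessor symbol is defined and when it is not, since a stray brace level would silently attach it to the wrong branch. With the `if (!file)` guard gone, `fopen (attempt, LT_READTEXT_MODE)` no longer runs as a last-resort fallback in the current working directory, which is the actual fix for CVE-2009-3736; the patch description (`This patch fixes a security issue in libtool's dlopen()`) should state that behaviour instead of only naming the CVE.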


Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Luk Claes
Manuel Prinz wrote:
 Hi Michael!
 
 On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
 The following CVE (Common Vulnerabilities & Exposures) id was
 published for libtool.  I have determined that this package embeds a
 vulnerable copy of the libtool source code.  However, since this is a
 mass bug filing (due to so many packages embedding libtool), I have not
 had time to determine whether the vulnerable code is actually present
 in any of the binary packages. Please determine whether this is the
 case. If the binary packages are not affected, please feel free to close
 the bug with a message containing the details of what you did to check.
 
 AIUI, only the versions in squeeze and sid (identical) are affected. We
 did not have static library support in the versions in etch and lenny,
 so there are no .la files contained in the packages and they therefore
 should not be vulnerable.
 
 I'm preparing a fix at the moment, which I can upload soon. I'd like to
 know with which priority to upload, and where. The ST suggests urgency
 of medium, but I'm unsure which queue to use. As I understand dev-ref,
 an upload to ftp-master should suffice since {old,}stable is not
 affected. (Sorry, first CVE…)

As only sid and squeeze are affected, uploading with medium urgency to
unstable should be enough.

Cheers

Luk






Bug#559836: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: openmpi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736


