fixed 559799 2.4.1-1
severity 559799 important
thanks

On Sun, 2009-12-06 at 23:50:40 -0500, Michael Gilbert wrote:
> Package: bochs
> Severity: grave
> Tags: security

> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the package is not affected, please feel free to close the bug
> with a message containing the details of what you did to check.
> 
> CVE-2009-3736[0]:
> | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> | attempts to open a .la file in the current working directory, which
> | allows local users to gain privileges via a Trojan horse file.
> 
> Note that this problem also affects etch and lenny, so if your package
> is affected, please coordinate with the security team to release the
> DSA for the affected packages.

As explained on debian-devel the conditions needed to trigger either
of the problems are several. In this case, bochs version 2.4.1-1 and
later are not vulnerable as I patched it some time ago to load the
‘.so’ files directly instead of using the ‘.la’ files, so testing and
unstable are fine.

Then stable is not vulnerable to the ‘.a’ problem as the ‘.la’ files
for bochs plugins have an empty old_library field. It's supposedly
vulnerable to the ‘.la’ problem, but all plugins are shipped in the
bochs package except for the UI ones, which are shipped in different
packages that bochs depends on, so the user will have at least one UI
plugin. And they are the ones responsible for configuring which one to
load from the configuration file, so the case where the user tries to
run bochs continuously in random directories w/ a non-existing plugin
seems pretty contrived to me. That's why I've lowered the severity;
it might still be good to update bochs in stable and oldstable, but it
does not seem a really huge problem to me, and it might even deserve
a lower severity.

thanks,
guillem
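The check described in the reply above, that a package's ‘.la’ files carry an empty old_library field and name the shared object to load, can be automated when auditing a set of plugins for this class of problem. The following is an added example, not code from bochs, libtool or Debian; the ‘.la’ contents are constructed samples in the libtool `key='value'` layout, and the file names are assumptions.

```python
"""Audit libtool .la files for the two conditions discussed in the bug:
  - old_library: the static archive libltdl may fall back to (the '.a' case);
  - dlname:      the shared object named by the .la file (the '.la' case).
Added illustration; the sample .la bodies below are constructed, not taken
from the bochs package.
"""
import re
import tempfile
from pathlib import Path

# One shell-style assignment per line: key='value', key="value" or key=value.
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(['\"]?)(.*?)\2\s*$")


def parse_la(text):
    """Return the key/value assignments in a .la file body, ignoring comments."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            fields[m.group(1)] = m.group(3)
    return fields


def assess_la(text):
    """Summarise what a loader following this .la file would be pointed at."""
    fields = parse_la(text)
    old_library = fields.get("old_library", "")
    return {
        "dlname": fields.get("dlname", ""),
        "old_library": old_library,
        # A non-empty old_library means a static archive could be picked up.
        "static_fallback": bool(old_library),
    }


def audit_dir(directory):
    """Return {file name: assessment} for every .la file under directory."""
    return {p.name: assess_la(p.read_text()) for p in sorted(Path(directory).glob("*.la"))}


# Constructed sample: empty old_library, as the reply says bochs plugins have.
SAMPLE_EMPTY = """\
# libbx_example.la - a libtool library file (constructed sample)
dlname='libbx_example.so'
library_names='libbx_example.so libbx_example.so'
old_library=''
installed=yes
"""

# Constructed sample of the other shape: a static archive is named too.
SAMPLE_STATIC = """\
# libbx_other.la - constructed sample
dlname='libbx_other.so'
old_library='libbx_other.a'
installed=yes
"""


def demo():
    """Write the two samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "libbx_example.la").write_text(SAMPLE_EMPTY)
        (Path(d) / "libbx_other.la").write_text(SAMPLE_STATIC)
        report = audit_dir(d)
    for name, info in report.items():
        flag = "static fallback" if info["static_fallback"] else "shared only"
        print(f"{name}: dlname={info['dlname']!r} ({flag})")
    return report


if __name__ == "__main__":
    demo()
```

`audit_dir` only reads the ‘.la’ files it is given; it does not search the current directory the way libltdl would, so pointing it at a package's plugin directory answers the old_library question without reproducing the loader behaviour the CVE concerns.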
