On Wed, 9 Dec 2009 12:53:30 +0100 Guillem Jover wrote:

> fixed 559799 2.4.1-1
> severity 559799 important
> thanks
>
> On Sun, 2009-12-06 at 23:50:40 -0500, Michael Gilbert wrote:
> > Package: bochs
> > Severity: grave
> > Tags: security
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I have determined that this package embeds a
> > vulnerable copy of the libtool source code. However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have not
> > had time to determine whether the vulnerable code is actually present
> > in any of the binary packages. Please determine whether this is the
> > case. If the package is not affected, please feel free to close the bug
> > with a message containing the details of what you did to check.
> >
> > CVE-2009-3736[0]:
> > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > | attempts to open a .la file in the current working directory, which
> > | allows local users to gain privileges via a Trojan horse file.
> >
> > Note that this problem also affects etch and lenny, so if your package
> > is affected, please coordinate with the security team to release the
> > DSA for the affected packages.
>
> As explained on debian-devel the conditions needed to trigger either
> of the problems are several. In this case, bochs version 2.4.1-1 and
> later are not vulnerable as I patched it some time ago to load the
> ‘.so’ files directly instead of using the ‘.la’ files, so testing and
> unstable are fine.
>
> Then stable is not vulnerable to the ‘.a’ problem as the ‘.la’ files
> for bochs plugins have an empty old_library field. It's supposedly
> vulnerable to the ‘.la’ problem, but all plugins are shipped in the
> bochs package except for the UI ones, which are shipped in different
> packages but depended on by bochs, so the user will have at least one UI
> plugin. And they are the ones responsible for configuring which one to
> load from the configuration file, so the case where the user tries to
> run bochs continuously in random directories w/ a non-existing plugin
> seems pretty contrived to me. That's why I've lowered the severity;
> it might still be good to update bochs in stable and oldstable, but it
> does not seem a really huge problem to me, and it might even deserve
> a lower severity.
thank you very much for the in-depth analysis. i will mark etch/lenny not affected for now; however, for future hardening, the package should be using the system libtool instead of its own copy. i am opening a new bug for that.

mike