Your message dated Fri, 19 Feb 2010 22:02:24 +0100
with message-id <[email protected]>
has caused the report #559827,
regarding CVE-2009-3736 local privilege escalation
to be marked as having been forwarded to the upstream software
author(s) Thomas Ries <[email protected]>
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559827: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559827
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Thomas,
As you are aware siproxd contains an convenience copy of libltdl and there is
no method in the configure script to use a system provided libltdl.
While I can understand that providing this library directly with your code
helps your users build the package, this does also introduce a security
vulnerability as a bug in the library then needs to be fixed in each and every
application which includes a convenience copy.
This has indeed occurred (see attached) with a local privilege escalation issue
(CVE) being identified in the convenience copy of libltdl you ship with siproxd.
Whilst Debian has already fixed this CVE for the system provided libltdl, we
now need to go through every single application that provides a convenience
copy.
So you should be aware that siproxd as shipped in your upstream distribution is
vunerable to CVE-2009-3736.
Could I ask you to modify your configure script to check first for a system
provided libltdl and use that in preference to any convenience copy.
I would recommend that you don't ship a convenience copy, for these reasons
and, make libltdl a build time system dependency, as you have done with
libosip2.
If you do wish to continue to ship libltdl, then you should ensure it is
uptodate and at least fixes the CVE identified in this report.
Could I ask you to maintain the (Cc:) in any replies so we can track this issue
correctly in our Bug Tracking System (BTS). You may also wish to subscribe to
our email based Package Tracking System (PTS) for siproxd, had you been
subscribed you would of received the attached email directly rather than second
hand through me: http://packages.qa.debian.org/s/siproxd.html
I will attempt to modify your configure script to address this issue in Debian,
however this bug report effects all your distributed source packages.
Thanks,
Mark
---------- Forwarded Message ----------
Subject: Bug#559827: CVE-2009-3736 local privilege escalation
Date: Monday 07 December 2009
From: Michael Gilbert <[email protected]>
To: [email protected]
Package: siproxd
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
-------------------------------------------------------
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
