Your message dated Wed, 09 Dec 2009 19:32:59 +0000
with message-id <e1nisht-00085l...@ries.debian.org>
and subject line Bug#559797: fixed in libtool 2.2.6b-1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libtool
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so please
coordinate with the security team to release a DSA.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
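An added example, not part of the original report or of libtool: a small audit that lists .la files sitting in directories other users can write to, the kind of location where the Trojan horse file described in the CVE text could be planted. Treating "directory writable by group or others" as the risk signal is an assumption made here, and the function name and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def risky_la_files(root):
    """Return sorted paths of *.la files under root whose containing
    directory is writable by group or others.

    The writability heuristic is an assumption of this example, not
    something stated in the advisory.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        la_names = [n for n in filenames if n.endswith(".la")]
        if not la_names:
            continue
        mode = os.stat(dirpath).st_mode
        # A sticky bit (as on /tmp) only restricts deletion; any user can
        # still create a new file there, so it does not clear the finding.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.extend(os.path.join(dirpath, n) for n in la_names)
    return sorted(findings)


def demo():
    """Build a constructed sample tree and return the flagged paths,
    relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"shared": 0o1777, "private": 0o755}  # constructed sample
        for name, mode in layout.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod, independent of umask
            with open(os.path.join(path, "libexample.la"), "w") as fh:
                fh.write("# constructed placeholder, not a real .la file\n")
        return [os.path.relpath(p, root) for p in risky_la_files(root)]


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

A finding is a prompt for review, not proof of tampering; installing the fixed libtool package remains the actual remedy.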
--- Begin Message ---
Source: libtool
Source-Version: 2.2.6b-1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl-dev_2.2.6b-1_amd64.deb
  to main/libt/libtool/libltdl-dev_2.2.6b-1_amd64.deb
libltdl7_2.2.6b-1_amd64.deb
  to main/libt/libtool/libltdl7_2.2.6b-1_amd64.deb
libtool-doc_2.2.6b-1_all.deb
  to main/libt/libtool/libtool-doc_2.2.6b-1_all.deb
libtool_2.2.6b-1.diff.gz
  to main/libt/libtool/libtool_2.2.6b-1.diff.gz
libtool_2.2.6b-1.dsc
  to main/libt/libtool/libtool_2.2.6b-1.dsc
libtool_2.2.6b-1_amd64.deb
  to main/libt/libtool/libtool_2.2.6b-1_amd64.deb
libtool_2.2.6b.orig.tar.gz
  to main/libt/libtool/libtool_2.2.6b.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 09 Dec 2009 20:05:39 +0100
Source: libtool
Binary: libtool libtool-doc libltdl7 libltdl-dev
Architecture: source all amd64
Version: 2.2.6b-1
Distribution: unstable
Urgency: low
Maintainer: Kurt Roeckx <k...@roeckx.be>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description: 
 libltdl-dev - A system independent dlopen wrapper for GNU libtool
 libltdl7   - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 542190 545687 554821 559797
Changes: 
 libtool (2.2.6b-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2009-3736 (Closes: #559797)
   * Skip demo-deplibs.test.  This is basically the same as
     deplibs_test_disable.patch from the 1.5.26 version.
   * Skip the link-order2.at test.  It has the same problem
     as the deplibs test.
   * Since deplibs-ident.at now passes, just let it return that
     the result is ok.
   * Skip localization test when setlocale is not functional.
   * Re-enable test suite.
   * Remove the "Apps/" part of the doc-base entry.
   * Change debhelper compatibility to 7.
   * Replace dh_clean -k with dh_prep
   * Change build dependency of automake to 1.10.1 (Closes: #542190)
   * Add support for GNU/kOpenSolaris (Closes: #545687)
   * Update Standards-Version from 3.8.1 to 3.8.3: No changes required.
   * Add ${misc:Depends} to libtool-doc's Depends so we have proper
     dependencies for it.
   * Build-Conflict against gcj for now, to avoid a regression test
     failure.  See #555801.
   * Symbol versioning works with the GNU gold linker now. (Closes: #554821)




--- End Message ---
