Your message dated Sun, 03 Jan 2010 02:13:11 +0000
with message-id <e1nrfxv-0003pn...@ries.debian.org>
and subject line Bug#559797: fixed in libtool 1.5.22-4+etch1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libtool
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so please
coordinate with the security team to release a DSA.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Source: libtool
Source-Version: 1.5.22-4+etch1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl3-dev_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libltdl3-dev_1.5.22-4+etch1_i386.deb
libltdl3_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libltdl3_1.5.22-4+etch1_i386.deb
libtool-doc_1.5.22-4+etch1_all.deb
  to main/libt/libtool/libtool-doc_1.5.22-4+etch1_all.deb
libtool_1.5.22-4+etch1.diff.gz
  to main/libt/libtool/libtool_1.5.22-4+etch1.diff.gz
libtool_1.5.22-4+etch1.dsc
  to main/libt/libtool/libtool_1.5.22-4+etch1.dsc
libtool_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libtool_1.5.22-4+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <michael.s.gilb...@gmail.com> (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 12 Dec 2009 15:51:35 -0500
Source: libtool
Binary: libtool-doc libltdl3 libtool libltdl3-dev
Architecture: source i386 all
Version: 1.5.22-4+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Kurt Roeckx <k...@roeckx.be>
Changed-By: Michael Gilbert <michael.s.gilb...@gmail.com>
Description: 
 libltdl3   - A system independent dlopen wrapper for GNU libtool
 libltdl3-dev - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 559797
Changes: 
 libtool (1.5.22-4+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fixes local privilege escalation vulnerability: CVE-2009-3736
     (closes: #559797).
Files: 
 928acd111c5fef379758412cc69d6955 791 devel optional libtool_1.5.22-4+etch1.dsc
 8e0ac9797b62ba4dcc8a2fb7936412b0 2921483 devel optional libtool_1.5.22.orig.tar.gz
 5479bf2874720d1a57bc051938939c0a 15804 devel optional libtool_1.5.22-4+etch1.diff.gz
 48ef3b50f8af4b55f95ab0537dedeae9 340218 doc optional libtool-doc_1.5.22-4+etch1_all.deb
 2f3cf778e937d324b2082286ac531915 327562 devel optional libtool_1.5.22-4+etch1_i386.deb
 5f0f5afefa54c57ff00a1688b79daaae 168334 libs optional libltdl3_1.5.22-4+etch1_i386.deb
 ff14fcaece7267e5af27ebf077caf5ea 361676 libdevel optional libltdl3-dev_1.5.22-4+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspwjcACgkQYy49rUbZzlpEjwCglW1ihi+49k38TBlB0vadCgqU
KkAAn2QY7AnDT26r29KkeM34im6Uhy5u
=IjAv
-----END PGP SIGNATURE-----



--- End Message ---
