Bug#559808: CVE-2009-3736 local privilege escalation

Mon, 25 Jan 2010 02:24:57 -0800 

tags 559808 + help
thanks

On Wed, Dec 30, 2009 at 01:29:50PM +0100, Moritz Muehlenhoff wrote:
> Gnash already has a Build-Depennds on the shared copy, but it appears
> as if only the hppa build links against the system copy. I suppose
> this needs to be configured explicitely by passing "--without-included-ltdl"
> to the configure call.

I've been rebuilding gnash passing explicitly --without-included-ltdl
(patch attached), but that does not seem to be enough to have the main
gnash package linked against system-wide ltdl.  ldd confirms that the
gtk-gnash executable is not linked against ltdl, whereas the other
binary packages of gnash does link against the system-wide library (that
was the case also without the patch).

At first sight configure.ac seems to be doing the right thing in _not_
forcing the convenience library (it does that only if older versions of
libltdl are found in the sources, which is no longer the case).

Bottom line: some more investigation is needed
Maintainer: any comment?

Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime

diff -u gnash-0.8.6/debian/changelog gnash-0.8.6/debian/changelog
--- gnash-0.8.6/debian/changelog
+++ gnash-0.8.6/debian/changelog
@@ -1,3 +1,11 @@
+gnash (0.8.6-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Force building against system version of libltdl. Fix CVE-2009-3736
+    (on all archs). (Closes: #559808)
+
+ -- Stefano Zacchiroli <[email protected]>  Sun, 24 Jan 2010 15:56:05 +0100
+
 gnash (0.8.6-2) unstable; urgency=low
 
   [ Miriam Ruiz ]
diff -u gnash-0.8.6/debian/rules gnash-0.8.6/debian/rules
--- gnash-0.8.6/debian/rules
+++ gnash-0.8.6/debian/rules
@@ -63,6 +63,7 @@
                --with-npapi-plugindir=\$${prefix}/lib/gnash \
                --with-kde-pluginprefix=\$${prefix} \
                --with-plugins-install=system \
+               --without-included-ltdl \
                --enable-shared=yes \
                --enable-sdk-install \
                --enable-lotsa-warnings \

Reply via email to