-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-3736 says:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

The redland 1.0.9 release from April 2009 was built with an affected
libtool 2.2.6 and uses it to load storage modules dynamically from
/usr/lib/redland.

MD5 e5ef0c29c55b4f0f5aeed7955b4d383b redland-1.0.9.tar.gz

It's hard for me to tell how important this is since I've not been
able to verify it on Linux[1], for one thing. It might be more of a
concern on other OSes that do dynamic loading of modules a different
way.

If you are worried about this, I've attached the patch to 1.0.9 that
changes ltdl.c the way the CVE expects. It's untested since I can't
verify there is a problem.

Redland's next release won't have this problem since it'll be built
with the libtool 2.2.6b.

Dave

[1] https://bugzilla.redhat.com/show_bug.cgi?id=537941#c7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iD8DBQFLJbTjQ+ySUE9xlVoRAqW0AJ9bq3xA9eCd2498R2QbcQOHtf0qLQCfUdFA
Vigo6s57LQuSrm/okCTBlck=
=wL5a
-----END PGP SIGNATURE-----

# Redland 1.0.9 patch to deal with CVE-2009-3736 # # CVE-2009-3736 # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736 # # This patch adjusts the embedded libtool 2.2.6a ltdl.c in the redland 1.0.9 # release tarball to be the one from libtool 2.2.6b without the above local # privilege escalation. # diff -urN redland-1.0.9.orig/libltdl/ltdl.c redland-1.0.9/libltdl/ltdl.c --- redland-1.0.9.orig/libltdl/ltdl.c 2009-04-12 18:04:14.000000000 -0700 +++ redland-1.0.9/libltdl/ltdl.c 2009-11-16 05:11:59.000000000 -0800 @@ -529,7 +529,8 @@ /* Try to open the old library first; if it was dlpreopened, we want the preopened version of it, even if a dlopenable module is available. */ - if (old_name && tryall_dlopen (handle, old_name, advise, 0) == 0) + if (old_name && tryall_dlopen (handle, old_name, + advise, lt_dlloader_find ("lt_preopen") ) == 0) { return 0; } @@ -1345,7 +1346,7 @@ } #endif } - if (!file) + else { file = fopen (attempt, LT_READTEXT_MODE); } @@ -1614,9 +1615,6 @@ { lt_dlhandle handle = 0; int errors = 0; - const char * saved_error = 0; - - LT__GETERROR (saved_error); /* Can't have symbols hidden and visible at the same time! */ if (advise && advise->is_symlocal && advise->is_symglobal) @@ -1653,7 +1651,6 @@ #if defined(LT_MODULE_EXT) /* Try appending SHLIB_EXT. */ - LT__SETERRORSTR (saved_error); errors = try_dlopen (&handle, filename, shlib_ext, advise); /* As before, if the file was found but loading failed, return now
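
Review bot: In the hunk at @@ -529, the return value of lt_dlloader_find ("lt_preopen") is passed straight to tryall_dlopen without a check; if that lookup can return a null pointer, the call is identical to the old one that passed 0, and the restriction to the preopen loader that this change appears intended to add is silently lost. Consider storing the lookup result in a local variable and skipping the old_name attempt when it is null. Style: drop the stray space before the closing parenthesis in ("lt_preopen") ).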
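
Review bot: In the hunk at @@ -1345, the new else pairs with an if whose condition lies above the visible context, so the fopen (attempt, LT_READTEXT_MODE) fallback now runs on that one branch only and no longer whenever file is still null. Neither the code nor the patch header says which case loses the fallback; add a comment at the else naming that case and tying it to CVE-2009-3736. Since the cover note calls the patch untested, a check that a .la file in the current working directory is no longer opened would confirm the change does what the header claims.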
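
Review bot: The hunks at @@ -1614 and @@ -1651 remove saved_error together with its LT__GETERROR and LT__SETERRORSTR calls, which the patch header does not mention; the header describes only the privilege escalation fix. With LT__SETERRORSTR (saved_error) gone, the error state is no longer reset before the try_dlopen call that appends shlib_ext, so callers may see a different error string after a failed first attempt. State in the header that this error-handling change comes with the 2.2.6b ltdl.c, or split it into a separate patch.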

_______________________________________________
redland-dev mailing list
[email protected]
http://lists.librdf.org/mailman/listinfo/redland-dev
