Bug#559797: marked as done (CVE-2009-3736 local privilege escalation)

2010-01-02 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jan 2010 02:14:55 +
with message-id 
and subject line Bug#559797: fixed in libtool 1.5.26-4+lenny1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libtool
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so please
coordinate with the security team to release a DSA.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736


--- End Message ---
--- Begin Message ---
Source: libtool
Source-Version: 1.5.26-4+lenny1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl3-dev_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libltdl3-dev_1.5.26-4+lenny1_i386.deb
libltdl3_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libltdl3_1.5.26-4+lenny1_i386.deb
libtool-doc_1.5.26-4+lenny1_all.deb
  to main/libt/libtool/libtool-doc_1.5.26-4+lenny1_all.deb
libtool_1.5.26-4+lenny1.diff.gz
  to main/libt/libtool/libtool_1.5.26-4+lenny1.diff.gz
libtool_1.5.26-4+lenny1.dsc
  to main/libt/libtool/libtool_1.5.26-4+lenny1.dsc
libtool_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libtool_1.5.26-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Sat, 12 Dec 2009 14:33:54 -0500
Source: libtool
Binary: libtool libtool-doc libltdl3 libltdl3-dev
Architecture: source all i386
Version: 1.5.26-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Kurt Roeckx 
Changed-By: Michael Gilbert 
Description: 
 libltdl3   - A system independent dlopen wrapper for GNU libtool
 libltdl3-dev - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 559797
Changes: 
 libtool (1.5.26-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fixes local privilege escalation vulnerability: CVE-2009-3736
 (closes: #559797).

Bug#559797: marked as done (CVE-2009-3736 local privilege escalation)

2010-01-02 Thread Debian Bug Tracking System
Your message dated Sun, 03 Jan 2010 02:13:11 +
with message-id 
and subject line Bug#559797: fixed in libtool 1.5.22-4+etch1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

--- Begin Message ---
Source: libtool
Source-Version: 1.5.22-4+etch1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl3-dev_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libltdl3-dev_1.5.22-4+etch1_i386.deb
libltdl3_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libltdl3_1.5.22-4+etch1_i386.deb
libtool-doc_1.5.22-4+etch1_all.deb
  to main/libt/libtool/libtool-doc_1.5.22-4+etch1_all.deb
libtool_1.5.22-4+etch1.diff.gz
  to main/libt/libtool/libtool_1.5.22-4+etch1.diff.gz
libtool_1.5.22-4+etch1.dsc
  to main/libt/libtool/libtool_1.5.22-4+etch1.dsc
libtool_1.5.22-4+etch1_i386.deb
  to main/libt/libtool/libtool_1.5.22-4+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.7
Date: Sat, 12 Dec 2009 15:51:35 -0500
Source: libtool
Binary: libtool-doc libltdl3 libtool libltdl3-dev
Architecture: source i386 all
Version: 1.5.22-4+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Kurt Roeckx 
Changed-By: Michael Gilbert 
Description: 
 libltdl3   - A system independent dlopen wrapper for GNU libtool
 libltdl3-dev - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 559797
Changes: 
 libtool (1.5.22-4+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fixes local privilege escalation vulnerability: CVE-2009-3736
 (closes: #559797).

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspwjcACgkQYy49rUbZzlpEjwCglW1ihi+49k38TBlB0vadCgqU
KkAAn2QY7AnDT26r29KkeM34im6Uhy5u
=IjAv
-END PGP SIGNATURE-


--- End Message ---


Bug#559797: marked as done (CVE-2009-3736 local privilege escalation)

2009-12-09 Thread Debian Bug Tracking System
Your message dated Wed, 09 Dec 2009 19:32:59 +
with message-id 
and subject line Bug#559797: fixed in libtool 2.2.6b-1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

--- Begin Message ---
Source: libtool
Source-Version: 2.2.6b-1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl-dev_2.2.6b-1_amd64.deb
  to main/libt/libtool/libltdl-dev_2.2.6b-1_amd64.deb
libltdl7_2.2.6b-1_amd64.deb
  to main/libt/libtool/libltdl7_2.2.6b-1_amd64.deb
libtool-doc_2.2.6b-1_all.deb
  to main/libt/libtool/libtool-doc_2.2.6b-1_all.deb
libtool_2.2.6b-1.diff.gz
  to main/libt/libtool/libtool_2.2.6b-1.diff.gz
libtool_2.2.6b-1.dsc
  to main/libt/libtool/libtool_2.2.6b-1.dsc
libtool_2.2.6b-1_amd64.deb
  to main/libt/libtool/libtool_2.2.6b-1_amd64.deb
libtool_2.2.6b.orig.tar.gz
  to main/libt/libtool/libtool_2.2.6b.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx  (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 09 Dec 2009 20:05:39 +0100
Source: libtool
Binary: libtool libtool-doc libltdl7 libltdl-dev
Architecture: source all amd64
Version: 2.2.6b-1
Distribution: unstable
Urgency: low
Maintainer: Kurt Roeckx 
Changed-By: Kurt Roeckx 
Description: 
 libltdl-dev - A system independent dlopen wrapper for GNU libtool
 libltdl7   - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 542190 545687 554821 559797
Changes: 
 libtool (2.2.6b-1) unstable; urgency=low
 .
   * New upstream release
 - Fixes CVE-2009-3736 (Closes: #559797)
   * Skip demo-deplibs.test.  This is basically the same as
 deplibs_test_disable.patch from the 1.5.26 version.
   * Skip the link-order2.at test.  It has the same problem
 as the deplibs test.
   * Since deplibs-ident.at now passes, just let it return that
 the result is ok.
   * Skip localization test when setlocale is not functional.
   * Re-enable test suite.
   * Remove the "Apps/" part of the doc-base entry.
   * Change debhelper compatibility to 7.
   * Replace dh_clean -k with dh_prep
   * Change build dependency of automake to 1.10.1 (Closes: #542190)
   * Add support for GNU/kOpenSolaris (Closes: #545687)
   * Update Standards-Version from 3.8.1 to 3.8.3: No changes required.
   * Add ${misc:Depends} to libtool-doc's Depends so we have proper
 dependencies for it.
   * Build-Conflict against gcj for now, to avoid a regression test
 failure.  See #555801.
   * Symbol versioning works with the GNU gold linker now. (Closes: #554821)