Hi,

A couple of weeks ago I released a new libtool, and added it to fink. I 
also patched our libtool14 package. This was due to a potential 
vulnerability in libltdl that may allow arbitrary code execution.

We also updated a number of packages to work around the problem, 
however, it is quite likely that I missed some.

If you maintain, or know of, a package that uses and embeds its own copy 
of libltdl, and the package is built with static libraries, it is 
possible that it is vulnerable. In this case, please do one of the 
following things:

1) --disable-static
2) Patch the embedded libltdl:
   http://git.savannah.gnu.org/cgit/libtool.git/commit/?id=3580cddcea7eec5c07cf69e8adbe14ccf94dccc1
   (you don't need the test cases)
   http://git.savannah.gnu.org/cgit/libtool.git/commit/?id=e91f7b960032074a55fc91273c1917e3082b5338

Or for older 1.5:
http://git.savannah.gnu.org/cgit/libtool.git/commit/?h=branch-1-5&id=29b48580df75f0c5baa2962548a4c101ec7ed7ec

3) If the package works without the presence of its .la files, you could 
remove them.
4) Patch the package so that it uses the shared libltdl from 
libtool2-shlibs or libtool14-shlibs.

Brief explanation of problem:
Packages using libltdl, with .la files that have an old_library field 
which is not empty (e.g. old_library='something.a') will call 
dlopen($old_library), so if an attacker can put a shared library named 
something.a in the current working directory, or any of the usual places 
that dlopen() looks when not given an absolute path, that library will 
be loaded, its initialization functions run etc.

Links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3736
https://bugzilla.redhat.com/show_bug.cgi?id=537941
http://www.mandriva.com/en/security/advisories?name=MDVSA-2009:307

Peter
-- 
Peter O'Gorman
http://pogma.com
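For maintainers who want to find which installed packages the mail's "old_library is not empty" condition applies to, here is an added audit script (not part of the original mail, and not libtool's or Fink's own code). It assumes a standard libtool .la layout of one shell-style key='value' assignment per line, walks a prefix, and lists every .la file whose old_library field names an archive; the sample .la files it writes into a temporary directory are constructed for the demo, not taken from real packages.

```python
"""Audit libtool .la files for a non-empty old_library field.

Added example, not part of the original mail. It assumes the check a
package maintainer wants is: walk a prefix, parse every *.la file's
key='value' lines, and flag those where old_library is set, since
(per the mail) libltdl may call dlopen() on that bare archive name.
"""
import os
import re
import tempfile

# libtool writes one assignment per line; values are usually single-quoted
# (dlname='libfoo.1.dylib') but a few are bare (installed=yes).
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:'(.*)'|(\S*))\s*$")


def parse_la(text):
    """Return a dict of the key=value assignments in a .la file.

    Comment and blank lines are skipped; quoted and bare values are both
    accepted. Unknown or malformed lines are ignored rather than fatal.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def la_is_risky(fields):
    """Flag a .la file whose old_library names an archive (non-empty)."""
    return bool(fields.get("old_library", "").strip())


def find_risky_la(root):
    """Walk root and return sorted paths of .la files with old_library set."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".la"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                fields = parse_la(fh.read())
            if la_is_risky(fields):
                risky.append(path)
    return sorted(risky)


# Constructed sample .la files (hypothetical library names, not real
# package output): static-only, static+shared, and shared-only builds.
SAMPLE_LA = {
    "lib/libstaticonly.la": (
        "# libstaticonly.la - a libtool library file\n"
        "dlname=''\n"
        "library_names=''\n"
        "old_library='libstaticonly.a'\n"
        "installed=yes\n"
    ),
    "lib/libboth.la": (
        "dlname='libboth.1.dylib'\n"
        "library_names='libboth.1.dylib libboth.dylib'\n"
        "old_library='libboth.a'\n"
    ),
    "lib/libsharedonly.la": (
        "dlname='libsharedonly.1.dylib'\n"
        "library_names='libsharedonly.1.dylib libsharedonly.dylib'\n"
        "old_library=''\n"
    ),
}


def demo():
    """Write the samples under a temp prefix, audit it, return flagged basenames."""
    with tempfile.TemporaryDirectory() as prefix:
        for rel, body in SAMPLE_LA.items():
            full = os.path.join(prefix, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in find_risky_la(prefix)]


if __name__ == "__main__":
    # On a real system, call find_risky_la("/sw") (or your Fink prefix) instead.
    for name in demo():
        print("old_library set:", name)
```

Running the demo flags libstaticonly.la and libboth.la (both carry an old_library value) and leaves libsharedonly.la alone. Each flagged package is a candidate for one of the four remedies listed above: rebuilding with --disable-static, patching its embedded libltdl, dropping the .la files if the package works without them, or linking against the shared libltdl.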

Fink-devel mailing list
Fink-devel@lists.sourceforge.net
http://news.gmane.org/gmane.os.apple.fink.devel