Re: Bug#559802: CVE-2009-3736 local privilege escalation

To: debian-devel@lists.debian.org
Subject: Re: Bug#559802: CVE-2009-3736 local privilege escalation
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Tue, 8 Dec 2009 10:23:41 -0500
Message-id: <[🔎] 20091208102341.765163a6.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] 200912071713.06444.steffen.joeris@skolelinux.de>
References: <20091206235249.9e20c447.michael.s.gilbert@gmail.com> <[🔎] 4B1CB517.5010504@linuxia.de> <[🔎] 20091207110135.73dd3a7f.michael.s.gilbert@gmail.com> <[🔎] 200912071713.06444.steffen.joeris@skolelinux.de>

On Tue, 8 Dec 2009 03:13:06 +1100, Steffen Joeris wrote:
> > > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > > published for libtool.  I have determined that this package embeds a
> > > > vulnerable copy of the libtool source code.  However, since this is a
> > > > mass bug filing (due to so many packages embedding libtool), I have not
> > > > had time to determine whether the vulnerable code is actually present
> > > > in any of the binary packages. Please determine whether this is the
> > > > case. If the package is not affected, please feel free to close the bug
> > > > with a message containing the details of what you did to check.
> > > >
> > > > CVE-2009-3736[0]:
> > > > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > > > | attempts to open a .la file in the current working directory, which
> > > > | allows local users to gain privileges via a Trojan horse file.
> > > >
> > > > Note that this problem also affects etch and lenny, so if your package
> > > > is affected, please coordinate with the security team to release the
> > > > DSA for the affected packages.
>
> Is this different to all these python modules that include the working 
> directory? When I had a quick look it smelled like these once, in which case 
> none of the packages probably deserves a DSA and they can all be fixed through 
> s-p-u/o-s-p-u (and can be urgency 'slow'), but I thought I'd ask first in case 
> I misunderstood the issue.

So, as i interpret the issue, the difference here is that libtool will
load any and all .la and .a file available on the LD_LOAD_LIBRARY path;
whereas python will load modules in the current directory only if they
are specifically called from the script. 

I have just recently realized that LD_LOAD_LIBRARY has a relatively
safe default that does not include the current working directory.
Given this fact, I believe that the impact is rather limited (only
users that have modified that LD_LOAD_LIBRARY path are affected; and
i'm sure there are those who have done this, but it is a minor subset
of all debian users).

Hence, I think that for any package embedding libtool, updates should
be pushed in stable-proposed-updates, rather than DSAs.  As for libtool
itself, it may still make sense to issue a DSA.

If there is concurrence on this assessment, I will send a message along
these lines to all of the bugs that I submitted.

Mike

Reply to:

Follow-Ups:
- Re: Bug#559802: CVE-2009-3736 local privilege escalation
  - From: Steffen Joeris <steffen.joeris@skolelinux.de>
- Re: Bug#559802: CVE-2009-3736 local privilege escalation
  - From: Guillem Jover <guillem@debian.org>

References:
- Re: Bug#559802: CVE-2009-3736 local privilege escalation
  - From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
- Re: Bug#559802: CVE-2009-3736 local privilege escalation
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Re: Bug#559802: CVE-2009-3736 local privilege escalation
  - From: Steffen Joeris <steffen.joeris@skolelinux.de>

Prev by Date: Re: New Menu category Applictions/Multimedia
Next by Date: Bug#560043: ITP: libnfo -- an NFO file parser/writer library
Previous by thread: Re: Bug#559802: CVE-2009-3736 local privilege escalation
Next by thread: Re: Bug#559802: CVE-2009-3736 local privilege escalation
Index(es):
- Date
- Thread