
Re: Bug#559802: CVE-2009-3736 local privilege escalation



Hi


> > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > published for libtool.  I have determined that this package embeds a
> > > vulnerable copy of the libtool source code.  However, since this is a
> > > mass bug filing (due to so many packages embedding libtool), I have not
> > > had time to determine whether the vulnerable code is actually present
> > > in any of the binary packages. Please determine whether this is the
> > > case. If the package is not affected, please feel free to close the bug
> > > with a message containing the details of what you did to check.
> > >
> > > CVE-2009-3736[0]:
> > > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > > | attempts to open a .la file in the current working directory, which
> > > | allows local users to gain privileges via a Trojan horse file.
> > >
> > > Note that this problem also affects etch and lenny, so if your package
> > > is affected, please coordinate with the security team to release the
> > > DSA for the affected packages.
Is this different to all these python modules that include the working 
directory? When I had a quick look it smelled like these ones, in which case 
none of the packages probably deserves a DSA and they can all be fixed through 
s-p-u/o-s-p-u (and can be urgency 'slow'), but I thought I'd ask first in case 
I misunderstood the issue.

Cheers
Steffen
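A triage script for the "please determine whether the vulnerable code is actually present in any of the binary packages" request in the quoted bug report, added here as an example; it is not part of this thread and not a Debian tool. It assumes two string markers (an ELF that links the shared library carries the NEEDED name libltdl.so, while lt_dlopen appears whether ltdl is imported or compiled in) and is meant to be pointed at the tree of an unpacked binary package (e.g. from `dpkg-deb -x`).

```python
import os
import sys

# Marker bytes are an assumption of this example, not from the bug report:
# "libltdl.so" is the NEEDED name of the shared library in .dynstr;
# "lt_dlopen" is ltdl's entry point and appears both when imported from the
# shared library and when a private copy of ltdl.c is compiled in.
SHARED_MARKER = b"libltdl.so"
API_MARKER = b"lt_dlopen"
ELF_MAGIC = b"\x7fELF"


def classify_bytes(data):
    """Classify raw file contents.

    'not-elf'        : not a native binary, skip
    'no-ltdl'        : no trace of the ltdl API
    'shared-libltdl' : uses the system libltdl; fixed by updating that package
    'embedded-ltdl'  : references lt_dlopen without the shared library, so it
                       most likely carries its own copy and needs its own fix
    A binary that both embeds ltdl and links the shared one is reported as
    'shared-libltdl'; confirm candidates with nm -D or objdump -T.
    """
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    if API_MARKER not in data:
        return "no-ltdl"
    if SHARED_MARKER in data:
        return "shared-libltdl"
    return "embedded-ltdl"


def classify_file(path):
    with open(path, "rb") as fh:
        return classify_bytes(fh.read())


def triage_tree(root):
    """Return {path: verdict} for every ELF file below root (symlinks skipped)."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            verdict = classify_file(path)
            if verdict != "not-elf":
                verdicts[path] = verdict
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(triage_tree(sys.argv[1]).items()):
        print(f"{verdict:15} {path}")
```

Only files reported as embedded-ltdl need the package itself rebuilt; shared-libltdl hits are covered by the libltdl update.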

