
Bug#559814: hamlib: stable-security fix CVE-2009-3736



Dear security team-

I'm the DM maintainer for the package 'hamlib' (I am also currently working
through the process of becoming a DD).  Regarding this bug (a mass-filed CVE
against libtool):

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559814
    CVE-2009-3736 local privilege escalation

I fixed this problem for hamlib in unstable (and upstream) some time ago.
I have now constructed a fix package for hamlib in stable, for which I ask
permission to upload to stable-security.  The fix package has been
reviewed by Gunnar Wolf, who has kindly agreed to upload it pending
approval.

The affected package in stable (lenny) is

    hamlib (1.2.7.1-1)

My fix package bears the following changelog entry, which explains the
changes.  Note also that I updated the Maintainer/Uploaders/DM-Upload-Allowed
fields to reflect the current maintainer status for this package.

    hamlib (1.2.7.1-1+lenny1) stable-security; urgency=high

      * Fix CVE-2009-3736 local privilege escalation (Closes: #559814):
        - Use system libltdl not old internal copy
        - Build-depend on libltdl3-dev
        - configure, Makefile.am: skip internal libltdl build
      * New maintainer: Kamal Mostafa <kamal@whence.com> (Closes: #556098).

I have built and tested this fix on a fresh lenny system.

For your review, here is the debdiff (minus the re-generated files configure
and Makefile.in):

    http://www.whence.com/debian/proposed/hamlib+lenny1/hamlib+lenny1.patch

My fix packages are available here:

    http://www.whence.com/debian/proposed/hamlib+lenny1

Thanks,

 -Kamal
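The changelog above describes the shape of the fix for the libtool mass bug: stop building the bundled libltdl and build-depend on the system copy instead. The script below is an added example (not part of this mail, the debdiff, or hamlib's sources) that audits an unpacked source package for that pattern: it reports whether a bundled `libltdl/ltdl.c` is present, whether `Makefile.am`'s `SUBDIRS` or the configure script still pulls the internal copy in, and whether `debian/control` build-depends on a system libltdl -dev package. The two sample trees it writes are constructed placeholders; their file contents, the package name `example`, and the `-dev` package names other than `libltdl3-dev` are assumptions for illustration.

```python
"""Audit an unpacked Debian source package for an embedded libltdl copy
(the pattern behind CVE-2009-3736) and check that the packaging builds
against the system libltdl instead.

Added example; the sample trees written by make_sample_tree() are
constructed placeholders, not hamlib's real sources."""
import os
import re
import tempfile

# autoconf macros (libtool 1.5 / 2.x) that wire in the bundled convenience libltdl
INTERNAL_LTDL_MACROS = ("AC_LIBLTDL_CONVENIENCE", "AC_LIBLTDL_INSTALLABLE", "LTDL_INIT")
# -dev package names accepted as "system libltdl" (libltdl3-dev is the lenny-era one)
SYSTEM_LTDL_DEV = ("libltdl3-dev", "libltdl-dev", "libltdl7-dev")


def _read(path):
    """Return a file's text, or '' if it does not exist."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def build_depends_on_system_ltdl(control_text):
    """True if the Build-Depends field (with continuation lines) names a system libltdl -dev."""
    m = re.search(r"^Build-Depends:\s*(.*?)(?=^\S|\Z)", control_text, re.M | re.S)
    if not m:
        return False
    # strip version constraints: "libltdl3-dev (>= 1.5)" -> "libltdl3-dev"
    deps = [d.strip().split()[0] for d in m.group(1).replace("\n", " ").split(",") if d.strip()]
    return any(d in SYSTEM_LTDL_DEV for d in deps)


def audit_source_tree(root):
    """Return the findings for one unpacked source tree rooted at `root`."""
    makefile_am = _read(os.path.join(root, "Makefile.am"))
    configure_ac = _read(os.path.join(root, "configure.ac")) or _read(os.path.join(root, "configure.in"))
    control = _read(os.path.join(root, "debian", "control"))
    subdirs = re.search(r"^SUBDIRS\s*=\s*(.*)$", makefile_am, re.M)
    subdir_list = subdirs.group(1).split() if subdirs else []
    return {
        "embedded_ltdl_present": os.path.isfile(os.path.join(root, "libltdl", "ltdl.c")),
        "makefile_builds_internal_ltdl": "libltdl" in subdir_list,
        "configure_uses_internal_ltdl": any(mac in configure_ac for mac in INTERNAL_LTDL_MACROS),
        "build_depends_system_ltdl": build_depends_on_system_ltdl(control),
    }


def is_fixed(findings):
    """Mirror the changelog: internal copy no longer built, system -dev package required.
    A leftover libltdl/ directory is tolerated as long as nothing builds it."""
    return (findings["build_depends_system_ltdl"]
            and not findings["makefile_builds_internal_ltdl"]
            and not findings["configure_uses_internal_ltdl"])


def make_sample_tree(fixed):
    """Write a constructed, minimal source tree (before or after the fix); return its root."""
    root = tempfile.mkdtemp(prefix="ltdl-audit-")
    os.makedirs(os.path.join(root, "libltdl"))
    os.makedirs(os.path.join(root, "debian"))
    with open(os.path.join(root, "libltdl", "ltdl.c"), "w") as f:
        f.write("/* bundled copy of libtool's ltdl.c (constructed placeholder) */\n")
    with open(os.path.join(root, "Makefile.am"), "w") as f:
        f.write("SUBDIRS = src doc\n" if fixed else "SUBDIRS = libltdl src doc\n")
    with open(os.path.join(root, "configure.ac"), "w") as f:
        f.write("AC_INIT([example], [1.0])\n")
        f.write("AC_CHECK_LIB([ltdl], [lt_dlinit])\n" if fixed else "AC_LIBLTDL_CONVENIENCE\n")
    with open(os.path.join(root, "debian", "control"), "w") as f:
        f.write("Source: example\nBuild-Depends: debhelper (>= 7),\n")
        if fixed:
            f.write(" libltdl3-dev\n")
        f.write("\nPackage: libexample\nArchitecture: any\n")
    return root


if __name__ == "__main__":
    for label, fixed in (("before fix", False), ("after fix", True)):
        findings = audit_source_tree(make_sample_tree(fixed))
        print(f"{label}: fixed={is_fixed(findings)} {findings}")
```

Point `audit_source_tree()` at a real unpacked source directory (e.g. the one produced by `dpkg-source -x`) to check a package; the "before fix" sample tree reports the internal copy being built and no system build-dependency, the "after fix" tree reports the state the changelog describes.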
