
Bug#559829: marked as done (CVE-2009-3736 local privilege escalation)



Your message dated Sun, 24 Jan 2010 00:38:04 +0000
with message-id <E1NYqUO-0003dS-W2@ries.debian.org>
and subject line Bug#559829: fixed in synfig 0.62.00-1
has caused the Debian Bug report #559829,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
559829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559829
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: synfig
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Source: synfig
Source-Version: 0.62.00-1

We believe that the bug you reported is fixed in the latest version of
synfig, which is due to be installed in the Debian FTP archive:

libsynfig-dev_0.62.00-1_amd64.deb
  to main/s/synfig/libsynfig-dev_0.62.00-1_amd64.deb
libsynfig0_0.62.00-1_amd64.deb
  to main/s/synfig/libsynfig0_0.62.00-1_amd64.deb
synfig-dbg_0.62.00-1_amd64.deb
  to main/s/synfig/synfig-dbg_0.62.00-1_amd64.deb
synfig-examples_0.62.00-1_all.deb
  to main/s/synfig/synfig-examples_0.62.00-1_all.deb
synfig_0.62.00-1.diff.gz
  to main/s/synfig/synfig_0.62.00-1.diff.gz
synfig_0.62.00-1.dsc
  to main/s/synfig/synfig_0.62.00-1.dsc
synfig_0.62.00-1_amd64.deb
  to main/s/synfig/synfig_0.62.00-1_amd64.deb
synfig_0.62.00.orig.tar.gz
  to main/s/synfig/synfig_0.62.00.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Zacchiroli <zack@debian.org> (supplier of updated synfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 24 Jan 2010 00:01:27 +0100
Source: synfig
Binary: synfig libsynfig0 libsynfig-dev synfig-dbg synfig-examples
Architecture: source all amd64
Version: 0.62.00-1
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Stefano Zacchiroli <zack@debian.org>
Description: 
 libsynfig-dev - synfig library development files
 libsynfig0 - render library and plugins for synfig 2D animation
 synfig     - vector-based 2D animation renderer
 synfig-dbg - synfig debugging symbols
 synfig-examples - synfig animation examples
Closes: 559829
Changes: 
 synfig (0.62.00-1) unstable; urgency=low
 .
   * QA upload.
   * New upstream release.
   * Upgrade to a non-vulnerable version of ltdl and link against system
     library libltdl3; add build-dep on libltdl3-dev and force configure to
     use system library. Fix for CVE-2009-3736. (Closes: #559829)
   * Bump dep on etl-dev to >= 0.04.13 (needed since this version)
   * Bump standards-version to 3.8.3 (no changes needed)
   * Ship libsynfig.a, which was not installed before (not even by upstream)
   * Set section for package synfig-dbg to "debug" (thanks, lintian)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
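The bug report asks the maintainer to determine whether the built binaries actually carry the embedded libltdl copy, and the changelog resolves it by linking against the system libltdl3 instead. The following script is an added example, not part of the bug report or of the synfig package: it classifies a binary from the text output of `objdump -p` (DT_NEEDED entries) and `nm -D --defined-only` (symbols the object itself exports), so a maintainer can record in the closing message what was checked. The function names and the sample tool outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether an ELF object
# links the system libltdl, carries its own exported copy of ltdl, or
# does not use ltdl at all.
#
# Prints "system"   if the NEEDED list names libltdl.so.*,
#        "embedded" if the object itself defines lt_dl* symbols,
#        "none"     if neither.
# Takes the two tool outputs as arguments so it runs without binutils.
classify_ltdl() {
    needed="$1"     # output of: objdump -p <file>
    defined="$2"    # output of: nm -D --defined-only <file>
    if printf '%s\n' "$needed" |
        awk '$1 == "NEEDED" && $2 ~ /^libltdl\.so/ { f = 1 } END { exit !f }'; then
        echo system
    elif printf '%s\n' "$defined" |
        awk '$3 ~ /^lt_dl/ { f = 1 } END { exit !f }'; then
        echo embedded
    else
        echo none
    fi
}

# Convenience wrapper for a real file (needs binutils installed).
classify_file() {
    classify_ltdl "$(objdump -p "$1" 2>/dev/null)" \
                  "$(nm -D --defined-only "$1" 2>/dev/null)"
}

# Constructed sample outputs, in the shape the two tools print.
# Case 1: a build that still ships the embedded ltdl and exports it.
EMBEDDED_NEEDED='  NEEDED               libc.so.6'
EMBEDDED_NM='0000000000012340 T lt_dlopen
0000000000012380 T lt_dlinit
0000000000012400 T main'
# Case 2: a build like synfig 0.62.00-1, linked against system libltdl3.
SYSTEM_NEEDED='  NEEDED               libltdl.so.3
  NEEDED               libc.so.6'
SYSTEM_NM='0000000000012400 T main'
# Case 3: an object that does not use ltdl at all.
PLAIN_NEEDED='  NEEDED               libc.so.6'
PLAIN_NM='0000000000012400 T main'

classify_ltdl "$EMBEDDED_NEEDED" "$EMBEDDED_NM"   # embedded
classify_ltdl "$SYSTEM_NEEDED"   "$SYSTEM_NM"     # system
classify_ltdl "$PLAIN_NEEDED"    "$PLAIN_NM"      # none
```

An embedded copy built with hidden visibility or statically linked into a stripped binary will not show up in `nm -D`; in that case the build log (which ltdl.h and libltdl the configure step picked) is the authoritative check.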
