
Bug#559814: marked as done (CVE-2009-3736 local privilege escalation)



Your message dated Thu, 18 Feb 2010 10:47:24 +0000
with message-id <E1Ni3um-0005kH-1b@ries.debian.org>
and subject line Bug#559814: fixed in hamlib 1.2.10-1
has caused the Debian Bug report #559814,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
559814: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559814
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: hamlib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
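As an added example, not code from the bug report or from hamlib, the following Python script performs the source-side half of the check the report asks maintainers to make: it walks a source tree for an embedded libltdl copy (marked by ltdl.c) and classifies the embedded libtool release against the affected ranges quoted from the CVE text (1.5.x, and 2.2.6 before 2.2.6b). It assumes, as a heuristic not stated in the report, that the embedded copy ships an ltmain.sh whose VERSION= line names the libtool release; the sample tree used to exercise it is constructed.

```python
# Audit a source tree for an embedded libltdl copy in the CVE-2009-3736 ranges
# quoted above (GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b). Assumption, not
# from the report: the embedded copy ships ltmain.sh, whose VERSION= line names
# the libtool release, and ltdl.c marks the libltdl source itself.
import os
import re

def parse_version(text):
    """Split '2.2.6b' into ((2, 2, 6), 'b'); return None if unparseable."""
    m = re.fullmatch(r'(\d+(?:\.\d+)*)([a-z]?)', text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split('.')), m.group(2)

def is_vulnerable(version):
    """True/False for the CVE-2009-3736 ranges; None when version is unreadable."""
    parsed = parse_version(version or '')
    if parsed is None:
        return None  # needs manual review
    nums, suffix = parsed
    if nums[:2] == (1, 5):  # every 1.5.x release is affected
        return True
    if nums == (2, 2, 6):  # 2.2.6 and 2.2.6a affected; 2.2.6b carries the fix
        return suffix < 'b'
    return False

def ltmain_version(path):
    """Read the libtool release from an ltmain.sh VERSION= line, or None."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        m = re.search(r'^\s*VERSION=["\']?([0-9][0-9.]*[a-z]?)', fh.read(), re.M)
    return m.group(1) if m else None

def audit_tree(root):
    """List (ltdl.c path, libtool version or None, verdict) per embedded copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if 'ltdl.c' not in files:
            continue
        version = None
        # Prefer an ltmain.sh beside ltdl.c, then the one at the tree root.
        for cand in (os.path.join(dirpath, 'ltmain.sh'),
                     os.path.join(root, 'ltmain.sh')):
            if os.path.isfile(cand):
                version = ltmain_version(cand)
            if version:
                break
        findings.append((os.path.join(dirpath, 'ltdl.c'), version,
                         is_vulnerable(version)))
    return findings
```

A clean result here does not settle the binary question the report raises: the built libraries still need checking for whether they were linked against the system libltdl rather than the private copy.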
--- Begin Message ---
Source: hamlib
Source-Version: 1.2.10-1

We believe that the bug you reported is fixed in the latest version of
hamlib, which is due to be installed in the Debian FTP archive:

hamlib_1.2.10-1.diff.gz
  to main/h/hamlib/hamlib_1.2.10-1.diff.gz
hamlib_1.2.10-1.dsc
  to main/h/hamlib/hamlib_1.2.10-1.dsc
hamlib_1.2.10.orig.tar.gz
  to main/h/hamlib/hamlib_1.2.10.orig.tar.gz
libhamlib++-dev_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib++-dev_1.2.10-1_amd64.deb
libhamlib-dev_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib-dev_1.2.10-1_amd64.deb
libhamlib-doc_1.2.10-1_all.deb
  to main/h/hamlib/libhamlib-doc_1.2.10-1_all.deb
libhamlib-utils_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib-utils_1.2.10-1_amd64.deb
libhamlib2++c2_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2++c2_1.2.10-1_amd64.deb
libhamlib2-perl_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2-perl_1.2.10-1_amd64.deb
libhamlib2-tcl_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2-tcl_1.2.10-1_amd64.deb
libhamlib2_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2_1.2.10-1_amd64.deb
python-libhamlib2_1.2.10-1_amd64.deb
  to main/h/hamlib/python-libhamlib2_1.2.10-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kamal Mostafa <kamal@whence.com> (supplier of updated hamlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 16 Feb 2010 18:56:10 -0800
Source: hamlib
Binary: libhamlib2 libhamlib2++c2 libhamlib-dev libhamlib++-dev libhamlib2-perl libhamlib2-tcl python-libhamlib2 libhamlib-utils libhamlib-doc
Architecture: source amd64 all
Version: 1.2.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Kamal Mostafa <kamal@whence.com>
Description: 
 libhamlib++-dev - Development library to control radio transceivers and receivers
 libhamlib-dev - Development library to control radio transceivers and receivers
 libhamlib-doc - Documentation for the hamlib radio control library
 libhamlib-utils - Utilities to support the hamlib radio control library
 libhamlib2 - Run-time library to control radio transceivers and receivers
 libhamlib2++c2 - Run-time library to control radio transceivers and receivers
 libhamlib2-perl - Run-time library to control radio transceivers and receivers
 libhamlib2-tcl - Run-time library to control radio transceivers and receivers
 python-libhamlib2 - Run-time library to control radio transceivers and receivers
Closes: 556098 559814
Changes: 
 hamlib (1.2.10-1) unstable; urgency=low
 .
   * New upstream release.
   * New maintainer: Kamal Mostafa <kamal@whence.com> (Closes: #556098).
   * Use system libltdl not old internal copy CVE-2009-3736 (Closes: #559814):
     - Build-depend on libltdl3-dev
     - configure, Makefile.am, Makefile.in: skip internal libltdl build
   * Enable hamlib USB support: configure with LIBUSB_LIBS predefined.
   * Enable hamlib Tcl bindings: configure with --enable-tcl-binding.
   * Debian Standards-Version bump to 3.8.4.
   * Python 2.6 transition [Michael Bienia <geser@ubuntu.com>].
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLe8Zm1cqbBPLEI7wRAol0AJ9agnEwDsZ+G9hnAyBaAv3n1kipJACfX9I0
p8K3RMc7W6tUkf4EsUBrPDU=
=G4RU
-----END PGP SIGNATURE-----



--- End Message ---
