
Bug#559827: marked as forwarded (CVE-2009-3736 local privilege escalation)

Subject: Bug#559827: marked as forwarded CVE-2009-3736 local privilege escalation
From: Debian Bug Tracking System
Date: Fri, 19 Feb 2010 21:06:07 +0000
Your message dated Fri, 19 Feb 2010 22:02:24 +0100
with message-id <[email protected]>
has caused the report #559827,
regarding CVE-2009-3736 local privilege escalation
to be marked as having been forwarded to the upstream software
author(s) Thomas Ries <[email protected]>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]

559827: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559827
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Fwd: siproxd Bug#559827: CVE-2009-3736 local privilege escalation
From: Mark Purcell
Date: Fri, 19 Feb 2010 22:02:24 +0100

As you are aware, siproxd contains a convenience copy of libltdl and there is 
no method in the configure script to use a system provided libltdl.

While I can understand that providing this library directly with your code 
helps your users build the package, this does also introduce a security 
vulnerability as a bug in the library then needs to be fixed in each and every 
application which includes a convenience copy. 

This has indeed occurred (see attached) with a local privilege escalation issue 
(CVE) being identified in the convenience copy of libltdl you ship with siproxd.

Whilst Debian has already fixed this CVE for the system provided libltdl, we 
now need to go through every single application that provides a convenience 

So you should be aware that siproxd as shipped in your upstream distribution is 
vulnerable to CVE-2009-3736.

Could I ask you to modify your configure script to check first for a system 
provided libltdl and use that in preference to any convenience copy.

I would recommend that you don't ship a convenience copy, for these reasons, 
and make libltdl a build-time system dependency, as you have done with 

If you do wish to continue to ship libltdl, then you should ensure it is 
up to date and at least fixes the CVE identified in this report.

Could I ask you to maintain the (Cc:) in any replies so we can track this issue 
correctly in our Bug Tracking System (BTS).  You may also wish to subscribe to 
our email-based Package Tracking System (PTS) for siproxd; had you been 
subscribed, you would have received the attached email directly rather than 
second hand through me: http://packages.qa.debian.org/s/siproxd.html

I will attempt to modify your configure script to address this issue in Debian; 
however, this bug report affects all your distributed source packages.


----------  Forwarded Message  ----------

Subject: Bug#559827: CVE-2009-3736 local privilege escalation
Date: Monday 07 December 2009
From: Michael Gilbert <[email protected]>
To: [email protected]

Package: siproxd
Severity: grave
Tags: security


The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736


--- End Message ---
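An added example, not part of the bug report, of siproxd or of Debian's tooling: a small POSIX shell audit for the first question Michael Gilbert's mass filing asks of each maintainer, namely whether a source tree carries a convenience copy of libltdl and whether that copy falls inside the range the CVE text names (1.5.x, and 2.2.6 before 2.2.6b). It assumes the copy ships libtool's own ltmain.sh with its VERSION= line, which is how libtool distributes itself; the sample tree it audits is constructed inline.

```shell
#!/bin/sh
# Added example (not siproxd's or Debian's code): find convenience copies of
# libltdl in a source tree and classify each one against the affected range
# quoted in CVE-2009-3736.  Assumes the copy includes libtool's ltmain.sh,
# whose "VERSION=..." line records the libtool release it came from.

# Print the libtool version recorded in an ltmain.sh.  Quotes are stripped and
# any vendor suffix after a space is dropped, e.g. VERSION="2.2.6 Debian-2.2.6-2"
# yields 2.2.6.  Prints nothing if no VERSION= line exists.
ltmain_version() {
    sed -n 's/^VERSION=//p' "$1" | tr -d '"' | cut -d' ' -f1 | head -n 1
}

# Classify a libtool version string against the CVE text:
#   vulnerable : 1.5.x, or 2.2.6 / 2.2.6a (i.e. 2.2.6 before 2.2.6b)
#   fixed      : 2.2.6b and later
#   unknown    : anything else (including an empty string)
classify_ltdl_version() {
    case "$1" in
        "")                          echo unknown ;;
        1.5|1.5.*)                   echo vulnerable ;;
        2.2.6|2.2.6a)                echo vulnerable ;;
        2.2.6b|2.2.[7-9]*|2.2.[1-9][0-9]*|2.[3-9]*|[3-9]*) echo fixed ;;
        *)                           echo unknown ;;
    esac
}

# Walk a source tree and print one line per ltmain.sh found:
#   <path> <version|none> <vulnerable|fixed|unknown>
audit_ltdl_copies() {
    find "$1" -name ltmain.sh -type f | while IFS= read -r f; do
        ver=$(ltmain_version "$f")
        echo "$f ${ver:-none} $(classify_ltdl_version "$ver")"
    done
}

# Exit status 0 if at least one copy under the tree is classified vulnerable.
tree_has_vulnerable_ltdl() {
    audit_ltdl_copies "$1" | grep -q ' vulnerable$'
}

# Build a constructed sample tree (not real siproxd sources) so the script can
# run stand-alone: one embedded copy from libtool 1.5.26 and one from 2.2.6b.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/embedded/libltdl" "$d/vendor"
    printf 'VERSION=1.5.26\n' > "$d/embedded/libltdl/ltmain.sh"
    printf 'VERSION="2.2.6b"\n' > "$d/vendor/ltmain.sh"
    echo "$d"
}

# Usage: audit-ltdl.sh [source-tree]; without an argument the sample tree is used.
tree=${1:-$(demo_tree)}
audit_ltdl_copies "$tree"
if tree_has_vulnerable_ltdl "$tree"; then
    echo "RESULT: vulnerable convenience copy of libltdl present under $tree"
else
    echo "RESULT: no vulnerable convenience copy of libltdl found under $tree"
fi
```

A hit here only shows that vulnerable ltdl.c ships in the tarball, which is the point the report makes about source packages; whether the built binary actually compiled it in is the separate check the filing asks for (for instance, whether the installed siproxd binary carries a NEEDED entry for the system libltdl.so or not), and that is what decides whether the binary packages need a DSA.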