Debian Bug report logs - #559815
CVE-2009-3736 local privilege escalation


Package: hercules; Maintainer for hercules is Peter De Schrijver (p2) <p2@debian.org>; Source for hercules is src:hercules.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:00:15 UTC

Severity: grave

Tags: patch, security

Fixed in versions hercules/3.06-1.2, hercules/3.07-1

Done: Peter 'p2' De Schrijver <p2@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Mon, 07 Dec 2009 05:00:18 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Peter De Schrijver (p2) <p2@debian.org>. (Mon, 07 Dec 2009 05:00:18 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Sun, 6 Dec 2009 23:58:14 -0500
Package: hercules
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Information forwarded to debian-bugs-dist@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Sat, 12 Dec 2009 23:10:02 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter De Schrijver (p2) <p2@debian.org>. (Sat, 12 Dec 2009 23:10:02 GMT)

Message #10 received at 559815@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike
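Michael's advice above (pass `--without-included-ltdl` to configure, then confirm with `ldd` that the system libltdl is used) can be turned into a repeatable check. The script below is an added example; it is not code from this bug log or from the hercules package. It assumes the bundled copy lives at `libltdl/ltdl.c` and that configure flags are passed from `debian/rules`, and the `ldd` and `nm` listings it carries are constructed samples, not captured output. It goes one step beyond the message: `ldd` only proves a shared libltdl is mapped, so the script also inspects the binary's own symbols with `nm -D`, since a binary that defines `lt_dl*` symbols itself still has the embedded ltdl.c compiled in.

```shell
#!/bin/sh
# Added example: not code from this bug log or from the hercules package.
# Defender-side checks for the embedded-libltdl problem described above:
#   1. does a built binary really use the shared system libltdl?
#   2. does the source package disable the bundled copy at configure time?
# Assumptions (not taken from the thread): the bundled copy lives at
# libltdl/ltdl.c and configure flags are passed from debian/rules.

# Constructed sample listings (not captured from a real hercules build).
SAMPLE_LDD_FIXED='	linux-vdso.so.1 (0x00007fff00000000)
	libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f0000000000)
	libc.so.6 => /lib/libc.so.6 (0x00007e0000000000)'
SAMPLE_LDD_EMBEDDED='	linux-vdso.so.1 (0x00007fff00000000)
	libc.so.6 => /lib/libc.so.6 (0x00007e0000000000)'
SAMPLE_NM_EMBEDDED='0000000000012340 T lt_dlopen
0000000000012400 T lt_dlinit'
SAMPLE_NM_IMPORTED='                 U lt_dlopen
                 U lt_dlinit'

# ltdl_linked_in LDD_OUTPUT
# Succeeds when the ldd listing shows a shared libltdl being loaded.
# This is the check Michael suggests; it proves a shared copy is mapped,
# not that the embedded ltdl.c was left out of the binary.
ltdl_linked_in() {
    printf '%s\n' "$1" | grep -q 'libltdl\.so'
}

# ltdl_defined_locally NM_OUTPUT
# Succeeds when the binary itself defines lt_dl* symbols (type T/t), which
# means ltdl.c was compiled in; a shared-library user only imports them (U).
# Heuristic: nm -D shows nothing for a binary that exports no dynamic
# symbols, so use plain nm on an unstripped build in that case.
ltdl_defined_locally() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]+ +[Tt] +lt_dl'
}

# check_binary PATH: run both checks against a real executable.
check_binary() {
    bin=$1
    lddout=$(ldd "$bin" 2>/dev/null) || { echo "$bin: not a dynamic executable"; return 2; }
    nmout=$(nm -D "$bin" 2>/dev/null)
    if ltdl_defined_locally "$nmout"; then
        echo "$bin: defines lt_dl* itself, embedded ltdl.c is compiled in"
        return 1
    elif ltdl_linked_in "$lddout"; then
        echo "$bin: uses shared libltdl"
        return 0
    else
        echo "$bin: no libltdl.so in ldd output, inspect further"
        return 1
    fi
}

# check_source_tree DIR: report a bundled copy and fail when debian/rules
# does not pass --without-included-ltdl to configure.
check_source_tree() {
    dir=$1
    [ -f "$dir/libltdl/ltdl.c" ] && echo "$dir: bundled libltdl/ltdl.c present"
    if grep -qs -- '--without-included-ltdl' "$dir/debian/rules"; then
        echo "$dir: debian/rules passes --without-included-ltdl"
        return 0
    fi
    echo "$dir: debian/rules does not pass --without-included-ltdl"
    return 1
}

# Demonstration on the constructed samples; on a real system run, e.g.,
# check_binary /path/to/hercules or check_source_tree ./hercules-source.
if ltdl_linked_in "$SAMPLE_LDD_FIXED"; then echo "sample fixed build: shared libltdl"; fi
if ltdl_defined_locally "$SAMPLE_NM_EMBEDDED"; then echo "sample embedded build: lt_dl* compiled in"; fi
```

A package that keeps the bundled `libltdl/` directory but passes the configure flag is reported as present-but-disabled; one that adds only a build-dependency on libltdl3-dev without the flag fails the source-tree check, which is exactly the insufficient fix the message warns about.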




Information forwarded to debian-bugs-dist@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Sun, 24 Jan 2010 13:57:22 GMT)

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Peter De Schrijver (p2) <p2@debian.org>. (Sun, 24 Jan 2010 13:57:22 GMT)

Message #15 received at 559815@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 559815@bugs.debian.org
Cc: control@bugs.debian.org
Subject: hercules: diff for NMU version 3.06-1.2
Date: Sun, 24 Jan 2010 13:46:20 +0000 (UTC)
[Message part 1 (text/plain, inline)]
tags 559815 + patch
thanks

Hoi p2,

I have prepared an NMU for hercules (version 3.06-1.2) to use
the system libtool/libltdl instead of its own bundled version,
according to Policy §4.13, thus fixing CVE-2009-3736.

I’ll have it uploaded to DELAYED/2 according to devref §5.11,
patch is attached.

You might want to have a look at all these gcc warnings about
array accesses being below/above array bounds, though. There
may be more security issues hiding.

Groeten,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"
[hercules_3.06-1.2.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Sun, 24 Jan 2010 13:57:29 GMT)

Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sun, 24 Jan 2010 15:39:44 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 24 Jan 2010 15:39:44 GMT)

Message #22 received at 559815-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 559815-close@bugs.debian.org
Subject: Bug#559815: fixed in hercules 3.06-1.2
Date: Sun, 24 Jan 2010 15:35:31 +0000
Source: hercules
Source-Version: 3.06-1.2

We believe that the bug you reported is fixed in the latest version of
hercules, which is due to be installed in the Debian FTP archive:

hercules_3.06-1.2.diff.gz
  to main/h/hercules/hercules_3.06-1.2.diff.gz
hercules_3.06-1.2.dsc
  to main/h/hercules/hercules_3.06-1.2.dsc
hercules_3.06-1.2_amd64.deb
  to main/h/hercules/hercules_3.06-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559815@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated hercules package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 24 Jan 2010 00:44:52 +0000
Source: hercules
Binary: hercules
Architecture: source amd64
Version: 3.06-1.2
Distribution: unstable
Urgency: low
Maintainer: Peter De Schrijver (p2) <p2@debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 hercules   - System/370, ESA/390 and z/Architecture Emulator
Closes: 559815
Changes: 
 hercules (3.06-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Use autoreconf in order to use system libltdl instead of the bundled
     one (upgrading from 1.x to 2.2). (Closes: #559815) (CVE-2009-3736)
Checksums-Sha1: 
 0303ff24fb9029a2ef417c49268ea5347e4cafa6 1170 hercules_3.06-1.2.dsc
 67a19368b90d460bfa0596e74ca8e40e6deb7d27 18658 hercules_3.06-1.2.diff.gz
 d94c428e6cc3b22b00427e249d866233d9533041 2077576 hercules_3.06-1.2_amd64.deb
Checksums-Sha256: 
 e4765e6c6a7cfad3fb94c54645681a2bd604f428e259adb5191fb08c5bf732f6 1170 hercules_3.06-1.2.dsc
 d2c0580195d370aee1c32c2db25a2d43b0d2ee15c66c03a275ebc93d9928e1e0 18658 hercules_3.06-1.2.diff.gz
 1376f912ae34ff10f966f00f327a60f86a8fa16cb504e614529220af7f4819ab 2077576 hercules_3.06-1.2_amd64.deb
Files: 
 19565cbae260a173c6e0c538ff48a2c2 1170 otherosfs extra hercules_3.06-1.2.dsc
 82c5772dd012ca5382da5f9f69dea32c 18658 otherosfs extra hercules_3.06-1.2.diff.gz
 ff0d44d274651489a246e7e26ccf1fdc 2077576 otherosfs extra hercules_3.06-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLXFgwVkEm8inxm9ERAlj3AJ400otJBQWb993MAeelVd8eyejDSwCfTMBf
SW5akfqRPFE+EBUtD7jCHkg=
=jg3o
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Mon, 25 Jan 2010 14:54:03 GMT)

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Peter De Schrijver (p2) <p2@debian.org>. (Mon, 25 Jan 2010 14:54:03 GMT)

Message #27 received at 559815@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 566765@bugs.debian.org
Cc: control@bugs.debian.org, 559815@bugs.debian.org
Subject: hercules: diff for NMU version 3.06-1.3
Date: Mon, 25 Jan 2010 14:50:55 +0000 (UTC)
[Message part 1 (text/plain, inline)]
tags 566765 + patch
thanks

Hoi p2,

I have prepared an NMU for hercules (version 3.06-1.3) which
fixes the FTBFS I seem to have accidentally introduced with
the 3.06-1.2 NMU (GNU autohell, you see).

As discussed at the BSP, this will be uploaded with urgency=high
and not to DELAYED/* since it fixes a security issue.

Groeten,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"
[hercules_3.06-1.3.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Thu, 28 Jan 2010 09:18:02 GMT)

Acknowledgement sent to Frans Pop <elendil@planet.nl>:
Extra info received and forwarded to list. Copy sent to Peter De Schrijver (p2) <p2@debian.org>. (Thu, 28 Jan 2010 09:18:02 GMT)

Message #32 received at 559815@bugs.debian.org:

From: Frans Pop <elendil@planet.nl>
To: 559815@bugs.debian.org
Cc: Thorsten Glaser <tg@mirbsd.de>
Subject: Bug#559815: gcc warnings about array bounds in Hercules
Date: Thu, 28 Jan 2010 10:14:44 +0100
Just happened to be looking at the BTS...

Thorsten Glaser wrote:
> You might want to have a look at all these gcc warnings about
> array accesses being below/above array bounds, though. There
> may be more security issues hiding.

These warnings have been fixed in the upcoming upstream release.

Cheers,
FJP




Information forwarded to debian-bugs-dist@lists.debian.org, debian-release@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>:
Bug#559815; Package hercules. (Sat, 30 Jan 2010 23:15:02 GMT)

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org, Peter De Schrijver (p2) <p2@debian.org>. (Sat, 30 Jan 2010 23:15:02 GMT)

Message #37 received at 559815@bugs.debian.org:

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: 559815@bugs.debian.org
Subject: CVE-2009-3736: please fix this bug via p-u in stable
Date: Sat, 30 Jan 2010 23:54:15 +0100
Hi Peter,

according to http://security-tracker.debian.org/tracker/CVE-2009-3736
this issue will not be fixed via DSA, so please prepare an upload to
proposed-updates.

Thanks
Martin

-- 
 Martin Zobel-Helas <zobel@debian.org>  | Debian System Administrator
 Debian & GNU/Linux Developer           |           Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870





Reply sent to Peter 'p2' De Schrijver <p2@debian.org>:
You have taken responsibility. (Wed, 24 Mar 2010 19:51:13 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Wed, 24 Mar 2010 19:51:13 GMT)

Message #42 received at 559815-close@bugs.debian.org:

From: Peter 'p2' De Schrijver <p2@debian.org>
To: 559815-close@bugs.debian.org
Subject: Bug#559815: fixed in hercules 3.07-1
Date: Wed, 24 Mar 2010 19:48:31 +0000
Source: hercules
Source-Version: 3.07-1

We believe that the bug you reported is fixed in the latest version of
hercules, which is due to be installed in the Debian FTP archive:

hercules_3.07-1.diff.gz
  to main/h/hercules/hercules_3.07-1.diff.gz
hercules_3.07-1.dsc
  to main/h/hercules/hercules_3.07-1.dsc
hercules_3.07-1_i386.deb
  to main/h/hercules/hercules_3.07-1_i386.deb
hercules_3.07.orig.tar.gz
  to main/h/hercules/hercules_3.07.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559815@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter 'p2' De Schrijver <p2@debian.org> (supplier of updated hercules package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Mar 2010 20:24:26 +0200
Source: hercules
Binary: hercules
Architecture: source i386
Version: 3.07-1
Distribution: unstable
Urgency: low
Maintainer: Peter De Schrijver (p2) <p2@debian.org>
Changed-By: Peter 'p2' De Schrijver <p2@debian.org>
Description: 
 hercules   - System/370, ESA/390 and z/Architecture Emulator
Closes: 542143 557162 559815 569913 573355 573355
Changes: 
 hercules (3.07-1) unstable; urgency=low
 .
   * New upstream release (Closes: #573355)
   * Integrated multiple fixes from Simon McVittie (Closes: #557162)
   * Added dasdinit manpage (Closes: #542143)
   * Updated package description (Closes: #569913)
   * Updated README.Debian. Thanks to Frans Pop. (Closes: #573355)
   * Integrated fix for CVE-2009-3736. Thanks to Thorsten Glaser. (Closes: #559815)
Checksums-Sha1: 
 83274ec803abcc256dbf2f5fff892e84948345e1 1161 hercules_3.07-1.dsc
 d0b2e543dd66ee43576e5a5faff8f4cc061cffb4 2701835 hercules_3.07.orig.tar.gz
 07779ef5efa9cc52a0d7e87efa29cb4568efc951 29764 hercules_3.07-1.diff.gz
 ab6a8ff028d10ce0551e27033cc866fe1a97d8b9 2364100 hercules_3.07-1_i386.deb
Checksums-Sha256: 
 bbb073800140cd9270c9dc7d3bf674a57b4e454166abf801631a9cf870fcb9ea 1161 hercules_3.07-1.dsc
 02d5f6c66d699d413a4db9ef5a799249a6645ac10f2af1edb37992e7fa1f7724 2701835 hercules_3.07.orig.tar.gz
 1cfe5c5cfe2ac839f3b145a721d16166cc2cf7594e7f503b6a0005159030898c 29764 hercules_3.07-1.diff.gz
 78b8b96315850205271f3da74553f0b8a7ba97d68488a2d6c6b6aa00cd56425d 2364100 hercules_3.07-1_i386.deb
Files: 
 cfb110ede92120678ae0e7f8dab15db8 1161 otherosfs extra hercules_3.07-1.dsc
 a12aa1645b0695b25b7fc0c9a3ccab3a 2701835 otherosfs extra hercules_3.07.orig.tar.gz
 c7dca14f38aa4e871f9991eb9a23243c 29764 otherosfs extra hercules_3.07-1.diff.gz
 790b540bd99f982eb5fd1ee4aed8f4aa 2364100 otherosfs extra hercules_3.07-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLqmlLKLKVw/RurbsRAqdJAJwNrvfvqESagpii1q1HfDuRSpx6QACcCanz
0V5Q4jEja31B7Gh248Jy52U=
=oVyB
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:03:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:40:32 2014; Machine Name: beach.debian.org
