Debian Bug report logs - #559822
CVE-2009-3736 local privilege escalation


Package: mp4h; Maintainer for mp4h is Debian WML Packaging Team <pkg-wml-maintainers@lists.alioth.debian.org>; Source for mp4h is src:mp4h.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:06:01 UTC

Owned by: pkg-wml-maintainers@lists.alioth.debian.org

Severity: grave

Tags: patch, security

Fixed in version mp4h/1.3.1-4.1

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#559822; Package mp4h. (Mon, 07 Dec 2009 05:06:04 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. (Mon, 07 Dec 2009 05:06:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:01:24 -0500
Package: mp4h
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#559822; Package mp4h. (Sun, 13 Dec 2009 06:06:03 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. (Sun, 13 Dec 2009 06:06:03 GMT)

Message #10 received at 559822@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike
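
The checks Michael describes above (ldd as a necessary but not sufficient test, and the need for --without-included-ltdl rather than only a build-dependency), as an added POSIX shell example that is not part of this bug report, of the mp4h package, or of any Debian tooling. The nm-based check and the debian/rules grep are additions of mine; the layout assumed (an ltdl.c somewhere in the unpacked tree, the configure flag passed from debian/rules) is an assumption about a typical Debian package, and the paths in audit_build are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the mp4h package): helper
# functions for auditing a package that may embed libltdl. Each check
# reads tool output on stdin or takes a path, so it runs on a real build
# (e.g. `ldd ./mp4h | ldd_uses_system_ltdl`) as well as on captured text.

# Check 1: does the dynamic loader pull in the system libltdl?
# Exit 0 if any libltdl.so entry appears in `ldd` output.
# Necessary, not sufficient: a copy of ltdl.c compiled into the binary
# itself never shows up in ldd at all.
ldd_uses_system_ltdl() {
    grep -q 'libltdl\.so'
}

# Check 2: does the binary *define* the ltdl entry points itself?
# Reads `nm` (not `nm -D`) output. A "T lt_dlopen" line means the code
# for that function lives in this file, i.e. an embedded copy was linked
# in; a "U lt_dlopen" line means it is imported from a shared library.
# Caveat: stripped binaries carry no static symbol table, so run this on
# the unstripped build output (assumption: the build keeps one around).
nm_defines_ltdl() {
    grep -Eq '^[0-9a-fA-F]+ +[Tt] +lt_dl(open|init|sym|close)'
}

# Check 3: classify an unpacked source tree.
#   embedded-only : ships ltdl.c and debian/rules does not opt out of it
#   system-ltdl   : ships ltdl.c but debian/rules passes --without-included-ltdl
#   no-ltdl       : no ltdl.c anywhere in the tree
# Assumption: the configure flag is passed from debian/rules; if a package
# passes it elsewhere, extend the grep accordingly.
source_tree_status() {
    dir=$1
    if find "$dir" -name ltdl.c | grep -q .; then
        if grep -qs -- '--without-included-ltdl' "$dir/debian/rules"; then
            echo system-ltdl
        else
            echo embedded-only
        fi
    else
        echo no-ltdl
    fi
}

# Run all three on a built tree. Paths are placeholders, e.g.
#   audit_build ./mp4h-1.3.1 ./mp4h-1.3.1/src/mp4h
audit_build() {
    tree=$1
    bin=$2
    echo "source tree: $(source_tree_status "$tree")"
    if ldd "$bin" | ldd_uses_system_ltdl; then
        echo "ldd: system libltdl is loaded"
    else
        echo "ldd: no libltdl loaded (static copy, or no ltdl use at all)"
    fi
    if nm "$bin" 2>/dev/null | nm_defines_ltdl; then
        echo "nm: lt_dl* defined inside the binary -> embedded copy linked in"
    else
        echo "nm: lt_dl* not defined locally (imported, or binary is stripped)"
    fi
}
```

A tree that reports system-ltdl and a binary whose ldd shows libltdl.so while nm shows lt_dl* only as U symbols is the combination you want; any other combination means the embedded copy is still in play or the build needs a closer look.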




Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#559822; Package mp4h. (Thu, 04 Mar 2010 19:57:04 GMT)

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. (Thu, 04 Mar 2010 19:57:05 GMT)

Message #15 received at 559822@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 559822@bugs.debian.org
Cc: control@bugs.debian.org
Subject: mp4h: diff for NMU version 1.3.1-4.1
Date: Thu, 4 Mar 2010 19:50:50 +0000 (UTC)
tags 559822 + patch
thanks

Dear Felipe,

I've prepared an NMU for mp4h (versioned as 1.3.1-4.1) and will
upload it to DELAYED/2, according to devref §5.11.1, now.

This one's similar to my hercules fix, using autoreconf to tear
out the old GNU autotools/libtool infrastructure and replace it
with a new one (for that, relatively simple though).

bye,
//mirabilos
-- 
FWIW, I'm quite impressed with mksh interactively. I thought it was much
*much* more bare bones. But it turns out it beats the living hell out of
ksh93 in that respect. I'd even consider it for my daily use if I hadn't
wasted half my life on my zsh setup. :-) -- Frank Terbeck in #!/bin/mksh
[mp4h_1.3.1-4.1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Thu, 04 Mar 2010 19:57:08 GMT)

Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sat, 06 Mar 2010 21:42:11 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 06 Mar 2010 21:42:11 GMT)

Message #22 received at 559822-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 559822-close@bugs.debian.org
Subject: Bug#559822: fixed in mp4h 1.3.1-4.1
Date: Sat, 06 Mar 2010 21:40:22 +0000
Source: mp4h
Source-Version: 1.3.1-4.1

We believe that the bug you reported is fixed in the latest version of
mp4h, which is due to be installed in the Debian FTP archive:

mp4h_1.3.1-4.1.diff.gz
  to main/m/mp4h/mp4h_1.3.1-4.1.diff.gz
mp4h_1.3.1-4.1.dsc
  to main/m/mp4h/mp4h_1.3.1-4.1.dsc
mp4h_1.3.1-4.1_i386.deb
  to main/m/mp4h/mp4h_1.3.1-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated mp4h package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Thu, 04 Mar 2010 19:30:06 +0000
Source: mp4h
Binary: mp4h
Architecture: source i386
Version: 1.3.1-4.1
Distribution: unstable
Urgency: high
Maintainer: Felipe Augusto van de Wiel (faw) <faw@debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 mp4h       - Macro processor for HTML documents
Closes: 559822
Changes: 
 mp4h (1.3.1-4.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Update the autotools/libtool subsystem, use libltdl from
     the system instead of our own. (CVE-2009-3736) (Closes: #559822)
   * Fix lintian copyright-without-copyright-notice (possible REJECT cause)
   * Add missing ${misc:Depends} for debhelper to get them right
Checksums-Sha1: 
 687ae666b726b6479ef3f05b07af361ee0607446 1699 mp4h_1.3.1-4.1.dsc
 2684832bf6aa5ce3febe36ce89252140ebd1c9f0 6167 mp4h_1.3.1-4.1.diff.gz
 34800394c7d19ab23d3dcc6df51ef3bbe98a28ab 147118 mp4h_1.3.1-4.1_i386.deb
Checksums-Sha256: 
 066d702af8c2fb198a337f0fa6f6c0b045238ea0cfbc9d7307b12168c56bea3b 1699 mp4h_1.3.1-4.1.dsc
 bdf386812f1e7218d5d17e6dab186aad600c8e9b170400a852352bb6d1fb06a9 6167 mp4h_1.3.1-4.1.diff.gz
 8bd67962ab5825942ca8daeacaaf1a758bb1d8809d961a40be43dc64dc17f0fc 147118 mp4h_1.3.1-4.1_i386.deb
Files: 
 33b17a54875628fa6cceaa554dba93bb 1699 web optional mp4h_1.3.1-4.1.dsc
 b7689650170fb3ed2e492a0b5ca6141d 6167 web optional mp4h_1.3.1-4.1.diff.gz
 5e663343b24434cdccd3d14b2e0fed6f 147118 web optional mp4h_1.3.1-4.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)
-----END PGP SIGNATURE-----
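
Added example, not part of this bug report or of Debian's archive tooling: a small POSIX shell verifier for the Checksums-Sha256 block of a .changes file like the one above. The Files: block carries MD5 and Checksums-Sha1 carries SHA-1, both of which are weak, so only the SHA-256 block is used. It checks integrity only; authenticity of the .changes itself still needs a signature check (gpg --verify, or dscverify from devscripts) against a keyring you trust. It assumes sha256sum is available and that the listed files sit in one directory; the file names in the usage line are those of the upload above, but the script was not run against them here.

```shell
#!/bin/sh
# Added example (not from the bug report or Debian tooling): verify the
# files listed in a .changes file against its Checksums-Sha256 block.
#
# Usage: verify_changes_sha256 mp4h_1.3.1-4.1_i386.changes /path/to/files
# Prints one OK / MISMATCH / MISSING line per listed file.
# Exit 0 only when every listed file is present with the expected size
# and SHA-256 digest; 1 on any discrepancy or an absent checksum block;
# 2 when sha256sum is not installed.
verify_changes_sha256() {
    changes=$1
    dir=${2:-.}
    status=0
    checked=0
    command -v sha256sum >/dev/null 2>&1 || {
        echo "sha256sum not found" >&2
        return 2
    }
    # The block consists of the indented lines that follow the field
    # name, up to the next unindented field (e.g. "Files:").
    while read -r want size name; do
        [ -n "$name" ] || continue
        checked=$((checked + 1))
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        bytes=$(wc -c < "$path" | tr -d ' ')
        if [ "$have" = "$want" ] && [ "$bytes" = "$size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (want $want/$size bytes, have $have/$bytes bytes)"
            status=1
        fi
    done <<EOF
$(awk '/^Checksums-Sha256:/ {f=1; next} f && /^ / {print; next} f {exit}' "$changes")
EOF
    if [ "$checked" -eq 0 ]; then
        echo "no Checksums-Sha256 block found in $changes" >&2
        status=1
    fi
    return $status
}
```

Size and digest are both compared because a .changes that lists a size which does not match the file is already a sign of a tampered or truncated upload, even before hashing.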





Owner recorded as pkg-wml-maintainers@lists.alioth.debian.org. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Sun, 07 Mar 2010 13:36:12 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jul 2011 07:34:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:19:06 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.