Debian Bug report logs - #559840
CVE-2009-3736 local privilege escalation


Package: sdcc; Maintainer for sdcc is Gudjon I. Gudjonsson <gudjon@gudjon.org>; Source for sdcc is src:sdcc.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:09:22 UTC

Severity: grave

Tags: security

Fixed in version sdcc/2.9.0-5

Done: gudjon@gudjon.org (Gudjon I. Gudjonsson)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, gudjon@gudjon.org (Gudjon I. Gudjonsson):
Bug#559840; Package sdcc. (Mon, 07 Dec 2009 05:09:25 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to gudjon@gudjon.org (Gudjon I. Gudjonsson). (Mon, 07 Dec 2009 05:09:25 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:08:03 -0500
Package: sdcc
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Information forwarded to debian-bugs-dist@lists.debian.org, gudjon@gudjon.org (Gudjon I. Gudjonsson):
Bug#559840; Package sdcc. (Sat, 12 Dec 2009 23:10:06 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to gudjon@gudjon.org (Gudjon I. Gudjonsson). (Sat, 12 Dec 2009 23:10:06 GMT)

Message #10 received at 559840@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike

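As an added example, not part of the bug report or of the sdcc package: a small POSIX shell check that pairs the `ldd` verification Mike describes with a second heuristic, whether the binary itself defines ltdl entry points such as `lt_dlopen` (a built-in copy would define them; a binary using the system libltdl only references them). Function names and the sample outputs are constructed for this illustration, and the symbol check is a heuristic, not proof.

```shell
#!/bin/sh
# Added example (not from the bug report): heuristic check of whether a
# built binary uses the system libltdl or still carries an embedded copy.
# Evidence 1: the dynamic loader resolves a libltdl.so.* dependency (ldd).
# Evidence 2: the binary does not itself define ltdl entry points; an
#             'nm' line such as "... T lt_dlopen" means the copy is built in.
# Function names here are constructed for this example.

# Reads ldd output on stdin; prints "system" when libltdl is a shared
# dependency, "none" otherwise (static binaries and embedded copies).
classify_ldd() {
    if grep -q 'libltdl\.so'; then
        echo system
    else
        echo none
    fi
}

# Reads nm output on stdin; prints "embedded" when lt_dlopen or lt_dlinit is
# defined (T) in the binary, "external" when only undefined (U) references or
# no ltdl symbols appear, and "unknown" when nm produced no symbol table at all
# (fully stripped binary), so the caller does not mistake silence for safety.
classify_nm() {
    out=$(cat)
    if [ -z "$out" ]; then
        echo unknown
        return 0
    fi
    if printf '%s\n' "$out" | grep -Eq '[[:space:]]T[[:space:]]+lt_dl(open|init)'; then
        echo embedded
    else
        echo external
    fi
}

# Combine both pieces of evidence for one binary; returns 1 when suspect.
check_binary() {
    bin="$1"
    deps=$(ldd "$bin" 2>/dev/null | classify_ldd)
    syms=$({ nm -D "$bin"; nm "$bin"; } 2>/dev/null | classify_nm)
    if [ "$deps" = system ] && [ "$syms" = external ]; then
        echo "$bin: OK (links system libltdl, no embedded ltdl symbols)"
        return 0
    fi
    echo "$bin: SUSPECT (ldd=$deps, nm=$syms); rebuild with --without-included-ltdl"
    return 1
}

# Usage: check_binary debian/sdcc/usr/bin/sdcc
```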



Reply sent to gudjon@gudjon.org (Gudjon I. Gudjonsson):
You have taken responsibility. (Sun, 10 Jan 2010 21:39:12 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 10 Jan 2010 21:39:12 GMT)

Message #15 received at 559840-close@bugs.debian.org:

From: gudjon@gudjon.org (Gudjon I. Gudjonsson)
To: 559840-close@bugs.debian.org
Subject: Bug#559840: fixed in sdcc 2.9.0-5
Date: Sun, 10 Jan 2010 21:33:21 +0000
Source: sdcc
Source-Version: 2.9.0-5

We believe that the bug you reported is fixed in the latest version of
sdcc, which is due to be installed in the Debian FTP archive:

sdcc-doc_2.9.0-5_all.deb
  to main/s/sdcc/sdcc-doc_2.9.0-5_all.deb
sdcc-libraries_2.9.0-5_all.deb
  to main/s/sdcc/sdcc-libraries_2.9.0-5_all.deb
sdcc-ucsim_2.9.0-5_i386.deb
  to main/s/sdcc/sdcc-ucsim_2.9.0-5_i386.deb
sdcc_2.9.0-5.diff.gz
  to main/s/sdcc/sdcc_2.9.0-5.diff.gz
sdcc_2.9.0-5.dsc
  to main/s/sdcc/sdcc_2.9.0-5.dsc
sdcc_2.9.0-5_i386.deb
  to main/s/sdcc/sdcc_2.9.0-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gudjon I. Gudjonsson <gudjon@gudjon.org> (supplier of updated sdcc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 09 Jan 2010 05:47:41 +0100
Source: sdcc
Binary: sdcc sdcc-libraries sdcc-ucsim sdcc-doc
Architecture: source i386 all
Version: 2.9.0-5
Distribution: unstable
Urgency: low
Maintainer: Gudjon I. Gudjonsson <gudjon@gudjon.org>
Changed-By: Gudjon I. Gudjonsson <gudjon@gudjon.org>
Description: 
 sdcc       - Small Device C Compiler
 sdcc-doc   - Small Device C Compiler (documentation)
 sdcc-libraries - Small Device C Compiler (libraries)
 sdcc-ucsim - Micro-controller simulator for SDCC
Closes: 559840 560520
Changes: 
 sdcc (2.9.0-5) unstable; urgency=low
 .
   * Add patch 03_fix_cmdlex to fix compilation (Closes: #560520)
   * Add patch 04_libtool_fix to fix CVE-2009-3736 local privilege escalation
     After patching, ltdl.c is equal to the ltdl.c file in libtool 2.2.6b
     (Closes: #559840)
   * Add README.source file





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Feb 2010 07:30:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 01:44:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.