Debian Bug report logs - #559843
CVE-2009-3736 local privilege escalation


Package: babel; Maintainer for babel is "Adam C. Powell, IV" <hazelsct@debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:12:05 UTC

Severity: grave

Tags: lenny, security

Fixed in version babel/1.4.0.dfsg-5

Done: hazelsct@debian.org (Adam C. Powell, IV)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, hazelsct@debian.org (Adam C. Powell, IV):
Bug#559843; Package babel. (Mon, 07 Dec 2009 05:12:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to hazelsct@debian.org (Adam C. Powell, IV). (Mon, 07 Dec 2009 05:12:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:09:08 -0500
Package: babel
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Reply sent to hazelsct@debian.org (Adam C. Powell, IV):
You have taken responsibility. (Tue, 08 Dec 2009 04:51:04 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 08 Dec 2009 04:51:04 GMT) Full text and rfc822 format available.

Message #10 received at 559843-close@bugs.debian.org (full text, mbox):

From: hazelsct@debian.org (Adam C. Powell, IV)
To: 559843-close@bugs.debian.org
Subject: Bug#559843: fixed in babel 1.4.0.dfsg-5
Date: Tue, 08 Dec 2009 04:47:45 +0000
Source: babel
Source-Version: 1.4.0.dfsg-5

We believe that the bug you reported is fixed in the latest version of
babel, which is due to be installed in the Debian FTP archive:

babel-1.4.0_1.4.0.dfsg-5_all.deb
  to main/b/babel/babel-1.4.0_1.4.0.dfsg-5_all.deb
babel-doc_1.4.0.dfsg-5_all.deb
  to main/b/babel/babel-doc_1.4.0.dfsg-5_all.deb
babel_1.4.0.dfsg-5.diff.gz
  to main/b/babel/babel_1.4.0.dfsg-5.diff.gz
babel_1.4.0.dfsg-5.dsc
  to main/b/babel/babel_1.4.0.dfsg-5.dsc
libsidl-1.4.0_1.4.0.dfsg-5_amd64.deb
  to main/b/babel/libsidl-1.4.0_1.4.0.dfsg-5_amd64.deb
libsidl-dev_1.4.0.dfsg-5_amd64.deb
  to main/b/babel/libsidl-dev_1.4.0.dfsg-5_amd64.deb
libsidl1.4.0-java_1.4.0.dfsg-5_all.deb
  to main/b/babel/libsidl1.4.0-java_1.4.0.dfsg-5_all.deb
python-sidl_1.4.0.dfsg-5_amd64.deb
  to main/b/babel/python-sidl_1.4.0.dfsg-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam C. Powell, IV <hazelsct@debian.org> (supplier of updated babel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Dec 2009 18:29:06 -0500
Source: babel
Binary: babel-1.4.0 libsidl1.4.0-java python-sidl libsidl-dev libsidl-1.4.0 babel-doc
Architecture: source all amd64
Version: 1.4.0.dfsg-5
Distribution: unstable
Urgency: low
Maintainer: Adam C. Powell, IV <hazelsct@debian.org>
Changed-By: Adam C. Powell, IV <hazelsct@debian.org>
Description: 
 babel-1.4.0 - Scientific Interface Definition Language (SIDL) compiler
 babel-doc  - Scientific Interface Definition Language (SIDL) suite documentati
 libsidl-1.4.0 - Scientific Interface Definition Language (SIDL) C(++)/FORTRAN run
 libsidl-dev - Scientific Interface Definition Language (SIDL) C(++)/FORTRAN run
 libsidl1.4.0-java - Scientific Interface Definition Language (SIDL) Java runtime
 python-sidl - Scientific Interface Definition Language (SIDL) Python runtime
Closes: 559843
Changes: 
 babel (1.4.0.dfsg-5) unstable; urgency=low
 .
   * Include libtool in Build-Depends and libtoolize (closes: #559843).
   * Added README.source file.
   * Bumped Standards-Version.
Checksums-Sha1: 
 d23e5d955534ceaa22dc12c0a8c4da2a64940aa9 1436 babel_1.4.0.dfsg-5.dsc
 0c5383014f2588cf0e726052378ccb57234f249d 17564 babel_1.4.0.dfsg-5.diff.gz
 7401bf3dbbbf29eee894fef4fa8def895cf9b48e 1239852 babel-1.4.0_1.4.0.dfsg-5_all.deb
 98889014271b20f6404baccfa0d34fea60144bae 2006588 libsidl1.4.0-java_1.4.0.dfsg-5_all.deb
 d1ed84c091df5e69047c116e721bd35025fa6302 1021906 babel-doc_1.4.0.dfsg-5_all.deb
 c4a173d2b866ed78a8ef7bf3cf6bf99a18e92607 3141888 python-sidl_1.4.0.dfsg-5_amd64.deb
 6dec21da632a7681e2766ee4b9a5b0e6b268eddb 6888124 libsidl-dev_1.4.0.dfsg-5_amd64.deb
 071c0b93e009c1e81e9cd470d8c3bc08887930c2 3853476 libsidl-1.4.0_1.4.0.dfsg-5_amd64.deb
Checksums-Sha256: 
 103a1cfe2ace4d34f11dc111901faca7790bac0c21ccd3017576ca4677a22a8b 1436 babel_1.4.0.dfsg-5.dsc
 7be2ed8ad9d820a3279ffd685f8b1b57398872ec027768790657520575d1fe72 17564 babel_1.4.0.dfsg-5.diff.gz
 bb187993193f842d40f8c49d5eff221ece06074c555c993bf977ac76f4090281 1239852 babel-1.4.0_1.4.0.dfsg-5_all.deb
 16a7bbb7040dedae20209a302a57da054b353a5749a482e20a4371875cca3bed 2006588 libsidl1.4.0-java_1.4.0.dfsg-5_all.deb
 c6ba589148950aed7dfb3ca98967782b44ff20549de71563b469de3340047e1f 1021906 babel-doc_1.4.0.dfsg-5_all.deb
 65bf7da15dc999795c949a77272bad539a17699d2bd0c7c410d80ded2ded3487 3141888 python-sidl_1.4.0.dfsg-5_amd64.deb
 26e5d86fb277b864de9aa5c49e33b4ed64c35ee108486ac4d154845be5d02838 6888124 libsidl-dev_1.4.0.dfsg-5_amd64.deb
 039f145aa0c18423f652cebe4403f6cdda2cb5eb904607afb8dfb967c321a5b5 3853476 libsidl-1.4.0_1.4.0.dfsg-5_amd64.deb
Files: 
 2dbbbd19608ca46bc0b90499c9bcea43 1436 devel extra babel_1.4.0.dfsg-5.dsc
 9ecc3f8dbc6f0d30353b67cf2ef47ada 17564 devel extra babel_1.4.0.dfsg-5.diff.gz
 efb68f8056e9ddf85eb7ca4c7152abc6 1239852 devel extra babel-1.4.0_1.4.0.dfsg-5_all.deb
 eee630537317703e7e92a93267d24322 2006588 java extra libsidl1.4.0-java_1.4.0.dfsg-5_all.deb
 723940f855b055ae34f3c1c639708622 1021906 doc extra babel-doc_1.4.0.dfsg-5_all.deb
 12d5bdb04f76e0c20abc61f67ecf6f8b 3141888 python extra python-sidl_1.4.0.dfsg-5_amd64.deb
 fbb096b88042f0547cc140c65eb7b453 6888124 libdevel extra libsidl-dev_1.4.0.dfsg-5_amd64.deb
 4a86e54e5d5a94befbde31f802210173 3853476 libs extra libsidl-1.4.0_1.4.0.dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksdo2AACgkQUm8B6FZO5LZKXQCfcVqYx7cmmjstoNGUB+yK4gg3
4SwAnjQCCQPMK6MRD5bZU12yZ/b9OYlm
=ml/k
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, hazelsct@debian.org (Adam C. Powell, IV):
Bug#559843; Package babel. (Sat, 12 Dec 2009 23:10:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to hazelsct@debian.org (Adam C. Powell, IV). (Sat, 12 Dec 2009 23:10:11 GMT) Full text and rfc822 format available.

Message #15 received at 559843@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, hazelsct@debian.org (Adam C. Powell, IV):
Bug#559843; Package babel. (Tue, 15 Dec 2009 18:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Adam C Powell IV <hazelsct@debian.org>:
Extra info received and forwarded to list. Copy sent to hazelsct@debian.org (Adam C. Powell, IV). (Tue, 15 Dec 2009 18:54:03 GMT) Full text and rfc822 format available.

Message #20 received at 559843@bugs.debian.org (full text, mbox):

From: Adam C Powell IV <hazelsct@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 559834@bugs.debian.org, 559843@bugs.debian.org
Subject: Re: Bug#559843: CVE-2009-3736 update
Date: Tue, 15 Dec 2009 13:46:57 -0500
Hello Michael,

FYI, for Babel and Hypre (559834 and 559843), I noticed before uploading
that the fixed ltdl.c and .h weren't automatically included.  For that
reason, babel uses libtoolize --force, and I verified that the new
sources were there in the build tree.  For hypre I had to actually copy
in ltdl.c and .h to the build tree in debian/rules, because it doesn't
use a standard autoconf system.

Rest assured both bugs are thoroughly dead in unstable.  I'll open new
bugs for stable and oldstable.

BTW, on mips (and no other platform) something is wrong causing babel to
FTBFS: it reports a version mismatch between libtool 2.2.6a-4 and
LT_INIT from 2.2.6b.  Are libtool and libltdl-dev out of sync on mips
(or were they two days ago)?

Thanks for following up on this.

-Adam

On Sat, 2009-12-12 at 18:07 -0500, Michael Gilbert wrote:
> Hi all,
> 
> It has come to my attention that a lot of maintainers are simply adding
> a build-depends on libltdl3-dev to try to solve this problem.  This is
> not a sufficient solution since your package will still use the
> embedded libtool code copy.  You need to add '--without-included-ltdl'
> to your configure arguments to do this right.
> 
> A verification, but not really a sufficient proof, is that 
> 'ldd <your binaries>' shows that the system libtool is being used.
> 
> On another note, if your package is affected in either stable or
> oldstable, it also must be fixed.  The security team has determined
> that this issue is not sufficiently severe to warrant DSAs for the
> embedding packages, so instead, you should coordinate a proposed-update
> with the release team.
> 
> Once you have fixed the problem in unstable (or even before that if
> you desire), please open new bugs for stable/oldstable to track the
> problem there (if your package is affected).
> 
> Thank you for working on this issue.
> 
> Mike
-- 
GPG fingerprint: D54D 1AEE B11C CE9B A02B  C5DD 526F 01E8 564E E4B6

Engineering consulting with open source tools
http://www.opennovation.com/
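The two messages above describe the same maintainer-side check from both ends: Michael's note that a Build-Depends on libltdl alone is not enough unless configure is passed '--without-included-ltdl' (with 'ldd' on the built binaries as a rough confirmation), and Adam's reply that the alternative is to refresh the embedded copy in the build tree (libtoolize --force) and verify the new sources landed there. The POSIX sh script below is an added example, not code from the bug log or from the babel or hypre packaging; it constructs a throwaway sample source tree (the paths, the debian/rules contents and the ldd output are all made up for the demonstration) and runs the checks a maintainer would want before uploading.

```shell
#!/bin/sh
# Added example (not from the bug log): defender-side checks for an embedded
# libltdl code copy, following the advice in the CVE-2009-3736 thread.

# List every embedded ltdl.c / ltdl.h below a source tree. A hit means the
# package carries its own copy of libltdl and may build it in.
find_embedded_ltdl() {
    find "$1" -type f \( -name ltdl.c -o -name ltdl.h \) 2>/dev/null | sort
}

# Return 0 if debian/rules passes --without-included-ltdl to configure,
# which makes the build ignore the embedded copy and use the system library.
rules_use_system_ltdl() {
    grep -q -- '--without-included-ltdl' "$1/debian/rules" 2>/dev/null
}

# Combined verdict for one source tree: 0 = safe (no copy, or copy is
# bypassed), 1 = the embedded copy will be compiled in.
check_source_tree() {
    copies=$(find_embedded_ltdl "$1")
    if [ -z "$copies" ]; then
        echo "$1: no embedded libltdl copy"
        return 0
    fi
    echo "$1: embedded libltdl copy found:"
    echo "$copies" | sed 's/^/  /'
    if rules_use_system_ltdl "$1"; then
        echo "$1: configure gets --without-included-ltdl, system libltdl is used"
        return 0
    fi
    echo "$1: WARNING: copy will be built in; pass --without-included-ltdl"
    echo "$1:          or refresh it with libtoolize --force and re-check"
    return 1
}

# Read 'ldd <binary>' output on stdin; return 0 if a system libltdl shared
# object is linked. As the thread says, this confirms but does not prove.
ldd_links_system_ltdl() {
    grep -q 'libltdl\.so' 
}

# Constructed ldd output (not captured from any real binary) for the demo.
SAMPLE_LDD_SYSTEM='	libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f0000000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_LDD_STATIC='	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'

# Build a throwaway sample tree with two constructed packages:
#   embedded/  ships libltdl/ltdl.[ch] and configures without the flag
#   fixed/     ships the same copy but passes --without-included-ltdl
# Prints the temporary directory; caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    for p in embedded fixed; do
        mkdir -p "$d/$p/libltdl" "$d/$p/debian"
        : > "$d/$p/libltdl/ltdl.c"
        : > "$d/$p/libltdl/ltdl.h"
    done
    printf '%s\n' '#!/usr/bin/make -f' 'configure:' \
        '	./configure --prefix=/usr' > "$d/embedded/debian/rules"
    printf '%s\n' '#!/usr/bin/make -f' 'configure:' \
        '	./configure --prefix=/usr --without-included-ltdl' > "$d/fixed/debian/rules"
    printf '%s\n' "$d"
}

# Stand-alone use: ./check_ltdl.sh /path/to/unpacked/source
# and, after the build:  ldd debian/tmp/usr/bin/prog | ldd_links_system_ltdl
if [ $# -gt 0 ]; then
    check_source_tree "$1"
fi
```

The file-name scan cannot tell a fixed 2.2.6b copy from a vulnerable one, which is why the script reports the copy and leaves the "refreshed with libtoolize --force" case to the maintainer's own inspection of the build tree, exactly as Adam did; the configure-flag check and the ldd check are the mechanical parts.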

Information forwarded to debian-bugs-dist@lists.debian.org, hazelsct@debian.org ("Adam C. Powell, IV"):
Bug#559843; Package babel. (Sat, 19 Feb 2011 22:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to hazelsct@debian.org ("Adam C. Powell, IV"). (Sat, 19 Feb 2011 22:57:08 GMT) Full text and rfc822 format available.

Message #25 received at 559843@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 559843@bugs.debian.org
Subject: Re: Bug#559843: CVE-2009-3736 local privilege escalation
Date: Sat, 19 Feb 2011 22:54:53 +0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)

Please arrange to backport your fix and liaise with the release team for
permission to upload. I will happily assist you if the patch is
straightforward and you need help or lack time.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Mar 2011 07:39:55 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Fri, 02 Sep 2011 23:27:03 GMT) Full text and rfc822 format available.

Added tag(s) lenny. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Fri, 02 Sep 2011 23:27:04 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Oct 2011 07:36:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 15:37:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.