On Mon, Dec 07, 2009 at 12:11:07AM -0500, Michael Gilbert wrote: > Package: heartbeat > Severity: grave > Tags: security > > Hi, > > The following CVE (Common Vulnerabilities & Exposures) id was > published for libtool. I see that heartbeat in unstable no longer > embeds libtool, but it appears that etch and lenny still have it. I am > not sure if it is actually used in the binary packages though. Please > check. If those packages are not affected, please close the bug. > > CVE-2009-3736[0]: > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, > | attempts to open a .la file in the current working directory, which > | allows local users to gain privileges via a Trojan horse file. > > Note that this problem also affects etch and lenny, so if your package > is affected, please coordinate with the security team to release the > DSA for the affected packages. > > If you fix the vulnerability please also make sure to include the > CVE id in your changelog entry. > > For further information see: > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736 > http://security-tracker.debian.org/tracker/CVE-2009-3736
Hi, Thanks for bringing this to my attention. First, for clarification, I believe the relevant packages that are potentially affected are: Etch (oldstable): heartbeat 1.2.5-3, heartbeat-2 2.0.7-2 Lenny (stable): heartbeat 2.1.3-6lenny4 Squeeze (testing): heartbeat 2.1.4-7 Sid (unstable): heartbeat 2.1.4-7 Experimental: heartbeat 2.99.2+sles11r9-1 With reference to https://bugzilla.redhat.com/show_bug.cgi?id=537941, which seems to be the most comprehensive source of information on this topic from a coding point of view, I have noted the following: * In the Etch, Lenny, Sqeeze and Sid versions of heartbeat (and heartbeat-2) .la files are only provided in -dev packages, which I suspect would not ordinarily be installed. I am unsure of the status of this with regards to the Experimental version. * In the Etch version the only place that lt_dlopen*() appears to be called is inside the PILS library. And in a somewhat verbose way PILS ensures that the argument passed to lt_dlopen() is an absolute path which begins with /usr/lib/heartbeat/plugins (PLUGIN_DIR, set at compile time). I will verify this in the other versions. Probably tomorrow. With the latter point in mind I am suspecting that heartbeat (and heartbeat-2) is not vulnerable to this problem. I would greatly appreciate other opinions on this. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
