On Mon, Dec 07, 2009 at 11:12:32PM +1100, Simon Horman wrote:
> On Mon, Dec 07, 2009 at 12:11:07AM -0500, Michael Gilbert wrote:
> > Package: heartbeat
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I see that heartbeat in unstable no longer
> > embeds libtool, but it appears that etch and lenny still have it. I am
> > not sure if it is actually used in the binary packages though. Please
> > check. If those packages are not affected, please close the bug.
> >
> > CVE-2009-3736[0]:
> > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > | attempts to open a .la file in the current working directory, which
> > | allows local users to gain privileges via a Trojan horse file.
> >
> > Note that this problem also affects etch and lenny, so if your package
> > is affected, please coordinate with the security team to release the
> > DSA for the affected packages.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
> > http://security-tracker.debian.org/tracker/CVE-2009-3736
>
> Hi,
>
> Thanks for bringing this to my attention.
>
> First, for clarification, I believe the relevant packages that are potentially
> affected are:
>
> Etch (oldstable): heartbeat 1.2.5-3, heartbeat-2 2.0.7-2
Etch-backports: 2.1.3-6~bpo40+2
> Lenny (stable): heartbeat 2.1.3-6lenny4
Lenny-backports: 2.1.4-7~bpo50+1
> Squeeze (testing): heartbeat 2.1.4-7
> Sid (unstable): heartbeat 2.1.4-7
> Experimental: heartbeat 2.99.2+sles11r9-1
>
>
> With reference to https://bugzilla.redhat.com/show_bug.cgi?id=537941,
> which seems to be the most comprehensive source of information on this topic
> from a coding point of view, I have noted the following:
>
> * In the Etch, Lenny, Sqeeze and Sid versions of heartbeat
> (and heartbeat-2) .la files are only provided in -dev packages,
> which I suspect would not ordinarily be installed.
>
> I am unsure of the status of this with regards to the Experimental version.
>
> * In the Etch version the only place that lt_dlopen*() appears to be called
> is inside the PILS library. And in a somewhat verbose way PILS ensures
> that the argument passed to lt_dlopen() is an absolute path which begins
> with /usr/lib/heartbeat/plugins (PLUGIN_DIR, set at compile time).
>
> I will verify this in the other versions. Probably tomorrow.
The Etch, Etch-backports, Lenny and Lenny-backports versions
seem to share the property that lt_dlopen is always
passed a fully qualified path, and its always under
the somewhat secure directory /usr/lib/heartbeat
* The Squeeze, Sid and Experimental versions do not use
their own ltdl.
> With the latter point in mind I am suspecting that heartbeat
> (and heartbeat-2) is not vulnerable to this problem. I would
> greatly appreciate other opinions on this.
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
