Your message dated Tue, 08 Dec 2009 15:39:17 +0000
with message-id <e1ni29l-0006vl...@ries.debian.org>
and subject line Bug#559836: fixed in openmpi 1.3.3-4
has caused the Debian Bug report #559836,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openmpi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Source: openmpi
Source-Version: 1.3.3-4

We believe that the bug you reported is fixed in the latest version of
openmpi, which is due to be installed in the Debian FTP archive:

libopenmpi-dbg_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi-dbg_1.3.3-4_amd64.deb
libopenmpi-dev_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi-dev_1.3.3-4_amd64.deb
libopenmpi1.3_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi1.3_1.3.3-4_amd64.deb
openmpi-bin_1.3.3-4_amd64.deb
  to main/o/openmpi/openmpi-bin_1.3.3-4_amd64.deb
openmpi-checkpoint_1.3.3-4_amd64.deb
  to main/o/openmpi/openmpi-checkpoint_1.3.3-4_amd64.deb
openmpi-common_1.3.3-4_all.deb
  to main/o/openmpi/openmpi-common_1.3.3-4_all.deb
openmpi-doc_1.3.3-4_all.deb
  to main/o/openmpi/openmpi-doc_1.3.3-4_all.deb
openmpi_1.3.3-4.diff.gz
  to main/o/openmpi/openmpi_1.3.3-4.diff.gz
openmpi_1.3.3-4.dsc
  to main/o/openmpi/openmpi_1.3.3-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manuel Prinz <man...@debian.org> (supplier of updated openmpi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Dec 2009 00:58:02 +0100
Source: openmpi
Binary: openmpi-bin libopenmpi-dev libopenmpi1.3 openmpi-common openmpi-doc libopenmpi-dbg openmpi-checkpoint
Architecture: source amd64 all
Version: 1.3.3-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenMPI Maintainers <pkg-openmpi-maintain...@lists.alioth.debian.org>
Changed-By: Manuel Prinz <man...@debian.org>
Description: 
 libopenmpi-dbg - high performance message passing library -- debug library
 libopenmpi-dev - high performance message passing library -- header files
 libopenmpi1.3 - high performance message passing library -- shared library
 openmpi-bin - high performance message passing library -- binaries
 openmpi-checkpoint - high performance message passing library -- checkpoint support
 openmpi-common - high performance message passing library -- common files
 openmpi-doc - high performance message passing library -- man pages
Closes: 559836
Changes: 
 openmpi (1.3.3-4) unstable; urgency=medium
 .
   * Fixed security issue in copy of libtool, see CVE-2009-3736.
     Closes: #559836.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkseYacACgkQ8WlhyMyNeVcvbgCfVnWBg+6KeqJpJclsNtmWg12p
lJIAoJ106piZbcXI9ZkxdBKb8XTCozff
=CmNn
-----END PGP SIGNATURE-----



--- End Message ---
