Your message dated Thu, 10 Dec 2009 21:51:33 +0000
with message-id <e1niqv7-0000m0...@ries.debian.org>
and subject line Bug#559811: fixed in graphicsmagick 1.3.5-6
has caused the Debian Bug report #559811,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559811: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559811
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: graphicsmagick
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Source: graphicsmagick
Source-Version: 1.3.5-6

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/graphicsmagick-dbg_1.3.5-6_amd64.deb
graphicsmagick-imagemagick-compat_1.3.5-6_all.deb
  to main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.3.5-6_all.deb
graphicsmagick-libmagick-dev-compat_1.3.5-6_all.deb
  to main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.3.5-6_all.deb
graphicsmagick_1.3.5-6.diff.gz
  to main/g/graphicsmagick/graphicsmagick_1.3.5-6.diff.gz
graphicsmagick_1.3.5-6.dsc
  to main/g/graphicsmagick/graphicsmagick_1.3.5-6.dsc
graphicsmagick_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/graphicsmagick_1.3.5-6_amd64.deb
libgraphics-magick-perl_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/libgraphics-magick-perl_1.3.5-6_amd64.deb
libgraphicsmagick++1-dev_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/libgraphicsmagick++1-dev_1.3.5-6_amd64.deb
libgraphicsmagick++3_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/libgraphicsmagick++3_1.3.5-6_amd64.deb
libgraphicsmagick1-dev_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/libgraphicsmagick1-dev_1.3.5-6_amd64.deb
libgraphicsmagick3_1.3.5-6_amd64.deb
  to main/g/graphicsmagick/libgraphicsmagick3_1.3.5-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kob...@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Dec 2009 22:00:16 +0100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.5-6
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kob...@debian.org>
Changed-By: Daniel Kobras <kob...@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 533410 559811
Changes: 
 graphicsmagick (1.3.5-6) unstable; urgency=high
 .
   * debian/control: Build-depend on libltdl-dev to link with system-wide
     library. Avoid security bug in included convenience copy. (CVE-2009-3736)
     Closes: #559811
   * debian/control: Include libltdl-dev as a dependency to
     libgraphicsmagick3-dev.
   * debian/libgraphicsmagick3.symbols: Remove ltdl symbols that now get
     pulled in via a library dependency. Closes: #533410

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkshZ3AACgkQpOKIA4m/fiuCLgCgyVf8LVzPnvwcrEEZvAoUbVcA
4kgAn3We7I7bq32FKcUXpVS/8PCBkT0J
=xHrJ
-----END PGP SIGNATURE-----



--- End Message ---
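
An added example (not part of the original messages or of the Debian package): the changelog's removal of ltdl symbols from debian/libgraphicsmagick3.symbols points to one way of answering the reporter's question of whether a binary package carries the embedded libltdl copy. This Python sketch scans a dpkg-gensymbols file for ltdl-looking exports; the sample file contents and the `lt_dl`/`lt__` prefix heuristic are assumptions.

```python
import re

# Constructed sample in dpkg-gensymbols format (not the real package file).
SAMPLE_SYMBOLS = """\
libGraphicsMagick.so.3 libgraphicsmagick3 #MINVER#
 AcquireImagePixels@Base 1.3.5
 ReadImage@Base 1.3.5
 lt_dlopen@Base 1.3.5
 lt_dlopenext@Base 1.3.5
 lt_dlsym@Base 1.3.5
libGraphicsMagickWand.so.2 libgraphicsmagick3 #MINVER#
 MagickReadImage@Base 1.3.5
"""

# Assumption: libltdl's public entry points start with "lt_dl" and its
# internal 2.x helpers with "lt__"; this is a heuristic, not a full list.
LTDL_SYMBOL = re.compile(r"^(lt_dl|lt__)")


def embedded_ltdl_symbols(symbols_text):
    """Map each library soname to the ltdl-looking symbols it exports itself."""
    findings = {}
    soname = None
    for line in symbols_text.splitlines():
        # Skip blanks, comments/includes, meta fields and alternative deps.
        if not line.strip() or line.startswith(("#", "*", "|")):
            continue
        if not line[0].isspace():
            # Header line: "<soname> <package> [dependency template]"
            soname = line.split()[0]
            continue
        if soname is None or soname.startswith("libltdl.so"):
            continue  # the system libltdl exporting these symbols is expected
        # Symbol line: " [(tags)]symbol@version minimal-version"
        entry = re.sub(r"^\([^)]*\)", "", line.strip())
        name = entry.split()[0].split("@", 1)[0]
        if LTDL_SYMBOL.match(name):
            findings.setdefault(soname, []).append(name)
    return findings


if __name__ == "__main__":
    for lib, names in embedded_ltdl_symbols(SAMPLE_SYMBOLS).items():
        print(f"{lib} exports ltdl symbols itself: {', '.join(names)}")
```

A non-empty result means the library exports the loader's symbols from its own build, which is the situation the upload changes by linking against the system-wide libltdl.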
