On Tue, Dec 08, 2009 at 10:41:20AM +1100, Simon Horman wrote:
> On Mon, Dec 07, 2009 at 11:12:32PM +1100, Simon Horman wrote:
> > On Mon, Dec 07, 2009 at 12:11:07AM -0500, Michael Gilbert wrote:
> > > Package: heartbeat
> > > Severity: grave
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > published for libtool. I see that heartbeat in unstable no longer
> > > embeds libtool, but it appears that etch and lenny still have it. I am
> > > not sure if it is actually used in the binary packages though. Please
> > > check. If those packages are not affected, please close the bug.
> > >
> > > CVE-2009-3736[0]:
> > > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > > | attempts to open a .la file in the current working directory, which
> > > | allows local users to gain privileges via a Trojan horse file.
> > >
> > > Note that this problem also affects etch and lenny, so if your package
> > > is affected, please coordinate with the security team to release the
> > > DSA for the affected packages.
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
> > >     http://security-tracker.debian.org/tracker/CVE-2009-3736
> >
> > Hi,
> >
> > Thanks for bringing this to my attention.
> >
> > First, for clarification, I believe the relevant packages that are potentially
> > affected are:
> >
> > Etch (oldstable): heartbeat 1.2.5-3, heartbeat-2 2.0.7-2
> Etch-backports: 2.1.3-6~bpo40+2
> > Lenny (stable): heartbeat 2.1.3-6lenny4
> Lenny-backports: 2.1.4-7~bpo50+1
> > Squeeze (testing): heartbeat 2.1.4-7
> > Sid (unstable): heartbeat 2.1.4-7
> > Experimental: heartbeat 2.99.2+sles11r9-1
> >
> >
> > With reference to https://bugzilla.redhat.com/show_bug.cgi?id=537941,
> > which seems to be the most comprehensive source of information on this topic
> > from a coding point of view, I have noted the following:
> >
> > * In the Etch, Lenny, Squeeze and Sid versions of heartbeat
> >   (and heartbeat-2) .la files are only provided in -dev packages,
> >   which I suspect would not ordinarily be installed.
> >
> >   I am unsure of the status of this with regards to the Experimental
> >   version.
> >
> > * In the Etch version the only place that lt_dlopen*() appears to be called
> >   is inside the PILS library. And in a somewhat verbose way PILS ensures
> >   that the argument passed to lt_dlopen() is an absolute path which begins
> >   with /usr/lib/heartbeat/plugins (PLUGIN_DIR, set at compile time).
> >
> >   I will verify this in the other versions. Probably tomorrow.
>
> The Etch, Etch-backports, Lenny and Lenny-backports versions
> seem to share the property that lt_dlopen is always
> passed a fully qualified path, and it's always under
> the somewhat secure directory /usr/lib/heartbeat
>
> * The Squeeze, Sid and Experimental versions do not use
>   their own ltdl.
>
> > With the latter point in mind I am suspecting that heartbeat
> > (and heartbeat-2) is not vulnerable to this problem. I would
> > greatly appreciate other opinions on this.
Ping: Any comment on this analysis?