Your message dated Sun, 27 Dec 2009 15:21:11 +0000
with message-id <e1nouvf-0001hl...@ries.debian.org>
and subject line Bug#559819: fixed in libextractor 0.5.23+dfsg-4
has caused the Debian Bug report #559819,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
559819: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559819
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libextractor
Severity: grave
Tags: security
Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
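
Added example, not part of the original report and not code from libextractor, libtool or Debian: one way to run the check the report asks for on an unpacked source tree, by locating embedded copies of ltdl.c and comparing the bundled libtool version with the range quoted from CVE-2009-3736. The function names, the sample trees and the assumption that an ltmain.sh with a VERSION= line sits next to ltdl.c are illustrative.

```python
import os
import re
import tempfile

# Assumption: an embedded libltdl ships ltmain.sh beside ltdl.c with a VERSION= line.
VERSION_RE = re.compile(r'^VERSION="?([0-9][0-9A-Za-z.]*)', re.M)
LTMAIN_CANDIDATES = ("ltmain.sh", os.path.join("config", "ltmain.sh"),
                     os.path.join(os.pardir, "ltmain.sh"))

def classify(version):
    """Map a libtool version onto the range quoted from CVE-2009-3736."""
    if version is None:
        return "unknown"            # copy found, version needs manual review
    if re.fullmatch(r"1\.5(\.\d+)*[a-z]?", version):
        return "affected"           # "1.5.x"
    if version in ("2.2.6", "2.2.6a"):
        return "affected"           # "2.2.6 before 2.2.6b"
    return "not-listed"             # outside the range the CVE text names

def libtool_version(ltdl_dir):
    """Read the libtool version from an ltmain.sh near the embedded ltdl.c."""
    for rel in LTMAIN_CANDIDATES:
        path = os.path.join(ltdl_dir, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            if match:
                return match.group(1)
    return None

def scan(tree):
    """Return (directory, version, verdict) for every embedded ltdl.c."""
    findings = []
    for root, _dirs, files in os.walk(tree):
        if "ltdl.c" in files:
            version = libtool_version(root)
            findings.append((os.path.relpath(root, tree), version, classify(version)))
    return sorted(findings)

def demo():
    """Scan three constructed source trees (not real package contents)."""
    samples = {"pkg-a/libltdl": 'VERSION="1.5.26 Debian 1.5.26-4"\n',
               "pkg-b/libltdl": "VERSION=2.2.6b\n", "pkg-c/libltdl": None}
    with tempfile.TemporaryDirectory() as base:
        for rel, ltmain in samples.items():
            os.makedirs(os.path.join(base, rel))
            open(os.path.join(base, rel, "ltdl.c"), "w").close()
            if ltmain:
                with open(os.path.join(base, rel, "ltmain.sh"), "w") as fh:
                    fh.write(ltmain)
        return scan(base)

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

A hit only shows that the source embeds libltdl; whether that copy is compiled into a binary package, which is the question the report leaves to the maintainer, still has to be checked against the build.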
--- Begin Message ---
Source: libextractor
Source-Version: 0.5.23+dfsg-4
We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive:

extract_0.5.23+dfsg-4_i386.deb
  to main/libe/libextractor/extract_0.5.23+dfsg-4_i386.deb
libextractor-dbg_0.5.23+dfsg-4_i386.deb
  to main/libe/libextractor/libextractor-dbg_0.5.23+dfsg-4_i386.deb
libextractor-dev_0.5.23+dfsg-4_i386.deb
  to main/libe/libextractor/libextractor-dev_0.5.23+dfsg-4_i386.deb
libextractor-plugins_0.5.23+dfsg-4_i386.deb
  to main/libe/libextractor/libextractor-plugins_0.5.23+dfsg-4_i386.deb
libextractor1c2a_0.5.23+dfsg-4_i386.deb
  to main/libe/libextractor/libextractor1c2a_0.5.23+dfsg-4_i386.deb
libextractor_0.5.23+dfsg-4.diff.gz
  to main/libe/libextractor/libextractor_0.5.23+dfsg-4.diff.gz
libextractor_0.5.23+dfsg-4.dsc
  to main/libe/libextractor/libextractor_0.5.23+dfsg-4.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <dan...@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 27 Dec 2009 14:44:18 +0100
Source: libextractor
Binary: libextractor1c2a libextractor-plugins libextractor-dbg libextractor-dev extract
Architecture: source i386
Version: 0.5.23+dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Debian GNUnet Maintainers <gnu...@lists.debian-maintainers.org>
Changed-By: Daniel Baumann <dan...@debian.org>
Description:
 extract - displays meta-data from files of arbitrary type
 libextractor-dbg - extracts meta-data from files of arbitrary type (debug)
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor-plugins - extracts meta-data from files of arbitrary type (plugins)
 libextractor1c2a - extracts meta-data from files of arbitrary type (library)
Closes: 559819
Changes:
 libextractor (0.5.23+dfsg-4) unstable; urgency=low
 .
   * Adding explicit debian source version 1.0 until switch to 3.0.
   * Adding patch from Vincent Danen <vda...@redhat.com> to fix flaw in
     embedded libtool [CVE-2009-3736] (Closes: #559819).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks3ZSoACgkQ+C5cwEsrK55srgCffzhOpUTJKI+0594Su0WLjY7R
Rq8AnjwNzj9KXuh1eJ3kAd6rGWiYoG+k
=FRGE
-----END PGP SIGNATURE-----
--- End Message ---