Your message dated Sun, 03 Jan 2010 02:14:55 +0000
with message-id <e1nrfzb-0003v3...@ries.debian.org>
and subject line Bug#559797: fixed in libtool 1.5.26-4+lenny1
has caused the Debian Bug report #559797,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libtool
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so please
coordinate with the security team to release a DSA.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Source: libtool
Source-Version: 1.5.26-4+lenny1

We believe that the bug you reported is fixed in the latest version of
libtool, which is due to be installed in the Debian FTP archive:

libltdl3-dev_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libltdl3-dev_1.5.26-4+lenny1_i386.deb
libltdl3_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libltdl3_1.5.26-4+lenny1_i386.deb
libtool-doc_1.5.26-4+lenny1_all.deb
  to main/libt/libtool/libtool-doc_1.5.26-4+lenny1_all.deb
libtool_1.5.26-4+lenny1.diff.gz
  to main/libt/libtool/libtool_1.5.26-4+lenny1.diff.gz
libtool_1.5.26-4+lenny1.dsc
  to main/libt/libtool/libtool_1.5.26-4+lenny1.dsc
libtool_1.5.26-4+lenny1_i386.deb
  to main/libt/libtool/libtool_1.5.26-4+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <michael.s.gilb...@gmail.com> (supplier of updated libtool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Dec 2009 14:33:54 -0500
Source: libtool
Binary: libtool libtool-doc libltdl3 libltdl3-dev
Architecture: source all i386
Version: 1.5.26-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Kurt Roeckx <k...@roeckx.be>
Changed-By: Michael Gilbert <michael.s.gilb...@gmail.com>
Description: 
 libltdl3   - A system independent dlopen wrapper for GNU libtool
 libltdl3-dev - A system independent dlopen wrapper for GNU libtool
 libtool    - Generic library support script
 libtool-doc - Generic library support script
Closes: 559797
Changes: 
 libtool (1.5.26-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fixes local privilege escalation vulnerability: CVE-2009-3736
     (closes: #559797).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksobN0ACgkQYy49rUbZzlrTugCeLgKAPdLiPg27uCuMgcJPsIR6
mUQAnjjX50JQum/uJjGDwNcwM3zD2q5W
=URzy
-----END PGP SIGNATURE-----



--- End Message ---
