Your message dated Sun, 13 Dec 2009 12:13:38 +0100
with message-id <[email protected]>
and subject line 
has caused the Debian Bug report #559842,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd-dfsg
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
--- Begin Message ---
Package: proftpd-dfsg
Version: 1.3.0-1

As already communicated to secteam on Friday, this issue does not
apply even with old versions, because external modules are taken from the
/usr/lib/proftpd directory only in mod_dso.c. So, using or not the internal
liblt library is not a problem in current and old versions of proftpd (when DSO
modules are used, which is the default since 1.3.0).

Also, 1.3.2c1 does apply the patch below, which appears sufficient
to fix 2.2.4 in the current embedded copy. So I did my homework ;-)

Index: ltdl.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/lib/libltdl/ltdl.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -u -r1.3 -r1.4
--- ltdl.c      17 Nov 2009 18:25:56 -0000      1.3
+++ ltdl.c      17 Nov 2009 18:46:58 -0000      1.4
@@ -529,7 +529,8 @@ find_module (lt_dlhandle *handle, const 
   /* Try to open the old library first; if it was dlpreopened,
      we want the preopened version of it, even if a dlopenable
      module is available.  */
-  if (old_name && tryall_dlopen (handle, old_name, advise, 0) == 0)
+  if (old_name && tryall_dlopen (handle, old_name,
+                         advise, lt_dlloader_find ("lt_preopen") ) == 0)
     {
       return 0;
     }
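Review bot: the loader passed to tryall_dlopen on the `+` lines is the bare return value of lt_dlloader_find ("lt_preopen") with no NULL check; if no loader named "lt_preopen" is registered in this build, the call receives a null pointer, the same value as the literal 0 the removed line passed, and the old_name attempt is then made exactly as before, which is the behaviour the change is meant to narrow. Suggest storing the result in a local, and only attempting the dlpreopened old_name when it is non-NULL, e.g. `if (old_name && preopen != NULL && tryall_dlopen (handle, old_name, advise, preopen) == 0)`.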
@@ -1345,7 +1346,7 @@ try_dlopen (lt_dlhandle *phandle, const 
            }
 #endif
        }
-      if (!file)
+      else
        {
          file = fopen (attempt, LT_READTEXT_MODE);
        }
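Review bot: replacing `if (!file)` with `else` ties the `fopen (attempt, LT_READTEXT_MODE)` to an `if` whose condition lies outside the hunk's context, so from the hunk alone a reviewer cannot confirm which condition now guards it; please widen the context or state in the change description that the preceding `if` is the one that starts the search-path walk, since the intent is that a bare name which was searched for and not found is no longer retried as `attempt`, i.e. relative to the current working directory. Also, with `else` the variable `file` can now leave this block as NULL whenever the search branch fails, so check that the code following the hunk treats a null `file` as "module not found" rather than reading from it.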


-- 
Francesco P. Lovergine


--- End Message ---
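The reply above states that proftpd's mod_dso.c takes external modules from the /usr/lib/proftpd directory only, while the CVE text in the first message describes the opposite behaviour in libltdl (a .la file looked up in the current working directory). The following is an added C example, not code from proftpd or libltdl, showing what such a fixed-directory loader policy looks like: a module name is validated as a bare file name, always resolved below one absolute directory, and a search-path walk consults absolute directories only, with no fallback to the bare name. The function names, the `exists` callback and the sample directory list are assumptions constructed for the example; /usr/lib/proftpd is the directory named in the reply.

```c
/* Added example (not proftpd or libltdl code): a module-loading policy
 * that can never satisfy a module name from the current working
 * directory, which is the failure mode CVE-2009-3736 describes. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MODULE_DIR "/usr/lib/proftpd"   /* directory named in the bug reply */

/* Accept only a plain file name: non-empty, bounded length, no path
 * separators, not "." or "..", and made only of [A-Za-z0-9_.-]. */
static int module_name_is_safe(const char *name)
{
    size_t i, len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 128) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\') return 0;
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Fixed-directory policy (the mod_dso.c style the reply describes):
 * build "<MODULE_DIR>/<name>" into out. Returns 0 on success, -1 if
 * the name is rejected or the buffer is too small. The result is
 * always an absolute path below MODULE_DIR, never a bare relative
 * name that dlopen()/fopen() would resolve against the cwd. */
int resolve_module_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!module_name_is_safe(name)) return -1;
    n = snprintf(out, outlen, "%s/%s", MODULE_DIR, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Hypothetical existence predicate so the search can be exercised
 * without touching the filesystem. */
typedef int (*exists_fn)(const char *path);

/* Search-path policy: look for name in each directory of the
 * NULL-terminated list dirs. Relative entries (such as ".") are
 * skipped because they would mean "wherever the process happens to
 * be", and there is deliberately no final attempt on the bare name.
 * Returns 0 and fills out on success, -1 (out emptied) otherwise. */
int find_module_file(const char *name, const char *const *dirs,
                     exists_fn exists, char *out, size_t outlen)
{
    if (!module_name_is_safe(name)) return -1;
    for (; *dirs != NULL; dirs++) {
        int n;
        if ((*dirs)[0] != '/') continue;          /* relative dir: never consulted */
        n = snprintf(out, outlen, "%s/%s", *dirs, name);
        if (n < 0 || (size_t)n >= outlen) continue;
        if (exists(out)) return 0;
    }
    if (outlen > 0) out[0] = '\0';
    return -1;
}

/* Constructed sample data: a search list that starts with "." (as a
 * misconfigured environment might) and a predicate that claims two
 * files exist, one of them only relative to the cwd. */
static const char *const demo_dirs[] = { ".", "/usr/lib/proftpd", NULL };

static int demo_exists(const char *path)
{
    return strcmp(path, "/usr/lib/proftpd/mod_tls.so") == 0 ||
           strcmp(path, "./mod_evil.la") == 0;
}

int main(void)
{
    char buf[256];
    const char *names[] = { "mod_tls.so", "mod_evil.la", "../../tmp/mod_tls.so" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = find_module_file(names[i], demo_dirs, demo_exists, buf, sizeof buf);
        printf("%-22s -> %s\n", names[i], rc == 0 ? buf : "rejected / not found");
    }
    return 0;
}
```

Run as written, the sample shows mod_tls.so resolved under /usr/lib/proftpd, mod_evil.la not found even though the predicate says it exists relative to ".", and the traversal name rejected before any lookup.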
