Your message dated Sat, 19 Dec 2009 19:47:26 +0000
with message-id <[email protected]>
and subject line Bug#559813: fixed in guile-1.6 1.6.8-7
has caused the Debian Bug report #559813,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559813: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559813
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: guile-1.6
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
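The .la lookup described in the CVE text above, shown as an added illustration; this is not code from the bug report, from libtool or from guile-1.6, and it does not reproduce libltdl's real search logic. The two lookup routines, the trusted directory, the file-mode check and the planted "evil.la" are all constructed for the example: the vulnerable routine falls back to a path relative to the current working directory when the module is not in its trusted directory, which is the class of bug CVE-2009-3736 describes, and the hardened routine searches one absolute directory only, accepts a bare file name only, and refuses a .la that is not a regular file or is group/world-writable.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable lookup (constructed stand-in, not libltdl's code): try
   <trusted_dir>/<name>.la, then fall back to "<name>.la", which the kernel
   resolves relative to the caller's current working directory. A local user
   who controls the cwd of a privileged caller gets their own .la (and the
   dlname it names) picked up. */
int vuln_find_la(const char *trusted_dir, const char *name, char *out, size_t outlen)
{
    struct stat st;
    snprintf(out, outlen, "%s/%s.la", trusted_dir, name);
    if (stat(out, &st) == 0)
        return 0;
    snprintf(out, outlen, "%s.la", name);       /* relative path: the bug */
    return stat(out, &st) == 0 ? 0 : -1;
}

/* Hardened lookup: absolute trusted directory only, a single bare file-name
   component, no cwd fallback, and the .la must be a regular file that is not
   writable by group or others. */
int safe_find_la(const char *trusted_dir, const char *name, char *out, size_t outlen)
{
    struct stat st;
    if (trusted_dir[0] != '/' || name[0] == '\0' || strchr(name, '/') || strstr(name, ".."))
        return -1;
    if (snprintf(out, outlen, "%s/%s.la", trusted_dir, name) >= (int)outlen)
        return -1;
    if (stat(out, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Constructed scenario: a temporary directory acting as the attacker-controlled
   cwd, holding a planted "evil.la", and an empty trusted directory beside it.
   Returns a bitmask: 1 = vulnerable loader picked up the planted file,
   2 = hardened loader refused it. Both together give 3. */
int run_scenario(void)
{
    char tmpl[] = "/tmp/ltdl-demo-XXXXXX";
    char trusted[256], path[512], cwd_save[4096];
    int result = 0;
    FILE *f;

    if (!mkdtemp(tmpl) || !getcwd(cwd_save, sizeof cwd_save))
        return -1;
    snprintf(trusted, sizeof trusted, "%s/trusted", tmpl);
    if (mkdir(trusted, 0755) != 0 || chdir(tmpl) != 0)
        return -1;
    f = fopen("evil.la", "w");                 /* the Trojan horse .la in cwd */
    if (!f)
        return -1;
    fputs("dlname='libevil.so.0'\n", f);       /* constructed content */
    fclose(f);

    if (vuln_find_la(trusted, "evil", path, sizeof path) == 0 && strcmp(path, "evil.la") == 0)
        result |= 1;
    if (safe_find_la(trusted, "evil", path, sizeof path) != 0)
        result |= 2;

    unlink("evil.la");
    if (chdir(cwd_save) != 0)
        return -1;
    rmdir(trusted);
    rmdir(tmpl);
    return result;
}

int main(void)
{
    int r = run_scenario();
    printf("scenario result: %d (3 = vulnerable loader used cwd, hardened loader refused)\n", r);
    return r == 3 ? 0 : 1;
}
```

The same lookup-order problem exists whether the loader is libltdl itself or an embedded copy of it, so the practical check for a package like this one is whether the built objects still carry their own lt_dl* code: `nm -D` on the shared library showing lt_dlopen and friends as defined (T) symbols means an embedded copy is present, while an undefined (U) lt_dlopen together with a libltdl NEEDED entry in `objdump -p` output means the system library is used, which is the change made for 1.6.8-7.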
--- Begin Message ---
Source: guile-1.6
Source-Version: 1.6.8-7

We believe that the bug you reported is fixed in the latest version of
guile-1.6, which is due to be installed in the Debian FTP archive:

guile-1.6-dev_1.6.8-7_i386.deb
  to main/g/guile-1.6/guile-1.6-dev_1.6.8-7_i386.deb
guile-1.6-doc_1.6.8-7_all.deb
  to main/g/guile-1.6/guile-1.6-doc_1.6.8-7_all.deb
guile-1.6-libs_1.6.8-7_i386.deb
  to main/g/guile-1.6/guile-1.6-libs_1.6.8-7_i386.deb
guile-1.6-slib_1.6.8-7_all.deb
  to main/g/guile-1.6/guile-1.6-slib_1.6.8-7_all.deb
guile-1.6_1.6.8-7.diff.gz
  to main/g/guile-1.6/guile-1.6_1.6.8-7.diff.gz
guile-1.6_1.6.8-7.dsc
  to main/g/guile-1.6/guile-1.6_1.6.8-7.dsc
guile-1.6_1.6.8-7_i386.deb
  to main/g/guile-1.6/guile-1.6_1.6.8-7_i386.deb
libguile-ltdl-1_1.6.8-7_i386.deb
  to main/g/guile-1.6/libguile-ltdl-1_1.6.8-7_i386.deb
libqthreads-12_1.6.8-7_i386.deb
  to main/g/guile-1.6/libqthreads-12_1.6.8-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <[email protected]> (supplier of updated guile-1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 18 Dec 2009 23:00:54 -0800
Source: guile-1.6
Binary: guile-1.6 guile-1.6-dev guile-1.6-doc guile-1.6-libs libqthreads-12 libguile-ltdl-1 guile-1.6-slib
Architecture: source all i386
Version: 1.6.8-7
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <[email protected]>
Changed-By: Rob Browning <[email protected]>
Description: 
 guile-1.6  - The GNU extension language and Scheme interpreter
 guile-1.6-dev - Development files for Guile 1.6
 guile-1.6-doc - Reference and tutorial documentation for Guile 1.6
 guile-1.6-libs - Main Guile libraries
 guile-1.6-slib - Guile SLIB support
 libguile-ltdl-1 - Guile's patched version of libtool's libltdl
 libqthreads-12 - QuickThreads library for Guile
Closes: 497740 501114 533269 553779 559813
Changes: 
 guile-1.6 (1.6.8-7) unstable; urgency=high
 .
   * Change dependency from libreadline5-dev to libreadline6-dev.  Thanks
     to Matthias Klose <[email protected]> for the 1.6 report.  See also
     #550131.  (closes: #553779)
 .
   * Adjust libguile-ltdl to use the system libltdl in order to fix a
     security risk (CVE-2009-3736).  Older versions of ltdl (in this case
     via the internal raw-ltdl.c) would attempt "to open a .la file in the
     current working directory, which allows local users to gain privileges
     via a Trojan horse file".  See use-system-libltdl.diff.  Thanks to
     Michael Gilbert <[email protected]> for the report.
     (closes: #559813)
 .
   * Add find-stack-direction.diff to fix a FTBFS on some architectures,
     including hppa and powerpc.  Thanks to Thiemo Seufer
     <[email protected]> and Martin Zobel-Helas <[email protected]> for the
     initial reports and patches, and Frank Lichtenheld <[email protected]>
     and Cyril Brulebois <[email protected]> for the earlier 1.6.8-6.1 and
     1.6.8-6.3 NMUs. (closes: #497740)
 .
   * Always use -O0 on sparc for now to fix a compilation problem with gcc
     4.3. Thanks to Cyril Brulebois <[email protected]> for the 1.6.8-6.2
     NMU. (closes: #501114).
 .
   * Fix FTBFS on kfreebsd-i386 by adding it to WORKING_QTHREADS_ARCHS in
     debian/rules.  Thanks to Petr Salinger <[email protected]> for
     the fix, and Cyril Brulebois <[email protected]> for the 1.6.8-6.4 NMU.
     (Closes: #533269).
Checksums-Sha1: 
 ed21026c4b94d1335be7281534019f3a028f2bab 1199 guile-1.6_1.6.8-7.dsc
 16aaec4ff70cca4b976baa4641af7bcf5c9241a5 1271234 guile-1.6_1.6.8-7.diff.gz
 cad02d41ca7a11e7736c670b396ae7beb6cbc92d 362626 guile-1.6-doc_1.6.8-7_all.deb
 f9ae3dd060ff45e9bff34524be3aa122f83d0124 5336 guile-1.6-slib_1.6.8-7_all.deb
 0bde9cab4f1c210f754cdd27451fcb11aeee8580 7886 guile-1.6_1.6.8-7_i386.deb
 7591b67966a77552e9907fb17ab0139120fb3363 494680 guile-1.6-dev_1.6.8-7_i386.deb
 2c6dca4f907e95e061069fc97682980cac54f3d6 602924 guile-1.6-libs_1.6.8-7_i386.deb
 6796558804f18ec01b14982b5649e78f02be5c49 7202 libqthreads-12_1.6.8-7_i386.deb
 af33cca2b03e9cfa443b24a961eff7f277bf3a35 7078 libguile-ltdl-1_1.6.8-7_i386.deb
Checksums-Sha256: 
 80354e38e939684dcb5ccb3c99f45fb4877f7604c5fd11d7e493ce8b265694d4 1199 guile-1.6_1.6.8-7.dsc
 d719c59555308e4d458f4e37b08ceb80e84ef5a40f397d038f6edbc70e76a911 1271234 guile-1.6_1.6.8-7.diff.gz
 86e9cedf111cdaef56cf90afa8f90bc0bd64acb220c11885d7baf4b3c22d7605 362626 guile-1.6-doc_1.6.8-7_all.deb
 03483174a85c5600931ff7c322d8ac18a9401784fca2a9557361d88b1900e354 5336 guile-1.6-slib_1.6.8-7_all.deb
 2a171b3a975cc1e1a7677f9bb1270ff0dbad55d568333f2700ffbad7268e54f7 7886 guile-1.6_1.6.8-7_i386.deb
 6df01b8dc0e9eca9cea14e1101f23d008ad5e6dffa2da12032fa77bcb0de24e4 494680 guile-1.6-dev_1.6.8-7_i386.deb
 c73080b6d43519e2553d936014bb7a62589b5f07ffea8e4fe052d52144316115 602924 guile-1.6-libs_1.6.8-7_i386.deb
 8aed3542446a72b425b0d4ef687ec6540689e0d08f091ccc62a8fb437e4aa7d1 7202 libqthreads-12_1.6.8-7_i386.deb
 636049f44bc1649d7db0fefa31be5dcf15de4b6813a0d658cba6de61228dba8a 7078 libguile-ltdl-1_1.6.8-7_i386.deb
Files: 
 69a2d0b27ebef56ba41ce18e2a54258a 1199 interpreters optional guile-1.6_1.6.8-7.dsc
 8fb81ea6dd24f591cfc0fd83f0d6991c 1271234 interpreters optional guile-1.6_1.6.8-7.diff.gz
 fa5ba406eb74872dc94904b81380785f 362626 doc optional guile-1.6-doc_1.6.8-7_all.deb
 3eaad92c582e677d93db71b9d7907205 5336 devel optional guile-1.6-slib_1.6.8-7_all.deb
 b08c266bf29cb70c1fc55e15426158a3 7886 interpreters optional guile-1.6_1.6.8-7_i386.deb
 a28d412598a797ad7b302e245eb136e3 494680 devel optional guile-1.6-dev_1.6.8-7_i386.deb
 60eab895eccc7795f95100ce9faa7658 602924 libs optional guile-1.6-libs_1.6.8-7_i386.deb
 1f0134f59504fe63074456602a2f891d 7202 libs optional libqthreads-12_1.6.8-7_i386.deb
 ca6919c0249a326f410a5090914955ed 7078 libs optional libguile-ltdl-1_1.6.8-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkstKW4ACgkQJcjTd4x+c6QfyACgimpfAz9+GR95yoqyBWOu8xtc
KhEAn2Ctazx/rgq0zq8Qm6imVaOpVr4g
=ej89
-----END PGP SIGNATURE-----



--- End Message ---