Your message dated Wed, 24 Feb 2010 09:38:44 +0000
with message-id <[email protected]>
and subject line Bug#559821: fixed in libtunepimp 0.5.3-7.3
has caused the Debian Bug report #559821,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559821: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libtunepimp
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
--- Begin Message ---
Source: libtunepimp
Source-Version: 0.5.3-7.3
We believe that the bug you reported is fixed in the latest version of
libtunepimp, which is due to be installed in the Debian FTP archive:
libtunepimp-dev_0.5.3-7.3_amd64.deb
to main/libt/libtunepimp/libtunepimp-dev_0.5.3-7.3_amd64.deb
libtunepimp5-dbg_0.5.3-7.3_amd64.deb
to main/libt/libtunepimp/libtunepimp5-dbg_0.5.3-7.3_amd64.deb
libtunepimp5_0.5.3-7.3_amd64.deb
to main/libt/libtunepimp/libtunepimp5_0.5.3-7.3_amd64.deb
libtunepimp_0.5.3-7.3.diff.gz
to main/libt/libtunepimp/libtunepimp_0.5.3-7.3.diff.gz
libtunepimp_0.5.3-7.3.dsc
to main/libt/libtunepimp/libtunepimp_0.5.3-7.3.dsc
python-tunepimp_0.5.3-7.3_all.deb
to main/libt/libtunepimp/python-tunepimp_0.5.3-7.3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Zacchiroli <[email protected]> (supplier of updated libtunepimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 20 Feb 2010 14:01:43 +0100
Source: libtunepimp
Binary: libtunepimp-dev libtunepimp5 libtunepimp5-dbg python-tunepimp
Architecture: source amd64 all
Version: 0.5.3-7.3
Distribution: unstable
Urgency: low
Maintainer: Adam Cécile (Le_Vert) <[email protected]>
Changed-By: Stefano Zacchiroli <[email protected]>
Description:
libtunepimp-dev - MusicBrainz tagging library development files
libtunepimp5 - MusicBrainz tagging library
libtunepimp5-dbg - Debug symbols for libtunepimp5 library
python-tunepimp - Python bindings for MusicBrainz tagging library
Closes: 476378 559821
Changes:
libtunepimp (0.5.3-7.3) unstable; urgency=low
.
* Non-maintainer upload
* Link against system libltdl, instead of embedded and security flawed
version. Fix CVE CVE-2009-3736. Patch from Yavor Doganov.
(Closes: #559821)
* debian/patches: new patch 030-new-libmpcdec-API: port to new
libmpcdec API, patch from Yavor Doganov. (Closes: #476378)
* debian/control: add build-dep on libltdl-dev
* re-autotoolize (in diff, to avoid augmenting build-deps)
Checksums-Sha1:
9b6ebbed30297841bcff5637d69fb89e9f914460 1443 libtunepimp_0.5.3-7.3.dsc
7e4f78286cb0039c2e301593ca897ce41dca5dc0 1051238 libtunepimp_0.5.3-7.3.diff.gz
240b92dd23c7ace89eb3b7999546c950077c9eca 237224
libtunepimp-dev_0.5.3-7.3_amd64.deb
0010019558aef7fad471fd66effb95a6040c96f9 397914
libtunepimp5_0.5.3-7.3_amd64.deb
da8c066e41436a229d3215f4d1a5e0d53802f6ae 1298594
libtunepimp5-dbg_0.5.3-7.3_amd64.deb
0f49949e5f61d7b4b4cdf1aeebf6574d3570be49 18964
python-tunepimp_0.5.3-7.3_all.deb
Checksums-Sha256:
d75fb25086a25b738ff58353fde045da848ca6f0e1437c64b37e9d5ce978b9bf 1443
libtunepimp_0.5.3-7.3.dsc
e133d3037313c639b964666b8e289c4f0eb286cdf61d5a0c1a5e8c48ee5b076f 1051238
libtunepimp_0.5.3-7.3.diff.gz
dd4e00e919120c3e88720c0031e430f438b2c76239052dd46ce8e88a3185ee01 237224
libtunepimp-dev_0.5.3-7.3_amd64.deb
27d59a708d6f38ba1d4df1fc626300c37799075c8d6aba5613dfb34ff0e2664f 397914
libtunepimp5_0.5.3-7.3_amd64.deb
52379e9181665c88e8181b4e3708f1b412b07edbd79f47be8ca600c55c12c1a6 1298594
libtunepimp5-dbg_0.5.3-7.3_amd64.deb
ec8d95ae87a24ab090e8d738ee4824b3919b6acd6b71af7d32a720fdd3771401 18964
python-tunepimp_0.5.3-7.3_all.deb
Files:
3e2ee2b826a0e8e46a05325106154e2d 1443 libs optional libtunepimp_0.5.3-7.3.dsc
2714f19e00528beb6c0f01b2160de6f8 1051238 libs optional
libtunepimp_0.5.3-7.3.diff.gz
da3c33ecef729e40a4cba8e7b9d73c8a 237224 libdevel optional
libtunepimp-dev_0.5.3-7.3_amd64.deb
008ea57b3491925773d9e85cc8555321 397914 libs optional
libtunepimp5_0.5.3-7.3_amd64.deb
b5fec2701a8f23408f6694eedc800812 1298594 libs extra
libtunepimp5-dbg_0.5.3-7.3_amd64.deb
ecef76126819a5ad1401f1312e9afd8a 18964 python optional
python-tunepimp_0.5.3-7.3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLgBmW1cqbBPLEI7wRAsB3AKDWW+5d8ksynWCfdwUEYfYWzCZ9kACdFBbD
ELdC4MOjFo3iM7K9xB82eYs=
=ZW2f
-----END PGP SIGNATURE-----
--- End Message ---