On Mon, 07 Dec 2009 08:56:07 +0100, Stefan Hornburg (Racke) wrote:
> Michael Gilbert wrote:
> > Package: courier-authlib
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I have determined that this package embeds a
> > vulnerable copy of the libtool source code. However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have not
> > had time to determine whether the vulnerable code is actually present
> > in any of the binary packages. Please determine whether this is the
> > case. If the package is not affected, please feel free to close the bug
> > with a message containing the details of what you did to check.
> >
> > CVE-2009-3736[0]:
> > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > | attempts to open a .la file in the current working directory, which
> > | allows local users to gain privileges via a Trojan horse file.
> >
> > Note that this problem also affects etch and lenny, so if your package
> > is affected, please coordinate with the security team to release the
> > DSA for the affected packages.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
>
> Is there a patch available for the vulnerability?
Yes, if you follow the link to the mitre page [0], which was included in the original bug report, you will find a link to the patches [1].

Best wishes,
Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
[1] http://git.savannah.gnu.org/cgit/libtool.git/commit/?h=branch-1-5&id=29b48580df75f0c5baa2962548a4c101ec7ed7ec
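The bug report asks each maintainer to answer two questions and to record how they checked: does the source tree embed a libtool copy in the range the CVE names, and did that private libltdl actually get compiled into any binary package, as opposed to the binary linking against Debian's own libltdl (which is fixed separately). The script below is an added example of such a triage pass; it is not part of this thread, of the Debian security team's tooling, or of libtool. It assumes POSIX sh with GNU find/grep/sed, that the embedded copy records its version in the VERSION= line of ltmain.sh (ltdl.c itself carries no version), that a binary linked dynamically against the system library contains a libltdl.so NEEDED string, and that a binary which compiled in the private copy shows lt_dl* symbol names without that string. The version range is taken verbatim from the CVE text quoted above; the function and directory names are the example's own.

```shell
#!/bin/sh
# Triage helper for the mass bug above (added example, not Debian or
# libtool tooling). Usage: sh triage_ltdl.sh <unpacked-source> <built-files>
# Assumptions: POSIX sh, GNU find/grep/sed; the vulnerable range is the
# one the CVE text gives (1.5.x, and 2.2.6 before 2.2.6b).

# Print the libtool version recorded in the first ltmain.sh under $1.
# ltmain.sh carries a line such as VERSION=1.5.26 or VERSION="2.2.6b ...";
# ltdl.c itself does not state a version. Returns 1 if no ltmain.sh exists.
embedded_libtool_version() {
    ltmain=$(find "$1" -name ltmain.sh -print 2>/dev/null | head -n 1)
    [ -n "$ltmain" ] || return 1
    sed -n "s/^VERSION=[\"']\{0,1\}\([0-9][0-9a-z.]*\).*/\1/p" "$ltmain" | head -n 1
}

# yes/no: is a libtool version inside the range named by CVE-2009-3736?
ltdl_version_vulnerable() {
    case "$1" in
        1.5|1.5.*)     echo yes ;;   # every 1.5.x release
        2.2.6|2.2.6a)  echo yes ;;   # 2.2.6 before 2.2.6b
        *)             echo no  ;;   # 2.2.6b and later, or unknown
    esac
}

# List source files that embed libltdl's implementation itself.
embedded_ltdl_sources() {
    find "$1" -name ltdl.c -print 2>/dev/null
}

# Classify one built file: system / embedded / none.
#   system   - a NEEDED entry for libltdl.so: uses Debian's shared libltdl,
#              so the fix arrives through that package, not this one
#   embedded - lt_dl* symbol names present without a NEEDED libltdl:
#              the private copy was compiled in and this package needs the fix
#   none     - no trace of ltdl at all
# Assumption: symbol names survive in the ELF symbol tables. A stripped
# binary with a statically linked private copy may show neither signature;
# for those, fall back to the build system (see the note below the script).
binary_ltdl_linkage() {
    if grep -a -q 'libltdl\.so' "$1"; then
        echo system
    elif grep -a -q 'lt_dlopen' "$1"; then
        echo embedded
    else
        echo none
    fi
}

# Summarise both checks for one package: $1 = unpacked source, $2 = built files.
# The output is the kind of detail the report asks to be put in the bug log.
triage_package() {
    v=$(embedded_libtool_version "$1" || echo unknown)
    echo "embedded libtool version: ${v:-unknown} (in CVE range: $(ltdl_version_vulnerable "$v"))"
    echo "embedded ltdl sources:"
    embedded_ltdl_sources "$1" | sed 's/^/  /'
    echo "built files:"
    find "$2" -type f -print | while read -r f; do
        echo "  $(binary_ltdl_linkage "$f")  $f"
    done
}

if [ $# -ge 2 ]; then
    triage_package "$1" "$2"
fi
```

A result of "embedded" on any file of a binary package means the package itself needs the branch-1-5 patch linked above and a changelog entry naming the CVE; "system" throughout means the package only uses the shared libltdl and the bug can be closed with that as the recorded check. The symbol-name heuristic is the weak point: if the package strips its binaries and links the private copy statically, confirm instead from the build (whether the Makefiles link the embedded libltdl directory, or whether the .deb depends on Debian's libltdl package) and say which of those you looked at when closing the bug.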