On Tue, 8 Dec 2009 04:23:41 pm Michael Gilbert wrote: > On Tue, 8 Dec 2009 03:13:06 +1100, Steffen Joeris wrote: > > > > > The following CVE (Common Vulnerabilities & Exposures) id was > > > > > published for libtool. I have determined that this package embeds > > > > > a vulnerable copy of the libtool source code. However, since this > > > > > is a mass bug filing (due to so many packages embedding libtool), I > > > > > have not had time to determine whether the vulnerable code is > > > > > actually present in any of the binary packages. Please determine > > > > > whether this is the case. If the package is not affected, please > > > > > feel free to close the bug with a message containing the details of > > > > > what you did to check. > > > > > > > > > > CVE-2009-3736[0]: > > > > > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, > > > > > | attempts to open a .la file in the current working directory, > > > > > | which allows local users to gain privileges via a Trojan horse > > > > > | file. > > > > > > > > > > Note that this problem also affects etch and lenny, so if your > > > > > package is affected, please coordinate with the security team to > > > > > release the DSA for the affected packages. > > > > Is this different to all these python modules that include the working > > directory? When I had a quick look it smelled like these once, in which > > case none of the packages probably deserves a DSA and they can all be > > fixed through s-p-u/o-s-p-u (and can be urgency 'slow'), but I thought > > I'd ask first in case I misunderstood the issue. > > So, as i interpret the issue, the difference here is that libtool will > load any and all .la and .a file available on the LD_LOAD_LIBRARY path; > whereas python will load modules in the current directory only if they > are specifically called from the script. > > I have just recently realized that LD_LOAD_LIBRARY has a relatively > safe default that does not include the current working directory. > Given this fact, I believe that the impact is rather limited (only > users that have modified that LD_LOAD_LIBRARY path are affected; and > i'm sure there are those who have done this, but it is a minor subset > of all debian users). > > Hence, I think that for any package embedding libtool, updates should > be pushed in stable-proposed-updates, rather than DSAs. As for libtool > itself, it may still make sense to issue a DSA. > > If there is concurrence on this assessment, I will send a message along > these lines to all of the bugs that I submitted. Please do so, if the packages have an embedded code copy and do not link against libtool.
Cheers Steffen -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
