Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-09 Thread Guillem Jover
Hi!

On Tue, 2009-12-08 at 10:23:41 -0500, Michael Gilbert wrote:
> > CVE-2009-3736[0]:
> > | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> > | attempts to open a .la file in the current working directory, which
> > | allows local users to gain privileges via a Trojan horse fil

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Steffen Joeris
On Tue, 8 Dec 2009 04:23:41 pm Michael Gilbert wrote:
> On Tue, 8 Dec 2009 03:13:06 +1100, Steffen Joeris wrote:
> > > > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > > > published for libtool. I have determined that this package embeds
> > > > > a vulnerable copy of the li

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-08 Thread Michael Gilbert
On Tue, 8 Dec 2009 03:13:06 +1100, Steffen Joeris wrote:
> > > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > > published for libtool. I have determined that this package embeds a
> > > > vulnerable copy of the libtool source code. However, since this is a
> > > > mass bug

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Steve Langasek
On Mon, Dec 07, 2009 at 08:56:07AM +0100, Stefan Hornburg (Racke) wrote:
> >CVE-2009-3736[0]:
> >| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> >| attempts to open a .la file in the current working directory, which
> >| allows local users to gain privileges via a Trojan horse

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Steffen Joeris
Hi

> > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > published for libtool. I have determined that this package embeds a
> > > vulnerable copy of the libtool source code. However, since this is a
> > > mass bug filing (due to so many packages embedding libtool), I have n

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Michael Gilbert
On Mon, 07 Dec 2009 08:56:07 +0100, Stefan Hornburg (Racke) wrote:
> Michael Gilbert wrote:
> > Package: courier-authlib
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I have determined that this

Re: Bug#559802: CVE-2009-3736 local privilege escalation

2009-12-07 Thread Stefan Hornburg (Racke)
Michael Gilbert wrote:

Package: courier-authlib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I have determined that this package embeds a vulnerable copy of the libtool source code. However, since this is a mass bug fi