[Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation

Sylvestre Ledru sylvestre at debian.org
Mon Dec 7 08:30:40 UTC 2009


Manuel, are you going to handle this issue or do you want me to do it?

Thanks
Sylvestre

On Monday, 07 December 2009 at 00:06 -0500, Michael Gilbert wrote:
> Package: openmpi
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the binary packages are not affected, please feel free to close
> the bug with a message containing the details of what you did to check.
> 
> CVE-2009-3736[0]:
> | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> | attempts to open a .la file in the current working directory, which
> | allows local users to gain privileges via a Trojan horse file.
> 
> Note that this problem also affects etch and lenny, so if your package
> is affected, please coordinate with the security team to release the
> DSA for the affected packages.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
>     http://security-tracker.debian.org/tracker/CVE-2009-3736
> 
> 
> 
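The quoted report asks the maintainer to work out whether the vulnerable ltdl.c is actually compiled into any of the binary packages, or whether they only link the distribution's shared libltdl (which the libtool DSA fixes on its own). The script below is an added example for that check; it is not part of the bug report, the openmpi package or the libtool project. It classifies a shared object from its `nm -D` output: if lt_dlopen/lt_dlopenext/lt_dlinit are defined in the object, the package carries its own copy of ltdl (a bundled ltdl.c or a static link of libltdl.a, either of which must be patched and rebuilt); if they are only undefined references, they are resolved at run time from the system libltdl; otherwise the object does not use libltdl at all. The symbol names are the real libltdl API; the sample `nm -D` lines are constructed for this example, and `check_tree` is a hypothetical helper for running the same classifier over an unpacked .deb.

```shell
#!/bin/sh
# Added example (not code from the Debian bug, the openmpi package or
# libtool). Classifies a shared object from `nm -D` output as:
#   embedded - lt_dlopen & co. are DEFINED here: the package ships its own
#              copy of ltdl.c (or a static libltdl.a) and must itself be fixed
#   system   - they are UNDEFINED here: resolved at run time from the
#              distribution's shared libltdl, so the libtool DSA covers it
#   none     - the object does not use libltdl at all

# ltdl_status: read `nm -D` lines on stdin, print embedded/system/none.
ltdl_status() {
    awk '
        # nm -D prints "<addr> <type> <name>" for defined symbols and
        # "<type> <name>" for undefined ones, so the type is always $(NF-1).
        $NF ~ /^lt_dl(open|openext|init)$/ {
            t = $(NF-1)
            if (t ~ /^[TtWw]$/) defined = 1
            else if (t == "U") undefined = 1
        }
        END {
            if (defined) print "embedded"
            else if (undefined) print "system"
            else print "none"
        }'
}

# check_tree DIR: hypothetical helper that runs the classifier over every
# shared object below DIR, e.g. after `dpkg-deb -x libopenmpi1_*.deb tmp`.
# Prints "<status>\t<path>" per object; needs binutils' nm on the PATH.
check_tree() {
    find "$1" -type f \( -name '*.so' -o -name '*.so.*' \) | while read -r f; do
        printf '%s\t%s\n' "$(nm -D "$f" 2>/dev/null | ltdl_status)" "$f"
    done
}

# Constructed sample `nm -D` output for three hypothetical objects.
SAMPLE_EMBEDDED='0000000000004f20 T lt_dlopen
0000000000005010 T lt_dlopenext
0000000000003a00 T lt_dlinit
                 U dlopen'
SAMPLE_SYSTEM='                 U lt_dlopen
                 U lt_dlinit
                 U malloc'
SAMPLE_NONE='0000000000001230 T MPI_Init
                 U pthread_create'

printf 'bundled-ltdl object:   %s\n' "$(printf '%s\n' "$SAMPLE_EMBEDDED" | ltdl_status)"
printf 'system-libltdl object: %s\n' "$(printf '%s\n' "$SAMPLE_SYSTEM" | ltdl_status)"
printf 'no-ltdl object:        %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | ltdl_status)"
```

An object reported as "system" is only safe once the fixed libltdl from the libtool DSA is installed; one reported as "embedded" needs the ltdl.c fix applied in the package's own source and a rebuild, which is the case the report asks to be coordinated with the security team.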