
Bug 295429

Summary: =media-gfx/graphicsmagick-1.3.7: ltdl.c in libltdl attempts to open a .la file in the current working directory (CVE-2009-3736)
Product: Gentoo Security
Reporter: Arseny Solokha <asolokha>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
The fix none

Description Arseny Solokha 2009-12-02 11:59:20 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

CVE-2009-3736 is currently under review, but there's a fix for this issue in the project's CVS HEAD. The attached patch could be applied against GraphicsMagick 1.3.7.

Reproducible: Always

Steps to Reproduce:
Comment 1 Arseny Solokha 2009-12-02 12:01:21 UTC
Created attachment 211756 [details, diff]
The fix

This patch upgrades the version of libltdl that comes with GraphicsMagick to 2.2.6b.
Comment 2 Arseny Solokha 2010-01-24 16:05:51 UTC
This patch has been added to the portage tree on January 11, 2009. Should this bug be closed now?
Comment 3 Arseny Solokha 2010-02-22 17:56:39 UTC
GraphicsMagick 1.3.7 has been removed from the Portage tree on February 14, 2010. Newer versions have this bug fixed. This report is quite objectless now and should be closed.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-10 16:15:12 UTC
Closing NOGLSA, as there never was a stable version.