Bug 295535 (CVE-2009-3736)

Summary: <sys-devel/libtool-2.2.6b Insecure .la search path (CVE-2009-3736)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: base-system
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=537941
Whiteboard: A2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 294106
Bug Blocks:

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-03 08:59:54 UTC
CVE-2009-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736):
  ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
  attempts to open a .la file in the current working directory, which
  allows local users to gain privileges via a Trojan horse file.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-05 21:40:56 UTC
Forgot to ask... base-system: can we go stable with 2.2.6b?
Comment 2 SpanKY gentoo-dev 2009-12-06 00:01:30 UTC
I'm not aware of any regressions that would prevent stabilization.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-06 00:05:16 UTC
Arches, please test and mark stable:
=sys-devel/libtool-2.2.6b
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-07 05:56:32 UTC
Stable for HPPA.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2009-12-07 06:00:48 UTC
Stable media-sound/mpg123 first (bug 294106) because otherwise you'd be breaking the stable version... thanks :)
Comment 6 Tiago Cunha (RETIRED) gentoo-dev 2009-12-07 17:17:42 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2009-12-07 23:03:45 UTC
amd64/arm/x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-12-08 15:19:18 UTC
ppc64 done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-09 14:52:56 UTC
Stable for PPC.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 17:46:18 UTC
alpha/ia64/m68k/s390/sh stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 20:28:04 UTC
GLSA request already filed.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 22:31:49 UTC
This issue has been fixed since Dec 09, 2009. No GLSA will be issued.