Summary: | <media-tv/dvbstreamer-1.1-r1: ships a vulnerable copy of libtool (CVE-2009-3736) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Samuli Suominen (RETIRED) <ssuominen> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | media-tv, rogerx.oss |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://sourceforge.net/tracker/?func=detail&aid=2951692&group_id=164687&atid=832723 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 252404 | ||
Bug Blocks: |
Description
Samuli Suominen (RETIRED)
2010-01-27 17:26:03 UTC
Moving to security because of,

*dvbstreamer-1.1-r1 (03 Feb 2010)

03 Feb 2010; Samuli Suominen <ssuominen@gentoo.org> +dvbstreamer-1.1-r1.ebuild, +files/dvbstreamer-1.1-libtool.patch: Use system libtool wrt #252404, thanks to Diego E. 'Flameeyes' Pettenò for reporting.

Before this it was bundling a vulnerable copy of libtool. Also adding arch's.

x86 stable

By vulnerable I mean bug 295535 (CVE-2009-3736)

amd64 stable

GLSA request filed.

Can this bug be closed with the new dvbstreamer-2.1.0.ebuild submission being posted to bug #349457? Or is proposed dvbstreamer-2.1.0.ebuild attached to bug #349457 vulnerable as well?? Does calling autoreconf -i alleviate this security issue?

This bug is already solved in 1.1-r1 and any later versions (upstream switched to using system libltdl). It's only open because we are waiting for the glsa.

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).