299419 – <net-misc/siproxd-0.8.0-r1: bundles an internal copy of libltdl (CVE-2009-3736)

Bug 299419 - <net-misc/siproxd-0.8.0-r1: bundles an internal copy of libltdl (CVE-2009-3736)

Summary: <net-misc/siproxd-0.8.0-r1: bundles an internal copy of libltdl (CVE-2009-3736)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	303697 308495
Blocks:	bundled-libs
	Show dependency tree

Reported:	2010-01-03 00:20 UTC by Diego Elio Pettenò (RETIRED)
Modified:	2010-11-21 16:31 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diego Elio Pettenò (RETIRED) gentoo-dev

2010-01-03 00:20:18 UTC

As usual, this might be vulnerable to the <2.2.0b libtool security issue.

Comment 1 Chí-Thanh Christopher Nguyễn gentoo-dev

2010-02-28 19:58:46 UTC

This is CVE-2009-3736
Fixed (both the vulnerability and use of internal libltdl) in siproxd-0.8.0

Comment 2 Samuli Suominen (RETIRED) gentoo-dev

2010-03-03 11:30:15 UTC

Ping. Why do we have vulnerable version still in stable?

siproxd-0.5.13.ebuild:KEYWORDS="amd64 x86"
siproxd-0.7.0.ebuild:KEYWORDS="amd64 x86"
siproxd-0.7.1.ebuild:KEYWORDS="~amd64 ~x86"
siproxd-0.8.0.ebuild:KEYWORDS="~amd64 ~x86"

Adding amd64, x86. If it doesn't work, this will be lastrited.

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2010-03-03 11:35:22 UTC

(In reply to comment #2)
> Ping. Why do we have vulnerable version still in stable?

 Is 0.8.0 not affected?

Comment 4 Samuli Suominen (RETIRED) gentoo-dev

2010-03-03 11:38:25 UTC

(In reply to comment #3)
> (In reply to comment #2)
> > Ping. Why do we have vulnerable version still in stable?
> 
>  Is 0.8.0 not affected?
> 

Comment #1 and ebuild seems to suggest so: sed -i 's/libltdl //' Makefile.in Makefile.am

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2010-03-03 12:17:32 UTC

x86 stable

Comment 6 Marcel Pennewiß 2010-03-04 11:54:01 UTC

(In reply to comment #5)
> x86 stable

This version segfaults on our x86-server.

emerge --info:
Portage 2.1.7.16 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.16-gentoo-r9 i686)
=================================================================                                  
System uname: Linux-2.6.16-gentoo-r9-i686-Intel-R-_Pentium-R-_III_CPU_family_1266MHz-with-gentoo-1.12.13
Timestamp of tree: Sun, 28 Feb 2010 23:15:01 +0000                                                      
app-shells/bash:     4.0_p35                                                                            
dev-lang/python:     2.4.6, 2.5.4-r4, 2.6.4-r1                                                          
dev-python/pycrypto: 2.1.0_beta1
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.1.2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo-portage.ipv6.tu-ilmenau.de/mirror/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://gentoo-portage.ipv6.tu-ilmenau.de/gentoo-portage"
USE="acl alsa bzip2 cli cracklib crypt cups cxx dri fortran gd gpm iconv ipv6 mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd pthreads python readline reflection session spl sse ssl sysfs tcpd threads unicode x86 zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Further tests are no problem because siproxy is not a testing service on this server ;)

Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev

2010-03-06 07:14:37 UTC

(In reply to comment #6)

Can you provide more information about the crash, such as when it happens and a stack trace in a separate bug, and make it block this one? Thanks.

Comment 8 Marcel Pennewiß 2010-03-08 18:50:05 UTC

> Can you provide more information about the crash, such as when it happens and a
> stack trace in a separate bug, and make it block this one? Thanks.

siproxd-0.8.0 segfaults also on amd64 with example config. bugreport follows asap.

Comment 9 Pacho Ramos gentoo-dev

2010-06-18 18:24:56 UTC

Feel free to add us back when bug 308495 is solved

Comment 10 Samuli Suominen (RETIRED) gentoo-dev

2010-06-18 18:31:07 UTC

(In reply to comment #9)
> Feel free to add us back when bug 308495 is solved
> 

stable amd64 keyword dropped then. moving to security@, dunno if they want glsa for these libltdl bugs or not.

Comment 11 Chí-Thanh Christopher Nguyễn gentoo-dev

2010-06-19 15:36:48 UTC

Arches, please stabilize net-misc/siproxd-0.8.0-r1 which has a fix for bug 308495.

Target keywords: amd64 x86

Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-06-20 09:43:13 UTC

x86 stable

Comment 13 Marcel Pennewiß 2010-06-21 08:52:44 UTC

(In reply to comment #11)
> Arches, please stabilize net-misc/siproxd-0.8.0-r1 which has a fix for bug
> 308495.
> 
> Target keywords: amd64 x86

If siproxd-0.8.0 still contains bug #308495 it should be removed from portage...

Comment 14 Chí-Thanh Christopher Nguyễn gentoo-dev

2010-06-21 09:01:25 UTC

siproxd-0.8.0 will be removed when 0.8.0-r1 is stable on all arches.

Comment 15 Markus Meier gentoo-dev

2010-06-21 20:14:53 UTC

amd64 stable, all arches done.

Comment 16 Tim Sammut (RETIRED) gentoo-dev

2010-11-20 17:30:52 UTC

GLSA Vote: no.

Comment 17 Stefan Behte (RETIRED) gentoo-dev

2010-11-21 16:31:42 UTC

Vote: NO, closing noglsa.