Bug 302478 - <media-tv/dvbstreamer-1.1-r1: ships a vulnerable copy of libtool (CVE-2009-3736)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://sourceforge.net/tracker/?func=...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 252404
Blocks:
Reported: 2010-01-27 17:26 UTC by Samuli Suominen (RETIRED)
Modified: 2014-12-12 00:29 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Samuli Suominen (RETIRED) gentoo-dev 2010-01-27 17:26:03 UTC
Because of this,

  10 Aug 2009; Samuli Suominen <ssuominen@gentoo.org>
  dvbstreamer-1.1.ebuild, +files/dvbstreamer-1.1-Werror.patch:
  Fix building with GCC 4.4+ by removing -Werror wrt #260919.

It should go stable as soon as possible for future GCC 4.4.x stabilization.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-02-03 10:42:15 UTC
Moving to security because of,

*dvbstreamer-1.1-r1 (03 Feb 2010)

  03 Feb 2010; Samuli Suominen <ssuominen@gentoo.org>
  +dvbstreamer-1.1-r1.ebuild, +files/dvbstreamer-1.1-libtool.patch:
  Use system libtool wrt #252404, thanks to Diego E. 'Flameeyes' Pettenò
  for reporting.

Before this it was bundling a vulnerable copy of libtool.

Also adding arches.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-07 10:20:40 UTC
x86 stable
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-02-07 10:35:59 UTC
By vulnerable I mean bug 295535 (CVE-2009-3736)
Comment 4 Pacho Ramos gentoo-dev 2010-02-09 15:19:47 UTC
amd64 stable
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 20:29:24 UTC
GLSA request filed.
Comment 7 Roger 2011-11-17 14:36:50 UTC
Can this bug be closed with the new dvbstreamer-2.1.0.ebuild submission being posted to bug #349457?

Or is the proposed dvbstreamer-2.1.0.ebuild attached to bug #349457 vulnerable as well?

Does calling autoreconf -i alleviate this security issue?
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2011-11-17 15:24:31 UTC
This bug is already solved in 1.1-r1 and any later versions (upstream switched to using system libltdl). It's only open because we are waiting for the GLSA.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:29:42 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).