Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 295535 (CVE-2009-3736) - <sys-devel/libtool-2.2.6b Insecure .la search path (CVE-2009-3736)
Summary: <sys-devel/libtool-2.2.6b Insecure .la search path (CVE-2009-3736)
Alias: CVE-2009-3736
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [noglsa]
Depends on: 294106
  Show dependency tree
Reported: 2009-12-03 08:59 UTC by Alex Legler (RETIRED)
Modified: 2014-05-31 22:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-03 08:59:54 UTC
CVE-2009-3736 (
  ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
  attempts to open a .la file in the current working directory, which
  allows local users to gain privileges via a Trojan horse file.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-05 21:40:56 UTC
Forgot to ask... base-system: can we go stable with 2.2.6b?
Comment 2 SpanKY gentoo-dev 2009-12-06 00:01:30 UTC
i'm not aware of any regressions that would prevent stabilization
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-06 00:05:16 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-07 05:56:32 UTC
Stable for HPPA.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2009-12-07 06:00:48 UTC
Stable media-sound/mpg123 first (bug 294106) because otherwise you'd be breaking the stable version... thanks :)
Comment 6 Tiago Cunha (RETIRED) gentoo-dev 2009-12-07 17:17:42 UTC
sparc stable
Comment 7 Markus Meier gentoo-dev 2009-12-07 23:03:45 UTC
amd64/arm/x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-12-08 15:19:18 UTC
ppc64 done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-09 14:52:56 UTC
Stable for PPC.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 17:46:18 UTC
alpha/ia64/m68k/s390/sh stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 20:28:04 UTC
GLSA request already filed.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 22:31:49 UTC
This issue has been fixed since Dec 09, 2009. No GLSA will be issued.