CVE-2009-3736

NameCVE-2009-3736
SourceCVE (at NVD; RH)
Descriptionltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
ReferencesDSA-1958-1
NVD severitymedium (attack range: local, user-initiated)
Debian Bugs559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845
Debian/oldstablepackages babel, camserv, clamav, collectd, cvsnt, ggobi, gnash, gnu-smalltalk, graphicsmagick, guile-1.6, hercules, hypre, lam, libannodex, libextractor, libtunepimp, mp4h, naim, openmpi, pinball, sdcc, siproxd, synfig are vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablepackage ski is vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
arts (PTS)lenny1.5.9-2fixed
squeeze1.5.9-3fixed
babel (PTS)lenny1.2.0.dfsg-6vulnerable
squeeze, wheezy, sid1.4.0.dfsg-8fixed
bochs (PTS)lenny2.3.7-1fixed
squeeze2.4.5-1fixed
wheezy, sid2.4.6-4fixed
camserv (PTS)lenny1:0.5.1-7vulnerable
clamav (PTS)lenny, lenny (security)0.94.dfsg.2-1lenny2vulnerable
squeeze0.97.3+dfsg-1~squeeze1fixed
wheezy, sid0.97.3+dfsg-2fixed
collectd (PTS)lenny, lenny (security)4.4.2-3+lenny1vulnerable
squeeze4.10.1-1+squeeze2fixed
sid4.10.4-1fixed
cvsnt (PTS)lenny, lenny (security)2.5.03.2382-3.3+lenny1vulnerable
ggobi (PTS)lenny2.1.7-1vulnerable
squeeze2.1.9~20091212-3fixed
wheezy, sid2.1.10-4fixed
gnash (PTS)lenny0.8.4-3~lenny1vulnerable
squeeze0.8.8-5fixed
wheezy, sid0.8.10~git20111001-1.1fixed
gnu-smalltalk (PTS)lenny3.0.3-2vulnerable
squeeze3.1-6fixed
wheezy, sid3.2.4-2fixed
graphicsmagick (PTS)lenny, lenny (security)1.1.11-3.2+lenny1vulnerable
squeeze1.3.12-1fixed
wheezy, sid1.3.12-1.1fixed
guile-1.6 (PTS)lenny1.6.8-6.3vulnerable
squeeze, wheezy, sid1.6.8-10fixed
hamlib (PTS)lenny1.2.7.1-1+lenny1fixed
squeeze1.2.11-1fixed
wheezy, sid1.2.14-1fixed
heartbeat (PTS)lenny2.1.3-6lenny4vulnerable
squeeze1:3.0.3-2fixed
wheezy, sid1:3.0.5-3fixed
hercules (PTS)lenny3.05-2vulnerable
squeeze3.07-2fixed
wheezy, sid3.07-2.2fixed
hypre (PTS)lenny2.0.0.dfsg-7vulnerable
squeeze, wheezy2.4.0b-7fixed
sid2.8.0b-1fixed
imagemagick (PTS)lenny (security)7:6.3.7.9.dfsg2-1~lenny3fixed
lenny7:6.3.7.9.dfsg2-1~lenny4fixed
squeeze8:6.6.0.4-3fixed
wheezy, sid8:6.6.9.7-5fixed
experimental8:6.7.4.0-1fixed
jags (PTS)squeeze2.0.0-1fixed
wheezy, sid3.2.0-1fixed
kdelibs (PTS)lenny, lenny (security)4:3.5.10.dfsg.1-0lenny4fixed
squeeze4:3.5.10.dfsg.1-5fixed
lam (PTS)lenny7.1.2-1.4vulnerable
squeeze, wheezy, sid7.1.2-2fixed
libannodex (PTS)lenny0.7.3-3.1vulnerable
libextractor (PTS)lenny0.5.20c-1vulnerable
squeeze1:0.5.23+dfsg-7fixed
wheezy, sid1:0.5.23+dfsg-7.1fixed
experimental1:0.6.3-1fixed
libmcrypt (PTS)lenny2.5.7-5fixed
squeeze, wheezy, sid2.5.8-3.1fixed
libprelude (PTS)lenny0.9.18.1-1fixed
squeeze1.0.0-1fixed
wheezy, sid1.0.0-7fixed
libtool (PTS)lenny, lenny (security)1.5.26-4+lenny1fixed
squeeze2.2.6b-2fixed
wheezy, sid2.4.2-1fixed
libtunepimp (PTS)lenny0.5.3-7vulnerable
squeeze0.5.3-7.3fixed
wheezy, sid0.5.3-7.5fixed
mp4h (PTS)lenny1.3.1-4vulnerable
squeeze1.3.1-5fixed
wheezy, sid1.3.1-6fixed
naim (PTS)lenny0.11.8-1vulnerable
openmpi (PTS)lenny1.2.7~rc2-2vulnerable
squeeze1.4.2-4fixed
wheezy, sid1.4.3-2.1fixed
experimental1.5.4-2~exp1fixed
parser (PTS)squeeze3.4.0-2fixed
wheezy, sid3.4.1-3fixed
parser-mysql (PTS)squeeze10.3-2fixed
wheezy, sid10.3-6fixed
pdsh (PTS)lenny2.16-1fixed
squeeze2.18-8fixed
wheezy, sid2.27-1fixed
pinball (PTS)lenny0.3.1-7vulnerable
squeeze0.3.1-13fixed
wheezy, sid0.3.1-13.1fixed
proftpd-dfsg (PTS)lenny1.3.1-17lenny6fixed
lenny (security)1.3.1-17lenny9fixed
squeeze, squeeze (security)1.3.3a-6squeeze4fixed
wheezy, sid1.3.4a-1fixed
redland (PTS)lenny1.0.7-1fixed
squeeze1.0.10-3fixed
wheezy, sid1.0.15-1fixed
sdcc (PTS)lenny2.8.0.dfsg-1vulnerable
sid2.9.0-5fixed
siproxd (PTS)lenny1:0.7.0-2vulnerable
sid1:0.8.1-2fixed
ski (PTS)sid1.3.2-4vulnerable
synfig (PTS)lenny0.61.08-3vulnerable
squeeze0.62.00-2fixed
xmlsec1 (PTS)lenny, lenny (security)1.2.9-5+lenny1vulnerable
squeeze, squeeze (security)1.2.14-1+squeeze1fixed
wheezy, sid1.2.14-1.2fixed

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
artssource(unstable)(not affected)
babelsource(unstable)1.4.0.dfsg-5low559843
bochssource(unstable)(not affected)
camservsource(unstable)(unfixed)low559800
clamavsource(unstable)0.95+dfsg-1low559832
collectdsource(unstable)4.8.2-1low559801
cvsntsource(unstable)2.5.04.3236-1.2low559803
ggobisource(unstable)2.1.9~20091212-1low559806
gnashsource(unstable)0.8.7-2low559808
gnu-smalltalksource(unstable)3.1-2low559809
graphicsmagicksource(unstable)1.3.5-6low559811
guile-1.6source(unstable)1.6.8-7low559813
hamlibsource(unstable)1.2.10-1low559814
hamlibsourcelenny1.2.7.1-1+lenny1medium
heartbeatsource(unstable)2.1.4-7unimportant559845
herculessource(unstable)3.06-1.2low559815
hypresource(unstable)2.4.0b-5low559834
imagemagicksource(unstable)6:6.2.3.1-1low559833
jagssource(unstable)1.0.4-1low559816
kdelibssource(unstable)(not affected)
lamsource(unstable)7.1.2-1.6low559835
libannodexsource(unstable)(unfixed)low559818
libextractorsource(unstable)0.5.23+dfsg-4low559819
libmcryptsource(unstable)(not affected)
libpreludesource(unstable)0.9.14-2low559844
libtoolsource(unstable)2.2.6b-1low559797
libtoolsourceetch1.5.22-4+etch1mediumDSA-1958-1
libtoolsourcelenny1.5.26-4+lenny1mediumDSA-1958-1
libtunepimpsource(unstable)0.5.3-7.3low559821
mp4hsource(unstable)1.3.1-4.1low559822
naimsource(unstable)(unfixed)low559823
openmpisource(unstable)1.3.3-4low559836
parsersource(unstable)3.4.0-2unimportant559837
parser-mysqlsource(unstable)10.3-2unimportant559824
pdshsource(unstable)(not affected)
pinballsource(unstable)0.3.1-11low559825
proftpd-dfsgsource(unstable)(not affected)
redlandsource(unstable)1.0.10-1low559826
redlandsourceetch(not affected)
redlandsourcelenny(not affected)
sdccsource(unstable)2.9.0-5low559840
siproxdsource(unstable)1:0.8.1-1low559827
skisource(unstable)(unfixed)low559828
synfigsource(unstable)0.62.00-1low559829
xmlsec1source(unstable)1.2.14-1unimportant559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier
Search for package or bug name: Reporting problems

Home - Testing Security Team - Debian Security - Imprint