CVE-2009-3736

Name	CVE-2009-3736
Source	CVE (at NVD; RH)
Description	ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
References	DSA-1958-1
NVD severity	medium (attack range: local, user-initiated)
Debian Bugs	559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845
Debian/oldstable	packages camserv, clamav, collectd, cvsnt, ggobi, gnu-smalltalk, graphicsmagick, guile-1.6, hamlib, hercules, hypre, lam, libannodex, libextractor, libprelude, libtunepimp, mp4h, naim, openmpi, pinball, sdcc, siproxd are vulnerable.
Debian/stable	packages babel, camserv, clamav, collectd, cvsnt, ggobi, gnash, gnu-smalltalk, graphicsmagick, guile-1.6, hamlib, hercules, hypre, lam, libannodex, libextractor, libtunepimp, mp4h, naim, openmpi, pinball, sdcc, siproxd, synfig are vulnerable.
Debian/testing	not vulnerable.
Debian/unstable	packages siproxd, ski are vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
arts (PTS)	etch	1.5.5-1	fixed
	lenny	1.5.9-2	fixed
	squeeze, sid	1.5.9-3	fixed
babel (PTS)	lenny	1.2.0.dfsg-6	vulnerable
	squeeze	1.4.0.dfsg-7	fixed
	sid	1.4.0.dfsg-8	fixed
bochs (PTS)	etch, etch (security)	2.3-2etch1	fixed
	etch-backports	2.3.6-4~bpo40+1	fixed
	lenny	2.3.7-1	fixed
	squeeze, sid	2.4.5-1	fixed
camserv (PTS)	etch	1:0.5.1-5	vulnerable
	lenny	1:0.5.1-7	vulnerable
clamav (PTS)	etch, etch (security)	0.90.1dfsg-4etch19	vulnerable
	lenny, lenny (security)	0.94.dfsg.2-1lenny2	vulnerable
	etch-backports	0.95.2+dfsg-2~bpo40+1	fixed
	squeeze	0.96.1+dfsg-1	fixed
	sid	0.96.1+dfsg-3	fixed
collectd (PTS)	etch	3.10.4-1	vulnerable
	lenny	4.4.2-3	vulnerable
	etch-backports	4.6.3-1~bpo40+1	vulnerable
	lenny-backports	4.9.1-2~bpo50+2	fixed
	squeeze, sid	4.10.1-1	fixed
cvsnt (PTS)	etch	2.5.03.2382-3	vulnerable
	lenny	2.5.03.2382-3.3	vulnerable
	squeeze, sid	2.5.04.3236-1.2	fixed
ggobi (PTS)	etch	2.1.4-1	vulnerable
	lenny	2.1.7-1	vulnerable
	squeeze, sid	2.1.9~20091212-3	fixed
gnash (PTS)	etch-backports	0.8.2-2~bpo40+1	vulnerable
	lenny	0.8.4-3~lenny1	vulnerable
	squeeze	0.8.7-3	fixed
	sid	0.8.8-2	fixed
gnu-smalltalk (PTS)	etch	2.1.8-2.1	vulnerable
	lenny	3.0.3-2	vulnerable
	squeeze	3.1-6	fixed
	sid	3.2-1	fixed
graphicsmagick (PTS)	etch, etch (security)	1.1.7-13+etch1	vulnerable
	lenny, lenny (security)	1.1.11-3.2+lenny1	vulnerable
	squeeze, sid	1.3.12-1	fixed
guile-1.6 (PTS)	etch	1.6.8-6	vulnerable
	lenny	1.6.8-6.3	vulnerable
	squeeze, sid	1.6.8-10	fixed
hamlib (PTS)	etch	1.2.5-8	vulnerable
	lenny	1.2.7.1-1	vulnerable
	squeeze	1.2.11-1	fixed
	sid	1.2.12-1	fixed
heartbeat (PTS)	etch	1.2.5-3	vulnerable
	etch-backports	2.1.3-6~bpo40+2	vulnerable
	lenny	2.1.3-6lenny4	vulnerable
	squeeze, sid	1:3.0.3-2	fixed
	lenny-backports	1:3.0.3-2~bpo50+1	fixed
hercules (PTS)	etch	3.03.1-1	vulnerable
	lenny	3.05-2	vulnerable
	squeeze, sid	3.07-2	fixed
hypre (PTS)	etch/non-free	1.6.0-4	vulnerable
	lenny	2.0.0.dfsg-7	vulnerable
	squeeze, sid	2.4.0b-7	fixed
imagemagick (PTS)	etch, etch (security)	7:6.2.4.5.dfsg1-0.15+etch1	fixed
	etch-backports	7:6.3.7.9.dfsg1-3~lenny1~bpo40+1	fixed
	lenny, lenny (security)	7:6.3.7.9.dfsg2-1~lenny3	fixed
	squeeze, sid	8:6.6.0.4-2.2	fixed
jags (PTS)	squeeze	2.0.0-1	fixed
	sid	2.1.0-2	fixed
kdelibs (PTS)	etch, etch (security)	4:3.5.5a.dfsg.1-8etch3	fixed
	etch-backports	4:3.5.7.dfsg.1-7~bpo40+1	fixed
	lenny, lenny (security)	4:3.5.10.dfsg.1-0lenny4	fixed
	squeeze, sid	4:3.5.10.dfsg.1-5	fixed
lam (PTS)	etch	7.1.2-1	vulnerable
	lenny	7.1.2-1.4	vulnerable
	squeeze, sid	7.1.2-1.6	fixed
libannodex (PTS)	etch, lenny	0.7.3-3.1	vulnerable
libextractor (PTS)	etch	0.5.16-2	vulnerable
	lenny	0.5.20c-1	vulnerable
	squeeze, sid	1:0.5.23+dfsg-7	fixed
	experimental	1:0.6.2-1	fixed
libmcrypt (PTS)	etch, lenny	2.5.7-5	fixed
	squeeze, sid	2.5.8-3.1	fixed
libprelude (PTS)	etch	0.9.7.2-1	vulnerable
	lenny	0.9.18.1-1	fixed
	squeeze, sid	1.0.0-1	fixed
libtool (PTS)	etch, etch (security)	1.5.22-4+etch1	fixed
	etch-backports	1.5.24-2~bpo40+1	vulnerable
	lenny, lenny (security)	1.5.26-4+lenny1	fixed
	squeeze, sid	2.2.6b-2	fixed
	lenny-backports	2.2.6b-2~bpo50+1	fixed
	experimental	2.2.10-1	fixed
libtunepimp (PTS)	etch	0.4.2-4.1	vulnerable
	lenny	0.5.3-7	vulnerable
	squeeze, sid	0.5.3-7.3	fixed
mp4h (PTS)	etch	1.3.1-3	vulnerable
	lenny	1.3.1-4	vulnerable
	squeeze, sid	1.3.1-5	fixed
naim (PTS)	etch, lenny	0.11.8-1	vulnerable
openmpi (PTS)	etch	1.1-2.3	vulnerable
	lenny	1.2.7~rc2-2	vulnerable
	squeeze	1.4.2-3	fixed
	sid	1.4.2-4	fixed
parser (PTS)	squeeze, sid	3.4.0-2	fixed
parser-mysql (PTS)	squeeze, sid	10.3-2	fixed
pdsh (PTS)	etch	2.10-3	fixed
	lenny	2.16-1	fixed
	squeeze, sid	2.18-6	fixed
pinball (PTS)	etch, lenny	0.3.1-7	vulnerable
	squeeze, sid	0.3.1-13	fixed
proftpd-dfsg (PTS)	etch, etch (security)	1.3.0-19etch3	fixed
	lenny, lenny (security)	1.3.1-17lenny4	fixed
	etch-backports	1.3.1-17lenny4~bpo40+1	fixed
	squeeze, sid	1.3.3a-1	fixed
redland (PTS)	etch	1.0.4-1	fixed
	lenny	1.0.7-1	fixed
	squeeze, sid	1.0.10-3	fixed
sdcc (PTS)	etch	2.6.0-5	vulnerable
	lenny	2.8.0.dfsg-1	vulnerable
	squeeze, sid	2.9.0-5	fixed
siproxd (PTS)	etch	1:0.5.13-1	vulnerable
	lenny	1:0.7.0-2	vulnerable
	sid	1:0.7.2-1	vulnerable
ski (PTS)	sid	1.3.2-4	vulnerable
synfig (PTS)	lenny	0.61.08-3	vulnerable
	squeeze, sid	0.62.00-2	fixed
xmlsec1 (PTS)	etch, lenny	1.2.9-5	vulnerable
	squeeze, sid	1.2.14-1	fixed

The information above is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
arts	source	(unstable)	(not affected)
babel	source	(unstable)	1.4.0.dfsg-5	low		559843
bochs	source	(unstable)	(not affected)
camserv	source	(unstable)	(unfixed)	low		559800
clamav	source	(unstable)	0.95+dfsg-1	low		559832
collectd	source	(unstable)	4.8.2-1	low		559801
cvsnt	source	(unstable)	2.5.04.3236-1.2	low		559803
ggobi	source	(unstable)	2.1.9~20091212-1	low		559806
gnash	source	(unstable)	0.8.7-2	low		559808
gnu-smalltalk	source	(unstable)	3.1-2	low		559809
graphicsmagick	source	(unstable)	1.3.5-6	low		559811
guile-1.6	source	(unstable)	1.6.8-7	low		559813
hamlib	source	(unstable)	1.2.10-1	low		559814
heartbeat	source	(unstable)	2.1.4-7	unimportant		559845
hercules	source	(unstable)	3.06-1.2	low		559815
hypre	source	(unstable)	2.4.0b-5	low		559834
imagemagick	source	(unstable)	6:6.2.3.1-1	low		559833
jags	source	(unstable)	1.0.4-1	low		559816
kdelibs	source	(unstable)	(not affected)
lam	source	(unstable)	7.1.2-1.6	low		559835
libannodex	source	(unstable)	(unfixed)	low		559818
libextractor	source	(unstable)	0.5.23+dfsg-4	low		559819
libmcrypt	source	(unstable)	(not affected)
libprelude	source	(unstable)	0.9.14-2	low		559844
libtool	source	(unstable)	2.2.6b-1	low		559797
libtool	source	etch	1.5.22-4+etch1	medium	DSA-1958-1
libtool	source	lenny	1.5.26-4+lenny1	medium	DSA-1958-1
libtunepimp	source	(unstable)	0.5.3-7.3	low		559821
mp4h	source	(unstable)	1.3.1-4.1	low		559822
naim	source	(unstable)	(unfixed)	low		559823
openmpi	source	(unstable)	1.3.3-4	low		559836
parser	source	(unstable)	3.4.0-2	unimportant		559837
parser-mysql	source	(unstable)	10.3-2	unimportant		559824
pdsh	source	(unstable)	(not affected)
pinball	source	(unstable)	0.3.1-11	low		559825
proftpd-dfsg	source	(unstable)	(not affected)
redland	source	(unstable)	1.0.10-1	low		559826
redland	source	etch	(not affected)
redland	source	lenny	(not affected)
sdcc	source	(unstable)	2.9.0-5	low		559840
siproxd	source	(unstable)	(unfixed)	low		559827
ski	source	(unstable)	(unfixed)	low		559828
synfig	source	(unstable)	0.62.00-1	low		559829
xmlsec1	source	(unstable)	1.2.14-1	unimportant		559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - hamlib <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier

Home - Testing Security Team - Debian Security - Imprint