CVE-2009-3736

Name: CVE-2009-3736
Description: ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as ...
Source: CVE (at NVD; oss-sec, OSVDB, EDB, Red Hat, Ubuntu, Gentoo, SuSE, more)
References: DSA-1958-1
Debian Bugs: 559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845, 702436
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release                      | Version                         | Status
arts (PTS)          | squeeze                      | 1.5.9-3                         | fixed
babel (PTS)         | squeeze                      | 1.4.0.dfsg-8                    | fixed
                    | wheezy                       | 1.4.0.dfsg-8.1                  | fixed
                    | sid                          | 1.4.0.dfsg-8.2                  | fixed
bochs (PTS)         | squeeze                      | 2.4.5-1                         | fixed
                    | wheezy                       | 2.4.6-5                         | fixed
                    | jessie, sid                  | 2.4.6-6                         | fixed
clamav (PTS)        | squeeze                      | 0.97.8+dfsg-1~squeeze1          | fixed
                    | wheezy                       | 0.97.8+dfsg-1                   | fixed
                    | jessie, sid                  | 0.98.1+dfsg-4                   | fixed
collectd (PTS)      | squeeze                      | 4.10.1-1+squeeze2               | fixed
                    | wheezy                       | 5.1.0-3                         | fixed
                    | jessie, sid                  | 5.4.1-1                         | fixed
ggobi (PTS)         | squeeze                      | 2.1.9~20091212-3                | fixed
                    | jessie, wheezy               | 2.1.10-4                        | fixed
                    | sid                          | 2.1.10-5                        | fixed
gnash (PTS)         | squeeze, squeeze (security)  | 0.8.8-5+squeeze1                | fixed
                    | wheezy                       | 0.8.11~git20120629-1+deb7u1     | fixed
                    | jessie                       | 0.8.11~git20140319+dfsg-1       | fixed
                    | sid                          | 0.8.11~git20140419-1            | fixed
gnu-smalltalk (PTS) | squeeze                      | 3.1-6                           | fixed
                    | jessie, wheezy, sid          | 3.2.4-2                         | fixed
graphicsmagick (PTS)| squeeze                      | 1.3.12-1                        | fixed
                    | wheezy                       | 1.3.16-1.1                      | fixed
                    | jessie, sid                  | 1.3.18-1                        | fixed
graphviz (PTS)      | squeeze, squeeze (security)  | 2.26.3-5+squeeze2               | fixed
                    | wheezy, wheezy (security)    | 2.26.3-14+deb7u1                | fixed
                    | jessie, sid                  | 2.26.3-16.2                     | fixed
guile-1.6 (PTS)     | squeeze                      | 1.6.8-10                        | fixed
                    | wheezy, sid                  | 1.6.8-10.3                      | fixed
hamlib (PTS)        | squeeze                      | 1.2.11-1                        | fixed
                    | wheezy                       | 1.2.15.1-1                      | fixed
                    | jessie, sid                  | 1.2.15.3-1                      | fixed
heartbeat (PTS)     | squeeze                      | 1:3.0.3-2                       | fixed
                    | wheezy                       | 1:3.0.5-3                       | fixed
                    | jessie, sid                  | 1:3.0.5+hg12629-1               | fixed
hercules (PTS)      | squeeze                      | 3.07-2                          | fixed
                    | wheezy                       | 3.07-2.2                        | fixed
                    | jessie, sid                  | 3.07-2.3                        | fixed
hypre (PTS)         | squeeze                      | 2.4.0b-7                        | fixed
                    | jessie, wheezy               | 2.8.0b-1                        | fixed
                    | sid                          | 2.8.0b-2                        | fixed
imagemagick (PTS)   | squeeze                      | 8:6.6.0.4-3+squeeze3            | fixed
                    | squeeze (security)           | 8:6.6.0.4-3+squeeze4            | fixed
                    | wheezy                       | 8:6.7.7.10-5+deb7u2             | fixed
                    | wheezy (security)            | 8:6.7.7.10-5+deb7u3             | fixed
                    | jessie, sid                  | 8:6.7.7.10+dfsg-1               | fixed
jags (PTS)          | squeeze                      | 2.0.0-1                         | fixed
                    | wheezy                       | 3.2.0-1                         | fixed
                    | jessie, sid                  | 3.4.0-1                         | fixed
kdelibs (PTS)       | squeeze                      | 4:3.5.10.dfsg.1-5               | fixed
lam (PTS)           | squeeze                      | 7.1.2-2                         | fixed
                    | wheezy                       | 7.1.4-3                         | fixed
                    | jessie, sid                  | 7.1.4-3.1                       | fixed
libextractor (PTS)  | squeeze                      | 1:0.5.23+dfsg-7                 | fixed
                    | wheezy                       | 1:0.6.3-5                       | fixed
                    | jessie, sid                  | 1:1.3-1                         | fixed
libmcrypt (PTS)     | jessie, squeeze, wheezy, sid | 2.5.8-3.1                       | fixed
libprelude (PTS)    | squeeze                      | 1.0.0-1                         | fixed
                    | wheezy                       | 1.0.0-9                         | fixed
                    | jessie, sid                  | 1.0.0-11                        | fixed
libtool (PTS)       | squeeze                      | 2.2.6b-2                        | fixed
                    | wheezy                       | 2.4.2-1.1                       | fixed
                    | jessie, sid                  | 2.4.2-1.7                       | fixed
libtunepimp (PTS)   | squeeze                      | 0.5.3-7.3                       | fixed
mp4h (PTS)          | squeeze                      | 1.3.1-5                         | fixed
                    | wheezy                       | 1.3.1-6                         | fixed
                    | jessie, sid                  | 1.3.1-9                         | fixed
openmpi (PTS)       | squeeze                      | 1.4.2-4                         | fixed
                    | wheezy                       | 1.4.5-1                         | fixed
                    | jessie, sid                  | 1.6.5-8                         | fixed
parser (PTS)        | squeeze                      | 3.4.0-2                         | fixed
                    | wheezy                       | 3.4.2-2                         | fixed
                    | jessie, sid                  | 3.4.3-2                         | fixed
parser-mysql (PTS)  | squeeze                      | 10.3-2                          | fixed
                    | wheezy                       | 10.4-1                          | fixed
                    | jessie, sid                  | 10.6-2                          | fixed
pdsh (PTS)          | squeeze                      | 2.18-8                          | fixed
                    | wheezy                       | 2.27-2                          | fixed
                    | jessie, sid                  | 2.29-1                          | fixed
pinball (PTS)       | squeeze                      | 0.3.1-13                        | fixed
                    | jessie, wheezy, sid          | 0.3.1-13.1                      | fixed
proftpd-dfsg (PTS)  | squeeze, squeeze (security)  | 1.3.3a-6squeeze7                | fixed
                    | wheezy, wheezy (security)    | 1.3.4a-5+deb7u1                 | fixed
                    | jessie, sid                  | 1.3.5~rc4-1                     | fixed
redland (PTS)       | squeeze                      | 1.0.10-3                        | fixed
                    | wheezy                       | 1.0.15-1                        | fixed
                    | jessie, sid                  | 1.0.17-1                        | fixed
sdcc (PTS)          | wheezy                       | 3.1.0+dfsg-1                    | fixed
                    | jessie, sid                  | 3.3.0+dfsg-1                    | fixed
siproxd (PTS)       | wheezy                       | 1:0.8.1-3                       | fixed
                    | jessie, sid                  | 1:0.8.1-4                       | fixed
synfig (PTS)        | squeeze                      | 0.62.00-2                       | fixed
                    | wheezy                       | 0.63.05-1                       | fixed
                    | jessie, sid                  | 0.64.1-2                        | fixed
xmlsec1 (PTS)       | squeeze, squeeze (security)  | 1.2.14-1+squeeze1               | fixed
                    | jessie, wheezy, sid          | 1.2.18-2                        | fixed

The information above is based on the following data on fixed versions.

Package        | Type    | Release    | Fixed Version     | Urgency     | Origin     | Debian Bugs
arts           | source  | (unstable) | (not affected)    |             |            |
babel          | source  | (unstable) | 1.4.0.dfsg-5      | low         |            | 559843
bochs          | source  | (unstable) | (not affected)    |             |            |
camserv        | source  | (unstable) | (unfixed)         | low         |            | 559800
clamav         | source  | (unstable) | 0.95+dfsg-1       | low         |            | 559832
collectd       | source  | (unstable) | 4.8.2-1           | low         |            | 559801
cvsnt          | unknown | (unstable) | 2.5.04.3236-1.2   | low         |            | 559803
ggobi          | source  | (unstable) | 2.1.9~20091212-1  | low         |            | 559806
gnash          | source  | (unstable) | 0.8.7-2           | low         |            | 559808
gnu-smalltalk  | source  | (unstable) | 3.1-2             | low         |            | 559809
graphicsmagick | source  | (unstable) | 1.3.5-6           | low         |            | 559811
graphviz       | source  | (unstable) | 2.26.3-14         | low         |            | 702436
graphviz       | source  | squeeze    | 2.26.3-5+squeeze1 |             |            |
guile-1.6      | source  | (unstable) | 1.6.8-7           | low         |            | 559813
hamlib         | source  | (unstable) | 1.2.10-1          | low         |            | 559814
hamlib         | source  | lenny      | 1.2.7.1-1+lenny1  |             |            |
heartbeat      | source  | (unstable) | 2.1.4-7           | unimportant |            | 559845
hercules       | source  | (unstable) | 3.06-1.2          | low         |            | 559815
hypre          | source  | (unstable) | 2.4.0b-5          | low         |            | 559834
imagemagick    | source  | (unstable) | 6:6.2.3.1-1       | low         |            | 559833
jags           | source  | (unstable) | 1.0.4-1           | low         |            | 559816
kdelibs        | source  | (unstable) | (not affected)    |             |            |
lam            | source  | (unstable) | 7.1.2-1.6         | low         |            | 559835
libannodex     | source  | (unstable) | (unfixed)         | low         |            | 559818
libextractor   | source  | (unstable) | 0.5.23+dfsg-4     | low         |            | 559819
libmcrypt      | source  | (unstable) | (not affected)    |             |            |
libprelude     | source  | (unstable) | 0.9.14-2          | low         |            | 559844
libtool        | source  | (unstable) | 2.2.6b-1          | low         |            | 559797
libtool        | source  | etch       | 1.5.22-4+etch1    |             | DSA-1958-1 |
libtool        | source  | lenny      | 1.5.26-4+lenny1   |             | DSA-1958-1 |
libtunepimp    | source  | (unstable) | 0.5.3-7.3         | low         |            | 559821
mp4h           | source  | (unstable) | 1.3.1-4.1         | low         |            | 559822
naim           | source  | (unstable) | (unfixed)         | low         |            | 559823
openmpi        | source  | (unstable) | 1.3.3-4           | low         |            | 559836
parser         | source  | (unstable) | 3.4.0-2           | unimportant |            | 559837
parser-mysql   | source  | (unstable) | 10.3-2            | unimportant |            | 559824
pdsh           | source  | (unstable) | (not affected)    |             |            |
pinball        | source  | (unstable) | 0.3.1-11          | low         |            | 559825
proftpd-dfsg   | source  | (unstable) | (not affected)    |             |            |
redland        | source  | (unstable) | 1.0.10-1          | low         |            | 559826
redland        | source  | etch       | (not affected)    |             |            |
redland        | source  | lenny      | (not affected)    |             |            |
sdcc           | source  | (unstable) | 2.9.0-5           | low         |            | 559840
siproxd        | source  | (unstable) | 1:0.8.1-1         | low         |            | 559827
ski            | source  | (unstable) | (unfixed)         | low         |            | 559828
synfig         | source  | (unstable) | 0.62.00-1         | low         |            | 559829
xmlsec1        | source  | (unstable) | 1.2.14-1          | unimportant |            | 559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier