CVE-2009-3736

Name	CVE-2009-3736
Description	ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1958-1
Debian Bugs	559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845, 702436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bochs (PTS)	bullseye	2.6.11+dfsg-4	fixed
	bookworm	2.7+dfsg-4	fixed
	sid, trixie	2.8+dfsg-1	fixed
clamav (PTS)	bullseye	0.103.10+dfsg-0+deb11u1	fixed
	bookworm	1.0.5+dfsg-1~deb12u1	fixed
	sid, trixie	1.3.1+dfsg-4	fixed
collectd (PTS)	bullseye	5.12.0-7	fixed
	bookworm	5.12.0-14	fixed
	sid	5.12.0-18.1	fixed
ggobi (PTS)	sid, trixie, bookworm, bullseye	2.1.11-2	fixed
gnu-smalltalk (PTS)	bullseye	3.2.5-1.3	fixed
graphicsmagick (PTS)	bullseye (security), bullseye	1.4+really1.3.36+hg16481-2+deb11u1	fixed
	bookworm	1.4+really1.3.40-4	fixed
	sid, trixie	1.4+really1.3.43-1	fixed
graphviz (PTS)	bullseye	2.42.2-5	fixed
	bookworm	2.42.2-7	fixed
	sid, trixie	2.42.4-1	fixed
hamlib (PTS)	bullseye	4.0-7	fixed
	bookworm	4.5.4-1	fixed
	sid, trixie	4.5.5-4	fixed
heartbeat (PTS)	bullseye	1:3.0.6-11+deb11u1	fixed
	bookworm	1:3.0.6-13	fixed
	sid, trixie	1:3.0.6-14.2	fixed
hercules (PTS)	bookworm, bullseye	3.13-7	fixed
	sid, trixie	3.13-8	fixed
hypre (PTS)	bullseye	2.18.2-1	fixed
	bookworm	2.26.0-3	fixed
	sid, trixie	2.29.0-2	fixed
imagemagick (PTS)	bullseye (security), bullseye	8:6.9.11.60+dfsg-1.3+deb11u3	fixed
	bookworm, bookworm (security)	8:6.9.11.60+dfsg-1.6+deb12u1	fixed
	sid, trixie	8:6.9.13.12+dfsg1-1	fixed
jags (PTS)	bullseye	4.3.0-3	fixed
	bookworm	4.3.1-1	fixed
	sid, trixie	4.3.2-1	fixed
lam (PTS)	bullseye	7.1.4-6.1	fixed
	bookworm	7.1.4-7	fixed
	sid, trixie	7.1.4-7.2	fixed
libextractor (PTS)	bullseye	1:1.11-2	fixed
	bookworm	1:1.11-7	fixed
	sid, trixie	1:1.13-4	fixed
libmcrypt (PTS)	bullseye	2.5.8-3.4	fixed
	sid, trixie, bookworm	2.5.8-7	fixed
libprelude (PTS)	bullseye	5.2.0-3+deb11u1	fixed
	bookworm	5.2.0-5	fixed
	sid, trixie	5.2.0-5.5	fixed
libtool (PTS)	bullseye	2.4.6-15	fixed
	bookworm	2.4.7-7~deb12u1	fixed
	sid, trixie	2.4.7-7	fixed
mp4h (PTS)	bookworm, bullseye	1.3.1-17	fixed
	sid, trixie	1.3.1-17.1	fixed
openmpi (PTS)	bullseye	4.1.0-10	fixed
	bookworm	4.1.4-3	fixed
	sid, trixie	4.1.6-13.3	fixed
parser (PTS)	bullseye	3.4.6-2	fixed
	bookworm	3.4.6-3	fixed
	sid, trixie	3.4.6-5	fixed
parser-mysql (PTS)	sid, trixie, bookworm, bullseye	10.8-3	fixed
pdsh (PTS)	bullseye	2.31-3	fixed
	bookworm	2.34-0.2	fixed
	sid, trixie	2.34-3	fixed
pinball (PTS)	bookworm, bullseye	0.3.20201218-4	fixed
	sid, trixie	0.3.20230219-1	fixed
proftpd-dfsg (PTS)	bullseye	1.3.7a+dfsg-12+deb11u2	fixed
	bookworm	1.3.8+dfsg-4+deb12u3	fixed
	sid, trixie	1.3.8.b+dfsg-2	fixed
redland (PTS)	bullseye	1.0.17-1.1	fixed
	bookworm	1.0.17-3	fixed
	sid, trixie	1.0.17-4	fixed
sdcc (PTS)	bullseye	4.0.0+dfsg-2	fixed
	bookworm	4.2.0+dfsg-1	fixed
	sid, trixie	4.4.0+dfsg-2	fixed
synfig (PTS)	bullseye	1.4.0+dfsg-2	fixed
	bookworm	1.5.1+dfsg-3	fixed
	sid	1.5.1+dfsg-4	fixed
xmlsec1 (PTS)	bullseye	1.2.31-1	fixed
	bookworm	1.2.37-2	fixed
	sid, trixie	1.2.41-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
arts	source	(unstable)	(not affected)
babel	source	(unstable)	1.4.0.dfsg-5	low		559843
bochs	source	(unstable)	(not affected)
camserv	source	(unstable)	(unfixed)	low		559800
clamav	source	(unstable)	0.95+dfsg-1	low		559832
collectd	source	(unstable)	4.8.2-1	low		559801
cvsnt	source	(unstable)	2.5.04.3236-1.2	low		559803
ggobi	source	(unstable)	2.1.9~20091212-1	low		559806
gnash	source	(unstable)	0.8.7-2	low		559808
gnu-smalltalk	source	(unstable)	3.1-2	low		559809
graphicsmagick	source	(unstable)	1.3.5-6	low		559811
graphviz	source	squeeze	2.26.3-5+squeeze1
graphviz	source	(unstable)	2.26.3-14	low		702436
guile-1.6	source	(unstable)	1.6.8-7	low		559813
hamlib	source	lenny	1.2.7.1-1+lenny1
hamlib	source	(unstable)	1.2.10-1	low		559814
heartbeat	source	(unstable)	2.1.4-7	unimportant		559845
hercules	source	(unstable)	3.06-1.2	low		559815
hypre	source	(unstable)	2.4.0b-5	low		559834
imagemagick	source	(unstable)	6:6.2.3.1-1	low		559833
jags	source	(unstable)	1.0.4-1	low		559816
kdelibs	source	(unstable)	(not affected)
lam	source	(unstable)	7.1.2-1.6	low		559835
libannodex	source	(unstable)	(unfixed)	low		559818
libextractor	source	(unstable)	0.5.23+dfsg-4	low		559819
libmcrypt	source	(unstable)	(not affected)
libprelude	source	(unstable)	0.9.14-2	low		559844
libtool	source	etch	1.5.22-4+etch1		DSA-1958-1
libtool	source	lenny	1.5.26-4+lenny1		DSA-1958-1
libtool	source	(unstable)	2.2.6b-1	low		559797
libtunepimp	source	(unstable)	0.5.3-7.3	low		559821
mp4h	source	(unstable)	1.3.1-4.1	low		559822
naim	source	(unstable)	(unfixed)	low		559823
openmpi	source	(unstable)	1.3.3-4	low		559836
parser	source	(unstable)	3.4.0-2	unimportant		559837
parser-mysql	source	(unstable)	10.3-2	unimportant		559824
pdsh	source	(unstable)	(not affected)
pinball	source	(unstable)	0.3.1-11	low		559825
proftpd-dfsg	source	(unstable)	(not affected)
redland	source	etch	(not affected)
redland	source	lenny	(not affected)
redland	source	(unstable)	1.0.10-1	low		559826
sdcc	source	(unstable)	2.9.0-5	low		559840
siproxd	source	(unstable)	1:0.8.1-1	low		559827
ski	source	(unstable)	(unfixed)	low		559828
synfig	source	(unstable)	0.62.00-1	low		559829
xmlsec1	source	(unstable)	1.2.14-1	unimportant		559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier