[Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

Manuel Prinz manuel at debian.org
Mon Dec 7 23:50:50 UTC 2009


Hi Michael!

On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the binary packages are not affected, please feel free to close
> the bug with a message containing the details of what you did to check.

AIUI, only the versions in squeeze and sid (identical) are affected. We
did not have static library support in the versions in etch and lenny,
so there are no .la files contained in the packages and they therefore
should not be vulnerable.

I'm preparing a fix at the moment, which I can upload soon. I'd like to
know with which priority to upload, and where. The ST suggests urgency
of "medium", but I'm unsure which queue to use. As I understand dev-ref,
an upload to ftp-master should suffice since {old,}stable is not
affected. (Sorry, first CVE…)

I'll send the debdiff for review as soon as the build finishes.

Best regards
Manuel
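The check discussed above, whether a binary package ships libtool `.la` files or carries objects built from an embedded libltdl, can be scripted against an unpacked package tree. This is an added example, not code from the thread or from the openmpi packaging; the libltdl symbol names used as markers and the sample file names are assumptions, and the sample tree is constructed inline.

```python
"""Scan an unpacked package tree (e.g. the output of dpkg-deb -x) for
libtool .la files and for ELF objects that reference libltdl."""
import os
import tempfile

# Assumption: a binary that links an embedded libltdl normally carries one
# of these symbol names. A heuristic for triage, not proof of exposure.
LTDL_MARKERS = (b"lt_dlopen", b"lt_dladvise_init", b"lt_dlinit")
ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_tree(root):
    """Return the .la files and the ELF objects mentioning libltdl under root,
    as paths relative to root, so the result can be quoted in a bug report."""
    la_files, ltdl_objects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".la"):
                la_files.append(os.path.relpath(path, root))
            elif is_elf(path):
                with open(path, "rb") as fh:
                    data = fh.read()
                if any(marker in data for marker in LTDL_MARKERS):
                    ltdl_objects.append(os.path.relpath(path, root))
    return {"la_files": sorted(la_files), "ltdl_objects": sorted(ltdl_objects)}


def needs_review(report):
    """True when either finding is present: the package then cannot simply be
    declared unaffected and the bug closed."""
    return bool(report["la_files"] or report["ltdl_objects"])


def build_sample_tree():
    """Constructed sample tree: one .la file, one fake ELF object with a
    libltdl symbol name, one unrelated ELF object, one plain text file."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    os.makedirs(os.path.join(root, "usr", "lib", "example"))
    files = {
        ("usr", "lib", "libexample.la"): b"# libexample.la - a libtool library file\n",
        ("usr", "lib", "example", "mod_plugin.so"): ELF_MAGIC + b"\0" * 16 + b"lt_dlopenext\0",
        ("usr", "lib", "example", "libclean.so"): ELF_MAGIC + b"\0" * 16 + b"dlopen\0",
        ("usr", "share", "README"): b"lt_dlopen mentioned in docs only\n",
    }
    for parts, payload in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(payload)
    return root
```

Run it on the tree produced by `dpkg-deb -x package.deb dir`; an empty report on every binary package is what justifies closing the bug with the details of the check.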
