[Pkg-openmpi-maintainers] Bug#559836: Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

Manuel Prinz manuel at debian.org
Tue Dec 8 20:46:45 UTC 2009


Hi Moritz!

On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
> You should rather use the copy of libltdl currently in the
> archive or is there a technical reason, which prevents this?

I'm aware of that and discussed it with upstream. They said it would
require quite some changes to the build system, since they decided to
use a copy of libtool for technical and practical reasons and only
support that. I of course might be able to hack support for using the
system libtool into it, but I thought fixing security issues in a timely
manner is generally preferred, especially if the issue is that simple to
fix.

Also, I do not quite understand how using Debian's libtool would help,
as it seems vulnerable as well and is not fixed yet. If I misunderstood
the situation, please correct me.

Don't get me wrong: I really appreciate the work the security team does
and I wanted to help you by fixing the issue ASAP. If this was wrong, I
apologize! The solution as is should be seen as an interim solution. I
will try to make Open MPI use libtool, though this is something I can't
see happening in a reasonable time frame at the moment. Leaving RC bugs
open for weeks does not help anyone, so I fixed the issue the way I did,
by patching the local copy. If this is not an acceptable solution,
please reopen. I just had good intentions, and am open to criticism and
discussion, and willing to learn.

Also, please clarify the state in etch and lenny. We did not build
static libs, so no .la files there. This version of libtool is not used
outside of MPI. Am I supposed to fix those packages as well as users
might modify debian/rules and build static binaries? I did assume this
not to be the case, but I'm irritated now.

Best regards
Manuel
