[Pkg-openmpi-maintainers] Bug#559836: Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

Moritz Muehlenhoff jmm at inutil.org
Tue Dec 8 21:28:22 UTC 2009


On Tue, Dec 08, 2009 at 09:46:45PM +0100, Manuel Prinz wrote:
> Hi Moritz!
> 
> On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
> > You should rather use the copy of libltdl currently in the
> > archive or is there a technical reason, which prevents this?
> 
> I'm aware of that and discussed it with upstream. They said it would
> require quite some changes to the build system, since they decided to
> use a copy of libtool for technical and practical reasons and only
> support that. I of course might be able to hack support for using the
> system libtool into it but I thought fixing security issues in a timely
> manner is generally preferred, especially if the issue is that simple to
> fix.
> 
> Also, I do not quite understand how using Debian's libtool would help,
> as it seems vulnerable as well and is not fixed yet. If I misunderstood
> the situation, please correct me.
> 
> Don't get me wrong: I really appreciate the work the security team does
> and I wanted to help you by fixing the issue ASAP. If this was wrong, I
> apologize! The solution as is should be seen as an interim solution. I
> will try to make Open MPI use libtool, though this is something I can't
> see to happen in a reasonable time frame at the moment. Leaving RC bugs
> open for weeks does not help anyone, so I fixed the issue the way I did,
> by patching the local copy. If this is not an acceptable solution,
> please reopen. I just had good intentions, and am open to criticism and
> discussion, and willing to learn.

No problem, fixing the issue ad hoc is of course preferred and using the
system copy the long term goal (if there're technical issues (that's why
I asked) you can also leave it as-is). Embedding a copy of libtool is
rather harmless compared to, e.g., an embedded copy of libavcodec.
 
> Also, please clarify on the state in etch and lenny. We did not build
> static libs, so no .la files there. This version of libtool is not used
> outside of MPI. Am I supposed to fix those packages as well as users
> might modify debian/rules and build static binaries? I did assume this
> not to be the case, but I'm irritated now.

You can leave etch and lenny untouched, the impact doesn't warrant an
update.

Cheers,
        Moritz