
#61 dvbstreamer-1.1 ships a vulnerable copy of libtool

Milestone: v1.1
Status: closed-accepted
Owner: Adam Charrett
Priority: 5
Updated: 2010-03-02
Created: 2010-02-14
Creator: Samuli Suominen
Private: No

CVE-2009-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736):
ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
attempts to open a .la file in the current working directory, which
allows local users to gain privileges via a Trojan horse file.

[1] http://bugs.gentoo.org/show_bug.cgi?id=302478
[2] http://bugs.gentoo.org/show_bug.cgi?id=295535

Also, I don't really like that it's using a shipped copy of libtool when it should be using the system's libltdl, so I've patched it out.

See the attached patch.
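The ticket's underlying problem is a bundled libltdl that never gets the upstream fix. As a defender-side check added here (this is not part of the ticket, the attached patch, or dvbstreamer), the POSIX shell script below walks a source tree, finds every bundled libltdl directory, reads the libtool release it came from, and classifies it against the affected ranges the CVE text names (1.5.x, and 2.2.6 before 2.2.6b). It assumes the usual libtoolized layout: a directory named libltdl holding ltdl.c, with a libtool ltmain.sh nearby whose "VERSION=" line states the release. The function names and the sample tree are mine; the sample tree is constructed in a temporary directory, not a real dvbstreamer checkout.

```shell
#!/bin/sh
# Added example, not part of the ticket or of dvbstreamer: find bundled copies
# of libltdl in a source tree and classify their libtool release against the
# affected ranges named in CVE-2009-3736 (1.5.x, and 2.2.6 before 2.2.6b).
# Assumption: the bundled copy sits in a directory named "libltdl" containing
# ltdl.c, and a libtool ltmain.sh in or beside it carries a "VERSION=..." line.

# Classify one libtool version string: affected, fixed, not-listed or unknown.
classify_libtool_version() {
  case "$1" in
    "")              echo unknown ;;
    1.5 | 1.5.*)     echo affected ;;     # every 1.5.x release
    2.2.6 | 2.2.6a)  echo affected ;;     # 2.2.6 releases before 2.2.6b
    2.2.6[b-z]*)     echo fixed ;;        # 2.2.6b carries the fix
    *)               echo not-listed ;;   # outside the ranges the CVE names
  esac
}

# Extract the libtool release from an ltmain.sh: first VERSION= line, quotes stripped.
libtool_version_from_ltmain() {
  sed -n 's/^VERSION=["]*\([^"]*\)["]*$/\1/p' "$1" | head -n 1
}

# Walk a tree; for each libltdl directory that holds ltdl.c, print one line:
# "<libltdl dir> <version or ?> <classification>".
scan_bundled_libltdl() {
  find "$1" -type d -name libltdl | while read -r dir; do
    [ -f "$dir/ltdl.c" ] || continue
    # ltmain.sh may live inside libltdl (2.x puts it in libltdl/config/) or
    # beside it at the project top level; take the first one found.
    ltmain=$(find "$(dirname "$dir")" -name ltmain.sh 2>/dev/null | head -n 1)
    version=""
    [ -n "$ltmain" ] && version=$(libtool_version_from_ltmain "$ltmain")
    echo "$dir ${version:-?} $(classify_libtool_version "$version")"
  done
}

# Constructed sample tree (not a real checkout): one project bundling libltdl
# from libtool 1.5.26 and one carrying 2.2.6b, so both outcomes are exercised.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/old/libltdl" "$root/new/libltdl/config"
  : > "$root/old/libltdl/ltdl.c"
  printf 'PROGRAM=ltmain.sh\nVERSION=1.5.26\n' > "$root/old/libltdl/ltmain.sh"
  : > "$root/new/libltdl/ltdl.c"
  printf 'PROGRAM=ltmain.sh\nVERSION="2.2.6b"\n' > "$root/new/libltdl/config/ltmain.sh"
  echo "$root"
}

sample=$(make_sample_tree)
scan_bundled_libltdl "$sample"
rm -rf "$sample"
```

Run it against a real tree with `scan_bundled_libltdl /path/to/src`; a "not-listed" or "unknown" result only means the release is outside the ranges the CVE names or could not be read, so the cleaner remedy, as the patch here does, is to drop the bundled copy and link against the system libltdl that the distribution keeps patched.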

Discussion

  • The above patch also assumes "rm -rf libltdl" (as it is unnecessary) and rerunning autotools.

  • Adam Charrett
    2010-02-15

    Many thanks, patch applied to the 1.x branch, and trunk has also been updated.

  • Adam Charrett
    2010-02-15

    • labels: --> Build System
    • milestone: --> v1.1
    • assigned_to: nobody --> charrea6
    • status: open --> pending-accepted
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
    • status: pending-accepted --> closed-accepted