#61 dvbstreamer-1.1 ships a vulnerable copy of libtool


CVE-2009-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3736):
ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
attempts to open a .la file in the current working directory, which
allows local users to gain privileges via a Trojan horse file.

[1] http://bugs.gentoo.org/show_bug.cgi?id=302478
[2] http://bugs.gentoo.org/show_bug.cgi?id=295535

Also, I don't really like its using a shipped copy of libtool when it should be using the system's libltdl, so I've patched it out.

See the attached patch.


  • Samuli Suominen

    Samuli Suominen - 2010-02-14

    The above patch also assumes "rm -rf libltdl" as unnecessary and rerunning autotools

  • Adam Charrett

    Adam Charrett - 2010-02-15

    Many thanks, patch applied to 1.x branch, and trunk has also been updated.

  • Adam Charrett

    Adam Charrett - 2010-02-15
    • labels: --> Build System
    • milestone: --> v1.1
    • assigned_to: nobody --> charrea6
    • status: open --> pending-accepted
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

  • SourceForge Robot

    • status: pending-accepted --> closed-accepted
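
An added example, not part of this tracker item or of the dvbstreamer sources: a shell audit that finds bundled `libltdl` copies in a source tree and flags those whose libtool version falls in the CVE-2009-3736 range quoted in the report (1.5.x, and 2.2.6 before 2.2.6b). It assumes the version can be read from the `VERSION=` line of an `ltmain.sh` near the bundled copy; the function names, the candidate paths and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag bundled libltdl copies in the CVE-2009-3736 range.

# 0 (true) if the libtool version is in the range quoted from the advisory:
# 1.5.x, and 2.2.6 before 2.2.6b.
libtool_version_affected() {
    case "$1" in
        1.5|1.5.*)    return 0 ;;
        2.2.6|2.2.6a) return 0 ;;
        *)            return 1 ;;
    esac
}

# Read the VERSION= line of an ltmain.sh (assumed location of the version
# string); drop quotes and any distribution suffix after the first space.
ltmain_version() {
    sed -n 's/^VERSION=//p' "$1" | head -n 1 | tr -d "\"'" | cut -d' ' -f1
}

# Print "AFFECTED|OK|UNKNOWN <libltdl dir> <version>" per bundled copy under $1.
audit_tree() {
    find "$1" -type f -name ltdl.c -path '*/libltdl/*' | while IFS= read -r src; do
        dir=$(dirname "$src")
        ver=""
        # Candidate ltmain.sh locations (assumed): beside the copy, in its
        # config/ subdirectory, or in the parent project directory.
        for cand in "$dir/ltmain.sh" "$dir/config/ltmain.sh" "$dir/../ltmain.sh"; do
            if [ -f "$cand" ]; then ver=$(ltmain_version "$cand"); break; fi
        done
        if [ -z "$ver" ]; then
            echo "UNKNOWN $dir -"
        elif libtool_version_affected "$ver"; then
            echo "AFFECTED $dir $ver"
        else
            echo "OK $dir $ver"
        fi
    done
}

# Constructed sample tree (not dvbstreamer's real layout) so the script runs offline.
make_sample_tree() {
    mkdir -p "$1/old/libltdl" "$1/fixed/libltdl/config" "$1/bare/libltdl"
    : > "$1/old/libltdl/ltdl.c"; : > "$1/fixed/libltdl/ltdl.c"; : > "$1/bare/libltdl/ltdl.c"
    printf 'VERSION="1.5.26 Debian 1.5.26-1"\n' > "$1/old/ltmain.sh"
    printf 'VERSION=2.2.6b\n' > "$1/fixed/libltdl/config/ltmain.sh"
}

if [ -n "${1:-}" ]; then audit_tree "$1"; fi
```

An `UNKNOWN` result means a bundled copy exists but no version could be read, so it still needs a manual check or removal in favour of the system libltdl.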
