From: SourceForge.net <no...@so...> - 2011-11-26 08:15:36
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Tracker Item Submitted) made by gaui
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100599&aid=3442522&group_id=599

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Simulator
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: gaui (gaui)
Assigned to: Nobody/Anonymous (nobody)
Summary: ltdl.c needs upgrade

Initial Comment:
Hi

The file sim/ucsim/libltdl/ltdl.c is still from an ancient libtool version and contains the "CVE-2009-3736 local privilege escalation" bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559840

Can you please fix this in version 3.1.0? Sorry if I was unclear in my previous emails.

Attached is the Debian patch which is used to fix the file but I suggest to copy it directly from the libtool sources.

Regards
Gudjon

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-11-26 09:05:37
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Comment added) made by spth

>Comment By: Philipp Klaus Krause (spth)
Date: 2011-11-26 01:05

Message:
To summarize what I learned about this: The bug is a security risk if root or someone runs the simulator in a directory where other users have write-access. E.g. root running the simulator in the home directory of some user or someone running the simulator in /tmp.

Philipp

----------------------------------------------------------------------
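As an added example (not part of the tracker thread or of the sdcc sources): a pre-flight check in C for the condition Philipp's comment describes, a working directory in which another user can create files. The function name `dir_writable_by_others` and its return convention are assumptions for illustration; POSIX ACLs are not examined.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from sdcc or libtool).
 * Returns 1 if a user other than `runner` (or root) can create files in
 * `dir`, 0 if not, and -1 if `dir` cannot be inspected or is not a directory.
 * Only the classic mode bits and the owner are checked, not ACLs.
 */
int dir_writable_by_others(const char *dir, uid_t runner)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;

    /* The owner can always write (or chmod and then write), so the owner
     * must be the runner or root. This is the "root running the simulator
     * in the home directory of some user" case from the thread. */
    if (st.st_uid != runner && st.st_uid != 0)
        return 1;

    /* Group- or world-writable. The sticky bit on /tmp only restricts
     * deleting and renaming other users' files, not creating new ones,
     * so /tmp is reported as writable by others. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 1;

    return 0;
}

int main(void)
{
    int r = dir_writable_by_others(".", geteuid());

    if (r != 0) {
        fprintf(stderr, "refusing to run: working directory %s\n",
                r < 0 ? "cannot be inspected" : "is writable by other users");
        return 1;
    }
    puts("working directory is private to this user");
    return 0;
}
```

The check is deliberately conservative: a directory that is group-writable only for the user's private group is still reported.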
From: SourceForge.net <no...@so...> - 2011-11-26 10:53:53
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Comment added) made by borutr

>Comment By: Borut Ražem (borutr)
Date: 2011-11-26 02:53

Message:
Gudjon, does the patch cover all sdcc platforms? It seems to me that it won't compile on Windows at least...

Borut

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-11-28 08:33:46
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Comment added) made by borutr

Category: Simulator
>Group: fixed
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: gaui (gaui)
>Assigned to: Borut Ražem (borutr)
Summary: ltdl.c needs upgrade

>Comment By: Borut Ražem (borutr)
Date: 2011-11-28 00:33

Message:
I found out that libltdl is not used by gpsim at all, so I removed it in svn revision #7078.

Borut

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-11-28 18:49:00
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Comment added) made by gaui

Comment By: gaui (gaui)
Date: 2011-11-28 10:49

Message:
Hi

I downloaded libtool 2.4.2 and sdcc 3.1.0 and copied ltdl.{c,h} to sim/ucsim/libltdl and compiled it without problems on my Windows computer.

Please don't use the patch I sent, rather upgrade the libtool files in ucsim with files from a newer libtool and that should work on all platforms. Where did your compilation stop Borut?

Thanks Philipp, I had not read carefully how to use the bug to get more privileges.

Regards
Gudjon

----------------------------------------------------------------------
From: SourceForge.net <no...@so...> - 2011-11-28 18:51:51
Bugs item #3442522, was opened at 2011-11-26 00:15
Message generated for change (Comment added) made by gaui

Comment By: gaui (gaui)
Date: 2011-11-28 10:51

Message:
Thanks Borut. Sorry, I didn't see your comment until after replying. Then it's fixed and I promise not to reopen it :)

/Gudjon

----------------------------------------------------------------------