[Pkg-gmagick-im-team] Bug#559833: CVE-2009-3736 local privilege escalation

Stefano Zacchiroli zack at debian.org
Tue Mar 2 22:14:50 UTC 2010


On Mon, Dec 07, 2009 at 12:05:22AM -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have
> not had time to determine whether the vulnerable code is actually
> present in any of the binary packages. Please determine whether this
> is the case. If the binary packages are not affected, please feel free
> to close the bug with a message containing the details of what you did
> to check.

I believe this bug report can be closed as a false positive. I detail
below my verifications to that conclusion and I copy the security team
for insights.

- the imagemagick source package build-depends on libltdl-dev

- all binaries built by imagemagick depend (either directly or
  transitively on libltdl7, see shell log [1]) -- tested on amd64

- the build log of the latest imagemagick on amd64 says:

    checking for ltdl.h... yes
    checking whether lt_dlinterface_register is declared... yes
    checking for lt_dladvise_preload in -lltdl... yes
    checking where to find libltdl headers...
    checking where to find libltdl library... -lltdl

  it also says, at link time

    LIBS            = -lMagickCore -llcms -ltiff -lfreetype -ljpeg -llqr-1 -lglib-2.0 -lfontconfig -lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lm -lgomp -lpthread -lltdl

  without any specific CFLAGS/LDFLAGS.
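
The three checks listed in the message above (direct or transitive dependency on libltdl, and a build log that picks up the system library) can be scripted as follows. This is an added example, not part of the original message or of the imagemagick packaging. The function names, the sample inputs and the `libltdl/*.c` pattern used to spot a bundled copy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inputs are text captured from objdump, ldd and the build log.

# Direct dependency: a NEEDED entry for libltdl in `objdump -p BIN` (stdin).
has_needed_ltdl() {
    grep -Eq '^[[:space:]]*NEEDED[[:space:]]+libltdl\.so\.[0-9]+'
}

# Transitive dependency: the loader resolves libltdl in `ldd BIN` (stdin).
resolves_ltdl() {
    grep -Eq '^[[:space:]]*libltdl\.so\.[0-9]+ => /'
}

# $1: text of `objdump -p BIN`, $2: text of `ldd BIN`
ltdl_link_kind() {
    if printf '%s\n' "$1" | has_needed_ltdl; then echo direct
    elif printf '%s\n' "$2" | resolves_ltdl; then echo transitive
    else echo none
    fi
}

# Build log (stdin): configure found the system header, the link line has
# -lltdl, and no bundled libltdl/ source was compiled (heuristic, assumed path).
log_uses_system_ltdl() {
    awk '
        /checking for ltdl\.h\.\.\. yes/ { hdr = 1 }
        /^[ \t]*LIBS[ \t]*=/ && /[ \t]-lltdl([ \t]|$)/ { lnk = 1 }
        /libltdl\/[^ \t]*\.c([ \t]|$)/ { bundled = 1 }
        END { exit !(hdr && lnk && !bundled) }
    '
}

# Constructed samples (not real output from the imagemagick build).
OBJDUMP_LIB='Dynamic Section:
  NEEDED               libltdl.so.7
  NEEDED               libc.so.6'
OBJDUMP_TOOL='Dynamic Section:
  NEEDED               libfoo.so.1
  NEEDED               libc.so.6'
LDD_TOOL='    libfoo.so.1 => /usr/lib/libfoo.so.1 (0x00007f0000000000)
    libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f0000200000)'
LOG_SYSTEM='checking for ltdl.h... yes
LIBS            = -lfoo -lm -lpthread -lltdl'
LOG_BUNDLED="$LOG_SYSTEM
gcc -c libltdl/ltdl.c -o libltdl/ltdl.o"
```

On an installed system the same functions take live input, for example `objdump -p BIN | has_needed_ltdl`.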
