[Pkg-gmagick-im-team] Bug#559833: CVE-2009-3736 local privilege escalation
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Mar 2 22:32:35 UTC 2010
On Tue, 2 Mar 2010 23:14:50 +0100, Stefano Zacchiroli wrote:
> On Mon, Dec 07, 2009 at 12:05:22AM -0500, Michael Gilbert wrote:
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool. I have determined that this package embeds a
> > vulnerable copy of the libtool source code. However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have
> > not had time to determine whether the vulnerable code is actually
> > present in any of the binary packages. Please determine whether this
> > is the case. If the binary packages are not affected, please feel free
> > to close the bug with a message containing the details of what you did
> > to check.
>
> I believe this bug report can be closed as false positive. I detail
> below my verifications to that conclusion and I copy the security team
> for insights.
>
> - the imagemagick source package build-depends on libltdl-dev
>
> - all binaries built by imagemagick depends (either directly or
> transitvely on libltdl7, see shell log [1]) -- tested on amd64
>
> - the build log of latest imagemagick on amd64 says:
>
> checking for ltdl.h... yes
> checking whether lt_dlinterface_register is declared... yes
> checking for lt_dladvise_preload in -lltdl... yes
> checking where to find libltdl headers...
> checking where to find libltdl library... -lltdl
>
> it also says, at link time
>
> LIBS = -lMagickCore -llcms -ltiff -lfreetype -ljpeg -llqr-1 -lglib-2.0 -lfontconfig -lXext -lSM -lICE -lX11 -lXt -lbz2 -lz -lm -lgomp -lpthread -lltdl
>
> without any specific CFLAGS/LDFLAGS.
>
> From all the above, I'm inclined to conclude that imagemagick uses
> system-wide ltdl and hence is unaffected by this bug. Confirmation
> and/or comments would be very welcome.
also:
$ ldd /usr/bin/compare | grep ltdl
libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7009000)
...
(true for all of the other imagemagick binaries too)
i would say this is more than enough checking, and the bug can be
safely closed. thanks!
mike
More information about the Pkg-gmagick-im-team
mailing list