[redland-dev] CVE-2009-3736 local privilege escalation - may affect redland 1.0.9

Dave Beckett dave at dajobe.org
Mon Dec 14 04:45:41 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-3736 says:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

The redland 1.0.9 release from April 2009 was built with an affected libtool
2.2.6 and uses it to load storage modules dynamically from /usr/lib/redland.
  MD5 e5ef0c29c55b4f0f5aeed7955b4d383b  redland-1.0.9.tar.gz

It's hard for me to tell how important this is since I've not been able to
verify it on Linux[1], for one thing.  It might be more of a concern on
other OSes that do dynamic loading of modules a different way.

If you are worried about this, I've attached the patch to 1.0.9 that changes
ltdl.c the way the CVE expects.  It's untested since I can't verify there is
a problem.

Redland's next release won't have this problem since it'll be built with the
libtool 2.2.6b.

Dave


[1] https://bugzilla.redhat.com/show_bug.cgi?id=537941#c7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iD8DBQFLJbTjQ+ySUE9xlVoRAqW0AJ9bq3xA9eCd2498R2QbcQOHtf0qLQCfUdFA
Vigo6s57LQuSrm/okCTBlck=
=wL5a
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: redland-1.0.9-cve-2009-2736.patch
Type: text/x-patch
Size: 1579 bytes
Desc: not available
Url : http://lists.librdf.org/pipermail/redland-dev/attachments/20091213/ee3edb24/attachment.bin 
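The following is an added illustration, not code from the message above, from redland, or from GNU libtool. It models the lookup behaviour the CVE text describes (a `.la` file name tried relative to the current working directory before the configured module directory) next to a hardened resolver that only accepts bare module names and only searches absolute, trusted directories. The search order in `find_la_vulnerable`, the module name `librdf_storage_sqlite`, and the directory layout are assumptions constructed for the demo; the real `ltdl.c` search order is not reproduced here.

```python
"""Model of the .la lookup described in CVE-2009-3736, with a hardened variant.

Added example; assumptions: the affected loader tries the bare file name
(i.e. relative to the current working directory) before the trusted module
directory, and the module directory is /usr/lib/redland (simulated under a
temporary directory here).
"""
import os
import tempfile

LA_SUFFIX = ".la"


def find_la_vulnerable(name, search_dirs):
    """Assumed affected order: bare name first (resolves against CWD), then dirs."""
    candidates = [name + LA_SUFFIX]
    candidates += [os.path.join(d, name + LA_SUFFIX) for d in search_dirs]
    for candidate in candidates:
        if os.path.isfile(candidate):
            return os.path.abspath(candidate)
    return None


def find_la_hardened(name, search_dirs):
    """Only bare names, only absolute trusted dirs, and no symlink escape."""
    if not name or name in (".", "..") or os.sep in name \
            or (os.altsep and os.altsep in name):
        raise ValueError("module name must be a bare file name: %r" % name)
    for directory in search_dirs:
        if not os.path.isabs(directory):
            raise ValueError("trusted module dir must be absolute: %r" % directory)
        root = os.path.realpath(directory)
        real = os.path.realpath(os.path.join(root, name + LA_SUFFIX))
        # A symlinked .la pointing outside the trusted dir is skipped.
        if os.path.commonpath([real, root]) != root:
            continue
        if os.path.isfile(real):
            return real
    return None


def _write_la(directory, name, dlname):
    path = os.path.join(directory, name + LA_SUFFIX)
    with open(path, "w") as fh:
        fh.write("# constructed sample libtool archive\ndlname='%s'\n" % dlname)
    return path


def demo():
    """Build a trusted module dir and a CWD containing a same-named .la file.

    Returns which file each resolver picks while the CWD holds the planted copy.
    """
    module = "librdf_storage_sqlite"  # constructed sample module name
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "usr", "lib", "redland")
        untrusted_cwd = os.path.join(tmp, "scratch")
        os.makedirs(trusted)
        os.makedirs(untrusted_cwd)
        trusted_la = os.path.realpath(_write_la(trusted, module, "librdf_storage_sqlite.so"))
        planted_la = os.path.realpath(_write_la(untrusted_cwd, module, "planted.so"))

        previous_cwd = os.getcwd()
        os.chdir(untrusted_cwd)
        try:
            vulnerable_pick = find_la_vulnerable(module, [trusted])
            hardened_pick = find_la_hardened(module, [trusted])
        finally:
            os.chdir(previous_cwd)

        return {
            "vulnerable_picked_cwd": os.path.realpath(vulnerable_pick) == planted_la,
            "hardened_picked_trusted": hardened_pick == trusted_la,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

The hardened resolver is the check an application using a dynamic module loader should apply regardless of the libtool version it was built with: refuse module names containing path separators, take the module directory from configuration as an absolute path, and verify the resolved file still lies inside that directory.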

