CVE-2009-3736

Name	CVE-2009-3736
Description	ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1958-1
Debian Bugs	559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845, 702436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
bochs (PTS)	jessie	2.6-2	fixed
	stretch	2.6-5	fixed
	buster	2.6.9+dfsg-3	fixed
	bullseye	2.6.11+dfsg-4	fixed
	trixie, bookworm	2.7+dfsg-4	fixed
	sid	2.8+dfsg-1	fixed
clamav (PTS)	jessie, jessie (lts)	0.103.9+dfsg-0+deb8u1	fixed
	stretch (security)	0.103.6+dfsg-0+deb9u1	fixed
	stretch (lts), stretch	0.103.9+dfsg-0+deb9u1	fixed
	buster	0.103.6+dfsg-0+deb10u1	fixed
	buster (security)	0.103.9+dfsg-0+deb10u1	fixed
	bullseye	0.103.10+dfsg-0+deb11u1	fixed
	bookworm	1.0.3+dfsg-1~deb12u1	fixed
	trixie	1.0.5+dfsg-1	fixed
	sid	1.0.5+dfsg-1.1	fixed
collectd (PTS)	jessie, jessie (lts)	5.4.1-6+deb8u1	fixed
	stretch	5.7.1-1.1	fixed
	buster	5.8.1-1.3	fixed
	bullseye	5.12.0-7	fixed
	bookworm	5.12.0-14	fixed
	sid	5.12.0-18	fixed
ggobi (PTS)	jessie	2.1.11-1	fixed
	sid, trixie, buster, bullseye, stretch, bookworm	2.1.11-2	fixed
gnash (PTS)	stretch	0.8.11~git20160608-1.3	fixed
gnu-smalltalk (PTS)	jessie	3.2.4-2.1	fixed
	stretch	3.2.5-1	fixed
	bullseye	3.2.5-1.3	fixed
graphicsmagick (PTS)	jessie, jessie (lts)	1.3.20-3+deb8u13	fixed
	stretch (security)	1.3.30+hg15796-1~deb9u5	fixed
	stretch (lts), stretch	1.3.30+hg15796-1~deb9u7	fixed
	buster	1.4+really1.3.35-1~deb10u2	fixed
	buster (security)	1.4+really1.3.35-1~deb10u3	fixed
	bullseye (security), bullseye	1.4+really1.3.36+hg16481-2+deb11u1	fixed
	bookworm	1.4+really1.3.40-4	fixed
	trixie	1.4+really1.3.42-1	fixed
	sid	1.4+really1.3.43-1	fixed
graphviz (PTS)	jessie, jessie (lts)	2.38.0-7+deb8u1	fixed
	stretch (security), stretch (lts), stretch	2.38.0-17+deb9u1	fixed
	buster, buster (security)	2.40.1-6+deb10u1	fixed
	bullseye	2.42.2-5	fixed
	bookworm	2.42.2-7	fixed
	trixie	2.42.2-8	fixed
	sid	2.42.2-9	fixed
hamlib (PTS)	jessie	1.2.15.3-2	fixed
	stretch	3.0.1-1	fixed
	buster	3.3-5	fixed
	bullseye	4.0-7	fixed
	bookworm	4.5.4-1	fixed
	trixie	4.5.5-3	fixed
	sid	4.5.5-3.2	fixed
heartbeat (PTS)	jessie	1:3.0.5+hg12629-1.2	fixed
	stretch	1:3.0.6-5	fixed
	buster	1:3.0.6-9	fixed
	bullseye	1:3.0.6-11+deb11u1	fixed
	bookworm	1:3.0.6-13	fixed
	trixie	1:3.0.6-14	fixed
	sid	1:3.0.6-14.1	fixed
hercules (PTS)	jessie	3.07-2.3	fixed
	stretch	3.12-1	fixed
	buster	3.13-1	fixed
	sid, trixie, bullseye, bookworm	3.13-7	fixed
hypre (PTS)	jessie	2.8.0b-2	fixed
	stretch	2.11.1-3	fixed
	buster	2.15.1-5	fixed
	bullseye	2.18.2-1	fixed
	bookworm	2.26.0-3	fixed
	sid, trixie	2.28.0-8	fixed
imagemagick (PTS)	jessie, jessie (lts)	8:6.8.9.9-5+deb8u26	fixed
	stretch (security)	8:6.9.7.4+dfsg-11+deb9u14	fixed
	stretch (lts), stretch	8:6.9.7.4+dfsg-11+deb9u19	fixed
	buster	8:6.9.10.23+dfsg-2.1+deb10u1	fixed
	buster (security)	8:6.9.10.23+dfsg-2.1+deb10u7	fixed
	bullseye	8:6.9.11.60+dfsg-1.3+deb11u2	fixed
	bullseye (security)	8:6.9.11.60+dfsg-1.3+deb11u3	fixed
	bookworm	8:6.9.11.60+dfsg-1.6	fixed
	bookworm (security)	8:6.9.11.60+dfsg-1.6+deb12u1	fixed
	trixie	8:6.9.12.98+dfsg1-5	fixed
	sid	8:6.9.12.98+dfsg1-5.2	fixed
jags (PTS)	jessie	3.4.0-1	fixed
	stretch	4.2.0-2	fixed
	buster	4.3.0-2	fixed
	bullseye	4.3.0-3	fixed
	bookworm	4.3.1-1	fixed
	sid, trixie	4.3.2-1	fixed
lam (PTS)	jessie, stretch	7.1.4-3.1	fixed
	buster	7.1.4-6	fixed
	bullseye	7.1.4-6.1	fixed
	trixie, bookworm	7.1.4-7	fixed
	sid	7.1.4-7.2	fixed
libextractor (PTS)	jessie, jessie (lts)	1:1.3-2+deb8u5	fixed
	stretch (security), stretch (lts), stretch	1:1.3-4+deb9u4	fixed
	buster	1:1.8-2+deb10u1	fixed
	bullseye	1:1.11-2	fixed
	bookworm	1:1.11-7	fixed
	sid, trixie	1:1.13-3	fixed
libmcrypt (PTS)	jessie, stretch	2.5.8-3.3	fixed
	buster, bullseye	2.5.8-3.4	fixed
	sid, trixie, bookworm	2.5.8-7	fixed
libprelude (PTS)	jessie	1.0.0-11.4	fixed
	stretch	1.0.0-11.9	fixed
	buster	4.1.0-4.2	fixed
	bullseye	5.2.0-3+deb11u1	fixed
	bookworm	5.2.0-5	fixed
	sid	5.2.0-5.4	fixed
libtool (PTS)	jessie	2.4.2-1.11	fixed
	stretch	2.4.6-2	fixed
	buster	2.4.6-9	fixed
	bullseye	2.4.6-15	fixed
	bookworm	2.4.7-5	fixed
	sid, trixie	2.4.7-7	fixed
mp4h (PTS)	jessie	1.3.1-9	fixed
	stretch	1.3.1-16	fixed
	sid, trixie, buster, bullseye, bookworm	1.3.1-17	fixed
openmpi (PTS)	jessie	1.6.5-9.1+deb8u1	fixed
	stretch	2.0.2-2	fixed
	buster	3.1.3-11	fixed
	bullseye	4.1.0-10	fixed
	bookworm	4.1.4-3	fixed
	trixie	4.1.6-5	fixed
	sid	4.1.6-12	fixed
parser (PTS)	jessie	3.4.3-4	fixed
	stretch	3.4.4-1	fixed
	buster	3.4.5-4	fixed
	bullseye	3.4.6-2	fixed
	bookworm	3.4.6-3	fixed
	sid, trixie	3.4.6-4	fixed
parser-mysql (PTS)	jessie	10.6-2	fixed
	stretch	10.7-2	fixed
	buster	10.7-4	fixed
	sid, trixie, bullseye, bookworm	10.8-3	fixed
pdsh (PTS)	jessie, buster, bullseye, stretch	2.31-3	fixed
	bookworm	2.34-0.2	fixed
	sid, trixie	2.34-3	fixed
pinball (PTS)	jessie	0.3.1-13.2	fixed
	stretch	0.3.1-13.6	fixed
	buster	0.3.1-14.1	fixed
	bullseye, bookworm	0.3.20201218-4	fixed
	sid, trixie	0.3.20230219-1	fixed
proftpd-dfsg (PTS)	jessie, jessie (lts)	1.3.5e+r1.3.5-2+deb8u8	fixed
	stretch (security)	1.3.5e+r1.3.5b-4+deb9u2	fixed
	stretch (lts), stretch	1.3.5e+r1.3.5b-4+deb9u3	fixed
	buster	1.3.6-4+deb10u6	fixed
	buster (security)	1.3.6-4+deb10u4	fixed
	bullseye	1.3.7a+dfsg-12+deb11u2	fixed
	bookworm	1.3.8+dfsg-4+deb12u3	fixed
	trixie	1.3.8.b+dfsg-1	fixed
	sid	1.3.8.b+dfsg-2	fixed
redland (PTS)	jessie	1.0.17-1	fixed
	buster, bullseye, stretch	1.0.17-1.1	fixed
	trixie, bookworm	1.0.17-3	fixed
	sid	1.0.17-3.1	fixed
sdcc (PTS)	jessie	3.4.0+dfsg-2	fixed
	stretch	3.5.0+dfsg-2	fixed
	buster	3.8.0+dfsg-2	fixed
	bullseye	4.0.0+dfsg-2	fixed
	bookworm	4.2.0+dfsg-1	fixed
	sid, trixie	4.4.0+dfsg-2	fixed
siproxd (PTS)	jessie	1:0.8.1-4	fixed
	buster, stretch	1:0.8.1-4.1	fixed
synfig (PTS)	jessie	0.64.2-1	fixed
	stretch	1.0.2-1	fixed
	buster	1.2.2-1	fixed
	bullseye	1.4.0+dfsg-2	fixed
	sid, bookworm	1.5.1+dfsg-3	fixed
xmlsec1 (PTS)	jessie	1.2.20-2	fixed
	stretch (lts), stretch	1.2.27-2~deb9u1	fixed
	buster	1.2.27-2	fixed
	bullseye	1.2.31-1	fixed
	bookworm	1.2.37-2	fixed
	trixie	1.2.38-1	fixed
	sid	1.2.39-5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
arts	source	(unstable)	(not affected)
babel	source	(unstable)	1.4.0.dfsg-5	low		559843
bochs	source	(unstable)	(not affected)
camserv	source	(unstable)	(unfixed)	low		559800
clamav	source	(unstable)	0.95+dfsg-1	low		559832
collectd	source	(unstable)	4.8.2-1	low		559801
cvsnt	source	(unstable)	2.5.04.3236-1.2	low		559803
ggobi	source	(unstable)	2.1.9~20091212-1	low		559806
gnash	source	(unstable)	0.8.7-2	low		559808
gnu-smalltalk	source	(unstable)	3.1-2	low		559809
graphicsmagick	source	(unstable)	1.3.5-6	low		559811
graphviz	source	squeeze	2.26.3-5+squeeze1
graphviz	source	(unstable)	2.26.3-14	low		702436
guile-1.6	source	(unstable)	1.6.8-7	low		559813
hamlib	source	lenny	1.2.7.1-1+lenny1
hamlib	source	(unstable)	1.2.10-1	low		559814
heartbeat	source	(unstable)	2.1.4-7	unimportant		559845
hercules	source	(unstable)	3.06-1.2	low		559815
hypre	source	(unstable)	2.4.0b-5	low		559834
imagemagick	source	(unstable)	6:6.2.3.1-1	low		559833
jags	source	(unstable)	1.0.4-1	low		559816
kdelibs	source	(unstable)	(not affected)
lam	source	(unstable)	7.1.2-1.6	low		559835
libannodex	source	(unstable)	(unfixed)	low		559818
libextractor	source	(unstable)	0.5.23+dfsg-4	low		559819
libmcrypt	source	(unstable)	(not affected)
libprelude	source	(unstable)	0.9.14-2	low		559844
libtool	source	etch	1.5.22-4+etch1		DSA-1958-1
libtool	source	lenny	1.5.26-4+lenny1		DSA-1958-1
libtool	source	(unstable)	2.2.6b-1	low		559797
libtunepimp	source	(unstable)	0.5.3-7.3	low		559821
mp4h	source	(unstable)	1.3.1-4.1	low		559822
naim	source	(unstable)	(unfixed)	low		559823
openmpi	source	(unstable)	1.3.3-4	low		559836
parser	source	(unstable)	3.4.0-2	unimportant		559837
parser-mysql	source	(unstable)	10.3-2	unimportant		559824
pdsh	source	(unstable)	(not affected)
pinball	source	(unstable)	0.3.1-11	low		559825
proftpd-dfsg	source	(unstable)	(not affected)
redland	source	etch	(not affected)
redland	source	lenny	(not affected)
redland	source	(unstable)	1.0.10-1	low		559826
sdcc	source	(unstable)	2.9.0-5	low		559840
siproxd	source	(unstable)	1:0.8.1-1	low		559827
ski	source	(unstable)	(unfixed)	low		559828
synfig	source	(unstable)	0.62.00-1	low		559829
xmlsec1	source	(unstable)	1.2.14-1	unimportant		559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier