CVE-2009-3736

NameCVE-2009-3736
Descriptionltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1958-1
Debian Bugs559797, 559800, 559801, 559803, 559806, 559808, 559809, 559811, 559813, 559814, 559815, 559816, 559818, 559819, 559821, 559822, 559823, 559824, 559825, 559826, 559827, 559828, 559829, 559831, 559832, 559833, 559834, 559835, 559836, 559837, 559840, 559843, 559844, 559845, 702436

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bochs (PTS)jessie2.6-2fixed
stretch2.6-5fixed
buster2.6.9+dfsg-3fixed
bullseye2.6.11+dfsg-4fixed
bookworm2.7+dfsg-4fixed
sid, trixie2.8+dfsg-2fixed
clamav (PTS)jessie, jessie (lts)0.103.12+dfsg-0+deb8u1fixed
stretch (security)0.103.6+dfsg-0+deb9u1fixed
stretch (lts), stretch0.103.12+dfsg-0+deb9u1fixed
buster, buster (lts)1.0.7+dfsg-1~deb10u1fixed
buster (security)0.103.9+dfsg-0+deb10u1fixed
bullseye0.103.10+dfsg-0+deb11u1fixed
bullseye (security)1.0.7+dfsg-1~deb11u2fixed
bookworm1.0.7+dfsg-1~deb12u1fixed
sid, trixie1.4.1+dfsg-1fixed
collectd (PTS)jessie, jessie (lts)5.4.1-6+deb8u1fixed
stretch5.7.1-1.1fixed
buster5.8.1-1.3fixed
bullseye5.12.0-7fixed
bookworm5.12.0-14fixed
sid, trixie5.12.0-22fixed
ggobi (PTS)jessie2.1.11-1fixed
buster, bullseye, stretch, bookworm2.1.11-2fixed
sid, trixie2.1.12-1fixed
gnash (PTS)stretch0.8.11~git20160608-1.3fixed
gnu-smalltalk (PTS)jessie3.2.4-2.1fixed
stretch3.2.5-1fixed
bullseye3.2.5-1.3fixed
graphicsmagick (PTS)jessie, jessie (lts)1.3.20-3+deb8u14fixed
stretch (security)1.3.30+hg15796-1~deb9u5fixed
stretch (lts), stretch1.3.30+hg15796-1~deb9u7fixed
buster (security), buster, buster (lts)1.4+really1.3.35-1~deb10u3fixed
bullseye (security), bullseye1.4+really1.3.36+hg16481-2+deb11u1fixed
bookworm1.4+really1.3.40-4fixed
sid, trixie1.4+really1.3.45-1fixed
graphviz (PTS)jessie, jessie (lts)2.38.0-7+deb8u1fixed
stretch (security), stretch (lts), stretch2.38.0-17+deb9u1fixed
buster (security), buster, buster (lts)2.40.1-6+deb10u1fixed
bullseye2.42.2-5+deb11u1fixed
bookworm2.42.2-7+deb12u1fixed
sid, trixie2.42.4-2fixed
hamlib (PTS)jessie1.2.15.3-2fixed
stretch3.0.1-1fixed
buster3.3-5fixed
bullseye4.0-7fixed
bookworm4.5.4-1fixed
sid, trixie4.5.5-4fixed
heartbeat (PTS)jessie1:3.0.5+hg12629-1.2fixed
stretch1:3.0.6-5fixed
buster1:3.0.6-9fixed
bullseye1:3.0.6-11+deb11u1fixed
bookworm1:3.0.6-13fixed
sid, trixie1:3.0.6-15fixed
hercules (PTS)jessie3.07-2.3fixed
stretch3.12-1fixed
buster3.13-1fixed
bullseye, bookworm3.13-7fixed
sid, trixie3.13-8fixed
hypre (PTS)jessie2.8.0b-2fixed
stretch2.11.1-3fixed
buster2.15.1-5fixed
bullseye2.18.2-1fixed
bookworm2.26.0-3fixed
trixie2.32.0-3fixed
sid2.32.0-4fixed
imagemagick (PTS)jessie, jessie (lts)8:6.8.9.9-5+deb8u27fixed
stretch (security)8:6.9.7.4+dfsg-11+deb9u14fixed
stretch (lts), stretch8:6.9.7.4+dfsg-11+deb9u20fixed
buster, buster (lts)8:6.9.10.23+dfsg-2.1+deb10u9fixed
buster (security)8:6.9.10.23+dfsg-2.1+deb10u7fixed
bullseye8:6.9.11.60+dfsg-1.3+deb11u4fixed
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u3fixed
bookworm8:6.9.11.60+dfsg-1.6+deb12u2fixed
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u1fixed
sid, trixie8:7.1.1.39+dfsg1-3fixed
jags (PTS)jessie3.4.0-1fixed
stretch4.2.0-2fixed
buster4.3.0-2fixed
bullseye4.3.0-3fixed
bookworm4.3.1-1fixed
sid, trixie4.3.2-1fixed
lam (PTS)jessie, stretch7.1.4-3.1fixed
buster7.1.4-6fixed
bullseye7.1.4-6.1fixed
bookworm7.1.4-7fixed
sid, trixie7.1.4-7.2fixed
libextractor (PTS)jessie, jessie (lts)1:1.3-2+deb8u5fixed
stretch (security), stretch (lts), stretch1:1.3-4+deb9u4fixed
buster1:1.8-2+deb10u1fixed
bullseye1:1.11-2fixed
bookworm1:1.11-7fixed
sid, trixie1:1.13-8fixed
libmcrypt (PTS)jessie, stretch2.5.8-3.3fixed
buster, bullseye2.5.8-3.4fixed
bookworm2.5.8-7fixed
sid, trixie2.5.8-8fixed
libprelude (PTS)jessie1.0.0-11.4fixed
stretch1.0.0-11.9fixed
buster4.1.0-4.2fixed
bullseye5.2.0-3+deb11u1fixed
bookworm5.2.0-5fixed
sid5.2.0-5.6fixed
libtool (PTS)jessie2.4.2-1.11fixed
stretch2.4.6-2fixed
buster2.4.6-9fixed
bullseye2.4.6-15fixed
bookworm2.4.7-7~deb12u1fixed
sid, trixie2.4.7-8fixed
mp4h (PTS)jessie1.3.1-9fixed
stretch1.3.1-16fixed
buster, bullseye, bookworm1.3.1-17fixed
sid, trixie1.3.1-17.1fixed
openmpi (PTS)jessie1.6.5-9.1+deb8u1fixed
stretch2.0.2-2fixed
buster3.1.3-11fixed
bullseye4.1.0-10fixed
bookworm4.1.4-3fixed
sid, trixie5.0.6-3fixed
parser (PTS)jessie3.4.3-4fixed
stretch3.4.4-1fixed
buster3.4.5-4fixed
bullseye3.4.6-2fixed
bookworm3.4.6-3fixed
sid, trixie3.4.6-5fixed
parser-mysql (PTS)jessie10.6-2fixed
stretch10.7-2fixed
buster10.7-4fixed
sid, trixie, bullseye, bookworm10.8-3fixed
pdsh (PTS)jessie, buster, bullseye, stretch2.31-3fixed
bookworm2.34-0.2fixed
sid, trixie2.34-3fixed
pinball (PTS)jessie0.3.1-13.2fixed
stretch0.3.1-13.6fixed
buster0.3.1-14.1fixed
bullseye, bookworm0.3.20201218-4fixed
sid, trixie0.3.20230219-2fixed
proftpd-dfsg (PTS)jessie, jessie (lts)1.3.5e+r1.3.5-2+deb8u8fixed
stretch (security)1.3.5e+r1.3.5b-4+deb9u2fixed
stretch (lts), stretch1.3.5e+r1.3.5b-4+deb9u3fixed
buster1.3.6-4+deb10u6fixed
buster (security), buster (lts)1.3.6-4+deb10u4fixed
bullseye1.3.7a+dfsg-12+deb11u2fixed
bullseye (security)1.3.7a+dfsg-12+deb11u3fixed
bookworm1.3.8+dfsg-4+deb12u3fixed
bookworm (security)1.3.8+dfsg-4+deb12u4fixed
sid, trixie1.3.8.c+dfsg-1fixed
redland (PTS)jessie1.0.17-1fixed
buster, bullseye, stretch1.0.17-1.1fixed
bookworm1.0.17-3fixed
sid, trixie1.0.17-4fixed
sdcc (PTS)jessie3.4.0+dfsg-2fixed
stretch3.5.0+dfsg-2fixed
buster3.8.0+dfsg-2fixed
bullseye4.0.0+dfsg-2fixed
bookworm4.2.0+dfsg-1fixed
sid, trixie4.4.0+dfsg-2fixed
siproxd (PTS)jessie1:0.8.1-4fixed
buster, stretch1:0.8.1-4.1fixed
synfig (PTS)jessie0.64.2-1fixed
stretch1.0.2-1fixed
buster1.2.2-1fixed
bullseye1.4.0+dfsg-2fixed
bookworm1.5.1+dfsg-3fixed
sid1.5.1+dfsg-4fixed
xmlsec1 (PTS)jessie1.2.20-2fixed
stretch (lts), stretch1.2.27-2~deb9u1fixed
buster1.2.27-2fixed
bullseye1.2.31-1fixed
bookworm1.2.37-2fixed
sid, trixie1.2.41-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
artssource(unstable)(not affected)
babelsource(unstable)1.4.0.dfsg-5low559843
bochssource(unstable)(not affected)
camservsource(unstable)(unfixed)low559800
clamavsource(unstable)0.95+dfsg-1low559832
collectdsource(unstable)4.8.2-1low559801
cvsntsource(unstable)2.5.04.3236-1.2low559803
ggobisource(unstable)2.1.9~20091212-1low559806
gnashsource(unstable)0.8.7-2low559808
gnu-smalltalksource(unstable)3.1-2low559809
graphicsmagicksource(unstable)1.3.5-6low559811
graphvizsourcesqueeze2.26.3-5+squeeze1
graphvizsource(unstable)2.26.3-14low702436
guile-1.6source(unstable)1.6.8-7low559813
hamlibsourcelenny1.2.7.1-1+lenny1
hamlibsource(unstable)1.2.10-1low559814
heartbeatsource(unstable)2.1.4-7unimportant559845
herculessource(unstable)3.06-1.2low559815
hypresource(unstable)2.4.0b-5low559834
imagemagicksource(unstable)6:6.2.3.1-1low559833
jagssource(unstable)1.0.4-1low559816
kdelibssource(unstable)(not affected)
lamsource(unstable)7.1.2-1.6low559835
libannodexsource(unstable)(unfixed)low559818
libextractorsource(unstable)0.5.23+dfsg-4low559819
libmcryptsource(unstable)(not affected)
libpreludesource(unstable)0.9.14-2low559844
libtoolsourceetch1.5.22-4+etch1DSA-1958-1
libtoolsourcelenny1.5.26-4+lenny1DSA-1958-1
libtoolsource(unstable)2.2.6b-1low559797
libtunepimpsource(unstable)0.5.3-7.3low559821
mp4hsource(unstable)1.3.1-4.1low559822
naimsource(unstable)(unfixed)low559823
openmpisource(unstable)1.3.3-4low559836
parsersource(unstable)3.4.0-2unimportant559837
parser-mysqlsource(unstable)10.3-2unimportant559824
pdshsource(unstable)(not affected)
pinballsource(unstable)0.3.1-11low559825
proftpd-dfsgsource(unstable)(not affected)
redlandsourceetch(not affected)
redlandsourcelenny(not affected)
redlandsource(unstable)1.0.10-1low559826
sdccsource(unstable)2.9.0-5low559840
siproxdsource(unstable)1:0.8.1-1low559827
skisource(unstable)(unfixed)low559828
synfigsource(unstable)0.62.00-1low559829
xmlsec1source(unstable)1.2.14-1unimportant559831

Notes

- arts <not-affected> (Uses absolute path to the sound backend)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
requested camserv removal
[lenny] - camserv <no-dsa> (Minor issue)
[etch] - camserv <no-dsa> (Minor issue)
[lenny] - collectd <no-dsa> (Minor issue)
[etch] - collectd <no-dsa> (Minor issue)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
[lenny] - gnash <no-dsa> (Minor issue)
[lenny] - gnu-smalltalk <no-dsa> (Minor issue)
[etch] - gnu-smalltalk <no-dsa> (Minor issue)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
[etch] - hamlib <no-dsa> (Minor issue)
[lenny] - hercules <no-dsa> (Minor issue)
[etch] - hercules <no-dsa> (Minor issue)
- kdelibs <not-affected> (dl_open open loads from fixed paths)
[lenny] - libannodex <no-dsa> (Minor issue)
[etch] - libannodex <no-dsa> (Minor issue)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
[lenny] - libtunepimp <no-dsa> (Minor issue)
[etch] - libtunepimp <no-dsa> (Minor issue)
[etch] - mp4h <no-dsa> (Minor issue)
[lenny] - mp4h <no-dsa> (Minor issue)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
[lenny] - pinball <no-dsa> (Minor issue)
[etch] - pinball <no-dsa> (Minor issue)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - siproxd <no-dsa> (Minor issue)
[etch] - siproxd <no-dsa> (Minor issue)
[lenny] - synfig <no-dsa> (Minor issue)
Embedded code copy isn't used
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
[lenny] - imagemagick <no-dsa> (Minor issue)
[etch] - imagemagick <no-dsa> (Minor issue)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
[lenny] - lam <no-dsa> (Minor issue)
[etch] - lam <no-dsa> (Minor issue)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
users with write access can modify configuration to load new extensions, see #559837
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
[lenny] - sdcc <no-dsa> (Minor issue)
[etch] - sdcc <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
[lenny] - babel <no-dsa> (Minor issue)
[etch] - libprelude <no-dsa> (Minor issue)
the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
might've been fixed earlier

Search for package or bug name: Reporting problems