Opened 23 years ago
Closed 18 years ago
#168 closed defect (fixed)
libtool-1.5.22
| Reported by: | Owned by: | Matthew Burgess | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Change History (40)
comment:1 by , 23 years ago
| dependson: | → 30 |
|---|---|
| Resolution: | → later |
| Status: | new → closed |
comment:2 by , 23 years ago
| Resolution: | later |
|---|---|
| Status: | closed → reopened |
comment:3 by , 23 years ago
| Summary: | libtool-1.4.1 → libtool-1.4.2 |
|---|
comment:4 by , 23 years ago
| Owner: | changed from to |
|---|---|
| Status: | reopened → assigned |
comment:5 by , 23 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:6 by , 22 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.4.2 → libtool-1.4.3 |
comment:7 by , 22 years ago
Has the current patch for libtool-1.4.2 (autoconf-2.53 related fixes) been submitted to the libtool maintainer? The patch is still valid as of 1.4.3.
comment:8 by , 21 years ago
| Owner: | changed from to |
|---|---|
| Status: | reopened → new |
comment:9 by , 21 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:10 by , 21 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.4.3 → libtool-1.5 |
Version increment (1.5)
comment:11 by , 21 years ago
| Priority: | normal → highest |
|---|
comment:12 by , 21 years ago
| Status: | reopened → assigned |
|---|
comment:13 by , 21 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:14 by , 20 years ago
| dependson: | 30 |
|---|
comment:15 by , 20 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5 → libtool-1.5.2 |
Version increment (1.5.2)
comment:16 by , 20 years ago
lfs-book-cvs-html-2004-01-26/chapter06/libtool.html make check All 101 tests passed
comment:17 by , 20 years ago
| Priority: | highest → normal |
|---|
comment:18 by , 20 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
comment:19 by , 20 years ago
For paranoids:
Date: Fri, 30 Jan 2004 02:14:57 +0100 From: Stefan Nordhausen <deletethis.nordhaus@…> To: bugtraq@… Subject: Symlink Vulnerability in GNU libtool <1.5.2
Vulnerable: libtool <1.5.2 Not Vulnerable: libtool 1.5.2 Project website: http://www.gnu.org/software/libtool/libtool.html
Description of libtool (from website): "GNU libtool is a generic library support script. Libtool hides the complexity of using shared libraries behind a consistent, portable interface." Libtool is included with many packages that rely on it to handle libraries. As a result these packages are vulnerable as well.
Discussion: I found a symlink vulnerability in libtool prior to version 1.5.2. Libtool insecurely creates a temporary directory when a package using libtool is being compiled.
I want to point out that this bug is _only_ exploitable at compile time. The binaries that are produced during compilation are _not_ affected. As a result, systems that rely exclusively on binary packages are not affected at all.
Solution: Updating to libtool 1.5.2 (the current stable release) will eliminate the vulnerability. If you want to stick with your old version of libtool you can easily fix this bug yourself. In "ltmain.in" (or file "libtool", whichever applies for you) you should replace the line:
if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :with
if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
Packages sometimes bring their own version of libtool. As a result, fixing the libtool that is installed on your system may not be enough. To solve this problem, package maintainers should fix their packages if they use libtool!
Regards Stefan Nordhausen
-- Don't open your eyes, you won't like what you see. The blind have been blessed with security. Don't open your eyes, take it from me. I have found, you can find happiness in slavery.
Trent Reznor
comment:20 by , 20 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.2 → libtool-1.5.4 |
Version Increment (1.5.4)
comment:21 by , 20 years ago
See http://mail.gnu.org/archive/html/bug-libtool/2004-04/msg00017.html and http://mail.gnu.org/archive/html/bug-libtool/2004-04/msg00018.html for why we may want to wait until upgrading. Unfortuantely the NEWS file simply lists "bug fixes" as the differences in this version, so I personally have no way of knowing whether we are missing out on anything by holding off on this upgrade. I don't think it should go ito 5.1-pre2 at any rate.
Cheers,
Matt.
comment:23 by , 20 years ago
| Owner: | changed from to |
|---|---|
| Status: | reopened → new |
comment:24 by , 20 years ago
| Status: | new → assigned |
|---|
comment:26 by , 20 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.6 → libtool-1.5.8 |
| Version: | CVS → SVN |
Version increment (1.5.8)
comment:27 by , 20 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
comment:28 by , 20 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.8 → libtool-1.5.10 |
Version increment (1.5.10)
comment:30 by , 19 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.10 → libtool-1.5.12 |
Version increment (1.5.12)
comment:31 by , 19 years ago
| Summary: | libtool-1.5.12 → libtool-1.5.14 |
|---|
Version increment (1.5.14) fixing a couple of regressions from 1.5.12. (thanks Kevin Fleming!)
comment:33 by , 19 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.14 → libtool-1.5.16 |
Version increment (1.5.16)
comment:34 by , 19 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
comment:35 by , 19 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.16 → libtool-1.5.18 |
Version increment (1.5.18)
comment:36 by , 19 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
comment:37 by , 19 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.18 → libtool-1.5.20 |
Version increment (1.5.20). Various bug fixes including: "Fix yet another regression with ownership of libltdl data files", so we can drop the 'chown' command.
comment:38 by , 19 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
comment:39 by , 18 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
| Summary: | libtool-1.5.20 → libtool-1.5.22 |
Version increment (1.5.22). A few bug fixes, perhaps most importantly:
- Fix potential denial of service by malicious other users for tmpdir directory creation at relink time.
comment:40 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Version increment (1.4.3)