Vulnerability Description
ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Libtool | 1.5 |
References
- ftp://ftp.gnu.org/gnu/libtool/libtool-2.2.6a-2.2.6b.diff.gzPatch
- http://git.savannah.gnu.org/cgit/libtool.git/commit/?h=branch-1-5&id=29b48580df7Patch
- http://hamlib.svn.sourceforge.net/viewvc/hamlib/trunk/libltdl/Makefile.am?revisi
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035133.h
- http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035168.h
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054656.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054915.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054921.html
- http://lists.gnu.org/archive/html/libtool/2009-11/msg00059.htmlPatch
- http://lists.gnu.org/archive/html/libtool/2009-11/msg00065.htmlPatch
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://secunia.com/advisories/37414Vendor Advisory
- http://secunia.com/advisories/37489Vendor Advisory
- http://secunia.com/advisories/37997
FAQ
What is CVE-2009-3736?
CVE-2009-3736 is a vulnerability with a CVSS score of 6.9 (MEDIUM). ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, w...
How severe is CVE-2009-3736?
CVE-2009-3736 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3736?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Libtool.