rpms/libtool/F-10 libtool-1.5.22-CVE-2009-3736.patch, NONE, 1.1 libtool.spec, 1.63, 1.64
Karsten Hopp
karsten at fedoraproject.org
Wed Dec 2 11:39:33 UTC 2009
Author: karsten
Update of /cvs/extras/rpms/libtool/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7207
Modified Files:
libtool.spec
Added Files:
libtool-1.5.22-CVE-2009-3736.patch
Log Message:
- add fix for CVE-2009-3736:
libltdl may load and execute code from a library in the current directory
libtool-1.5.22-CVE-2009-3736.patch:
ltdl.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
--- NEW FILE libtool-1.5.22-CVE-2009-3736.patch ---
diff -urN libtool-1.5.26.orig/libltdl/ltdl.c libtool-1.5.26/libltdl/ltdl.c
--- libtool-1.5.26.orig/libltdl/ltdl.c 2007-11-15 13:36:41.000000000 -0600
+++ libtool-1.5.26/libltdl/ltdl.c 2009-11-15 21:13:37.000000000 -0600
@@ -2192,7 +2192,8 @@
static int try_dlopen LT_PARAMS((lt_dlhandle *handle,
const char *filename));
static int tryall_dlopen LT_PARAMS((lt_dlhandle *handle,
- const char *filename));
+ const char *filename,
+ const char * useloader));
static int unload_deplibs LT_PARAMS((lt_dlhandle handle));
static int lt_argz_insert LT_PARAMS((char **pargz,
size_t *pargz_len,
@@ -2390,9 +2391,10 @@
}
static int
-tryall_dlopen (handle, filename)
+tryall_dlopen (handle, filename, useloader)
lt_dlhandle *handle;
const char *filename;
+ const char *useloader;
{
lt_dlhandle cur;
lt_dlloader *loader;
@@ -2459,6 +2461,11 @@
while (loader)
{
+ if (useloader && strcmp(loader->loader_name, useloader))
+ {
+ loader = loader->next;
+ continue;
+ }
lt_user_data data = loader->dlloader_data;
cur->module = loader->module_open (data, filename);
@@ -2528,7 +2535,7 @@
error += tryall_dlopen_module (handle,
(const char *) 0, prefix, filename);
}
- else if (tryall_dlopen (handle, filename) != 0)
+ else if (tryall_dlopen (handle, filename, NULL) != 0)
{
++error;
}
@@ -2549,7 +2556,7 @@
/* Try to open the old library first; if it was dlpreopened,
we want the preopened version of it, even if a dlopenable
module is available. */
- if (old_name && tryall_dlopen (handle, old_name) == 0)
+ if (old_name && tryall_dlopen (handle, old_name, "dlpreload") == 0)
{
return 0;
}
@@ -2813,7 +2820,7 @@
/* Try to dlopen the file, but do not continue searching in any
case. */
- if (tryall_dlopen (handle, filename) != 0)
+ if (tryall_dlopen (handle, filename,NULL) != 0)
*handle = 0;
return 1;
@@ -3103,7 +3110,7 @@
/* lt_dlclose()ing yourself is very bad! Disallow it. */
LT_DLSET_FLAG (*phandle, LT_DLRESIDENT_FLAG);
- if (tryall_dlopen (&newhandle, 0) != 0)
+ if (tryall_dlopen (&newhandle, 0, NULL) != 0)
{
LT_DLFREE (*phandle);
return 1;
@@ -3225,7 +3232,7 @@
}
#endif
}
- if (!file)
+ else
{
file = fopen (filename, LT_READTEXT_MODE);
}
@@ -3412,7 +3419,7 @@
#endif
)))
{
- if (tryall_dlopen (&newhandle, filename) != 0)
+ if (tryall_dlopen (&newhandle, filename, NULL) != 0)
{
newhandle = NULL;
}
Index: libtool.spec
===================================================================
RCS file: /cvs/extras/rpms/libtool/F-10/libtool.spec,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -p -r1.63 -r1.64
--- libtool.spec 29 Aug 2008 22:21:39 -0000 1.63
+++ libtool.spec 2 Dec 2009 11:39:33 -0000 1.64
@@ -3,7 +3,7 @@
Summary: The GNU Portable Library Tool
Name: libtool
Version: 1.5.26
-Release: 4%{?dist}
+Release: 4%{?dist}.1
License: GPLv2+ and LGPLv2+ and GFDL
Group: Development/Tools
Source: http://ftp.gnu.org/gnu/libtool/libtool-%{version}.tar.gz
@@ -13,9 +13,7 @@ Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
Patch1: libtool-1.5.24-multilib.patch
-# don't read .la file in current working directory, root might get tricked
-# into running a prepared binary in that directory:
-Patch2: libtool-1.5.24-relativepath.patch
+Patch2: libtool-1.5.22-CVE-2009-3736.patch
BuildRequires: autoconf >= 2.59, automake >= 1.9.2, texinfo
Requires: autoconf >= 2.58, automake >= 1.4
@@ -152,6 +150,10 @@ fi
%changelog
+* Wed Dec 02 2009 Karsten Hopp <karsten at redhat.com> 1.5.26-4.1
+- add fix for CVE-2009-3736:
+ libltdl may load and execute code from a library in the current directory
+
* Fri Aug 29 2008 Dennis Gilmore <dennis at ausil.us> 1.5.26-4
- rebuild for gcc-4.3.2
More information about the fedora-extras-commits
mailing list