rpms/arts/F-11 libltdl-CVE-2009-3736.patch, NONE, 1.1 arts.spec, 1.93, 1.94

Than Ngo than at fedoraproject.org
Mon Dec 7 14:54:20 UTC 2009


Author: than

Update of /cvs/extras/rpms/arts/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21082

Modified Files:
	arts.spec 
Added Files:
	libltdl-CVE-2009-3736.patch 
Log Message:
fix security issues in libltdl CVE-2009-3736


libltdl-CVE-2009-3736.patch:
 ltdl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE libltdl-CVE-2009-3736.patch ---
diff -ur arts-orig/libltdl/ltdl.c arts-1.1.3/libltdl/ltdl.c
--- arts-orig/libltdl/ltdl.c	2003-07-13 21:33:39.000000000 +0200
+++ arts-1.1.3/libltdl/ltdl.c	2009-11-19 16:09:29.000000000 +0100
@@ -1544,7 +1544,8 @@
   /* try to open the old library first; if it was dlpreopened,
      we want the preopened version of it, even if a dlopenable
      module is available */
-  if (old_name && tryall_dlopen(handle, old_name) == 0)
+  if (old_name && tryall_dlopen(handle, old_name,
+                                advise, lt_dlloader_find ("lt_preopen") ) == 0)
     {
       return 0;
     }
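Review bot: The new call on the `old_name` branch passes four arguments to `tryall_dlopen` and uses an identifier `advise`, but the line it replaces called the same function with two arguments. The diffstat (3 insertions, 2 deletions) shows the patch does not touch the function's definition or prototype. Unless this tree's `tryall_dlopen` already takes an advise and a loader argument, the file will either fail to compile or the restriction to the `lt_preopen` loader will not take effect. The backport should carry the matching signature change in the same patch, or express the restriction with what this libltdl version already offers, with a comment such as `/* CVE-2009-3736: old_name may only be satisfied by the preopen loader */` above the call. The enclosing function starts and ends outside the hunk, so `advise` may be declared there; that should be confirmed.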
@@ -2158,7 +2159,7 @@
 	  }
 #endif
       }
-    if (!file)
+    else
       {
 	file = fopen (filename, LT_READTEXT_MODE);
       }
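Review bot: The `else` that replaces `if (!file)` binds to an `if` that opens above the hunk, so nothing visible here says which condition now guards the direct `fopen (filename, LT_READTEXT_MODE)`. If this is the part of the fix that stops a bare name from being opened relative to the current directory, it deserves a comment, for example `/* CVE-2009-3736: open filename directly only when it carries a directory part; never fall back to the current directory */`. That wording assumes the outer `if` tests for a missing directory component, which should be checked against the full function.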


Index: arts.spec
===================================================================
RCS file: /cvs/extras/rpms/arts/F-11/arts.spec,v
retrieving revision 1.93
retrieving revision 1.94
diff -u -p -r1.93 -r1.94
--- arts.spec	2 Mar 2009 16:16:08 -0000	1.93
+++ arts.spec	7 Dec 2009 14:54:20 -0000	1.94
@@ -3,36 +3,19 @@
 
 %define multilib_arches %{ix86} x86_64 ppc ppc64 s390 s390x sparcv9 sparc64
 
-%define final 1 
 %define make_cvs 1
 
-%if 0%{?fedora} < 10
-%define _with_esd --with-esd
-%define _with_nas --with-nas
-%if 0%{?rhel} == 0
-%define _with_jack --with-jack
-%endif
-%endif
-
-%if 0%{?fedora} > 8
-%define qt3 qt3
-%else
-%define qt3 qt
-%define qt3_epoch 1:
-%endif
-%define qt3_ev %{?qt3_epoch}3.3.8
-
 Name:    arts
 Summary: aRts (analog realtime synthesizer) - the KDE sound system 
 Group:   System Environment/Daemons
 Epoch:   8
 Version: 1.5.10
-Release: 5%{?dist}
+Release: 9%{?dist}
 
 License: LGPLv2+
 Url: http://www.kde.org
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Source0: ftp://ftp.kde.org/pub/kde/stable/%{version}/src/%{name}-%{version}.tar.bz2
+Source0: ftp://ftp.kde.org/pub/kde/stable/3.5.10/src/%{name}-%{version}.tar.bz2
 Source1: gslconfig-wrapper.h
 
 Patch1: arts-1.1.4-debug.patch
@@ -46,25 +29,22 @@ Patch50: arts-1.5.4-dlopenext.patch
 Patch51: kde-3.5-libtool-shlibext.patch
 # upstream patches
 
+# security patches
+# CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory 
+Patch200: libltdl-CVE-2009-3736.patch
 
 # used in artsdsp
 Requires: which
 
-BuildRequires: %{qt3}-devel >= %{qt3_ev}
-## Shouldn't be necessary, but some folks won't upgrade, unless we stiff-arm them.  (-;
-#global qt3_ver %(pkg-config qt-mt --modversion 2>/dev/null || echo %{qt3_ev})
-#Requires: %{qt3} >= %{qt3_ver}
+BuildRequires: qt3-devel >= 3.3.8
 BuildRequires: alsa-lib-devel
 BuildRequires: audiofile-devel
 %if %{make_cvs}
 BuildRequires: automake libtool
 %endif
-%{?_with_esd:BuildRequires: esound-devel}
 BuildRequires: findutils sed
 BuildRequires: glib2-devel
-%{?_with_jack:BuildRequires: jack-audio-connection-kit-devel}
 BuildRequires: libvorbis-devel
-%{?_with_nas:BuildRequires: nas-devel}
 BuildRequires: pkgconfig
 
 
@@ -83,8 +63,8 @@ playing a wave file with some effects.
 %package devel
 Group: Development/Libraries
 Summary: Development files for the aRts sound server
-Requires: %{name} = %{epoch}:%{version}-%{release}
-Requires: %{qt3}-devel
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: qt3-devel
 Requires: pkgconfig
 Requires: glib2-devel
 %description devel
@@ -103,7 +83,11 @@ Install %{name}-devel if you intend to w
 %patch50 -p1 -b .dlopenext
 %patch51 -p1 -b .libtool-shlibext
 
+%patch200 -p1 -b .CVE-2009-3736
+
 %if %{make_cvs}
+# hack/fix for newer automake
+  sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
   make -f admin/Makefile.common cvs
 %endif
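Review bot: `%patch200` applies a patch whose header names `arts-1.1.3/libltdl/ltdl.c` with a 2003 timestamp, while this spec builds version 1.5.10. If the shipped `ltdl.c` differs from the file the patch was cut from, the second patch hunk could apply at an offset and attach its `else` to a different `if`, because its only context is `}`, `#endif` and `{`. Regenerating the patch against the unpacked 1.5.10 tree and checking the build log for offset messages would settle it; a spec comment like `# generated against arts-1.5.10 libltdl/ltdl.c` would record that. Separately, `sed -iautomake` writes its backup as `admin/cvs.shautomake`; `-i.automake` looks like the intended suffix.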
 
@@ -119,12 +103,7 @@ unset QTDIR && . /etc/profile.d/qt.sh
   --enable-new-ldflags \
   --disable-libmad \
   --with-alsa \
-  %{?_with_esd} %{!?_with_esd:--without-esd} \
-  %{?_with_jack} %{!?_with_jack:--without-jack}\
-  %{?_with_nas} %{!?_with_nas:--without-nas} \
-%if 0%{?final}
   --enable-final
-%endif
 
 ## hack for artsdsp (see http://bugzilla.redhat.com/329671)
 #make %{?_smp_mflags} -k || \
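Review bot: Dropping the three `%{!?_with_...:--without-...}` lines removes the explicit `--without-esd`, `--without-jack` and `--without-nas` that were passed whenever those macros were undefined. With nothing passed, the result presumably depends on what configure detects in the build root, so a stray esound, jack or nas development package could change what the sound server links against. Keeping the switches explicit avoids that: `--without-esd --without-jack --without-nas \` before `--enable-final`. The configure invocation starts above the hunk.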
@@ -208,6 +187,20 @@ rm -rf  %{buildroot}
 
 
 %changelog
+* Sun Dec 06 2009 Than Ngo <than at redhat.com> - 1.5.10-9
+- fix url
+- fix security issues in libltdl (CVE-2009-3736)
+
+* Wed Sep 02 2009 Than Ngo <than at redhat.com> - 1.5.10-8
+- drop support fedora < 10
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 8:1.5.10-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jul 18 2009 Rex Dieter <rdieter at fedoraproject.org> - 8:1.5.10-6
+- FTBFS arts-1.5.10-5.fc11 (#511653)
+- -devel: Requires: %%{name}%%_isa ...
+
 * Mon Mar 02 2009 Rex Dieter <rdieter at fedoraproject.org> - 8:1.5.10-5
 - s/i386/%%ix86/
 



