[ember/f15/master] Fix for CVE-2010-3355 (bug 638381).
Bruno Wolff III
bruno at fedoraproject.org
Sat Mar 12 19:31:58 UTC 2011
commit 79c9ca2aa489aea4b180b4c727e29b1c5fce5655
Author: Bruno Wolff III <bruno at wolff.to>
Date: Sat Mar 12 13:29:56 2011 -0600
Fix for CVE-2010-3355 (bug 638381).
ember-no-ld-needed.patch | 20 ++++++++++++++++++++
ember.spec | 10 +++++++---
2 files changed, 27 insertions(+), 3 deletions(-)
---
diff --git a/ember-no-ld-needed.patch b/ember-no-ld-needed.patch
new file mode 100644
index 0000000..a673dba
--- /dev/null
+++ b/ember-no-ld-needed.patch
@@ -0,0 +1,20 @@
+--- ember.orig 2011-03-12 13:23:04.000000000 -0600
++++ ember 2011-03-12 13:24:52.000000000 -0600
+@@ -56,10 +56,13 @@
+ datadir=${prefix}/share/ember
+ media_user_dir=${datadir}/media/user
+
+-LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
+-LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
+-export LD_LIBRARY
+-export LD_LIBRARY_PATH
++# ember doesn't install any libraries and doesn't need to do the stuff below.
++# The stuff below is also a low level security risk when LD_LIBRARY_PATH
++# is empty before running the script.
++#LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
++#LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
++#export LD_LIBRARY
++#export LD_LIBRARY_PATH
+
+
+ homedata=$HOME/.ember
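Review bot: The comment added above the disabled assignments names a "low level security risk" without saying what it is, and the old assignments stay behind as commented-out code that a later packager could simply re-enable. When LD_LIBRARY_PATH is unset or empty, `$prefix/lib/ember:$LD_LIBRARY_PATH` ends in a bare colon, and the dynamic loader treats that empty element as the current working directory, so libraries are looked up in whatever directory the user launched from. I would state that in the comment, e.g. `# An empty LD_LIBRARY_PATH element makes ld.so search the current directory (CVE-2010-3355).`, and delete the four commented lines rather than keep them. If the path ever has to come back, the safe form is `LD_LIBRARY_PATH=$prefix/lib/ember${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`. The wrapper script continues outside this hunk, so any other environment handling in it is not covered here.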
diff --git a/ember.spec b/ember.spec
index 13e2dee..4ce595e 100644
--- a/ember.spec
+++ b/ember.spec
@@ -1,6 +1,6 @@
Name: ember
Version: 0.6.0
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: 3D client for WorldForge
Group: Amusements/Games
@@ -8,6 +8,7 @@ License: GPLv3+
URL: http://www.worldforge.org/dev/eng/clients/ember
Source0: http://downloads.sourceforge.net/worldforge/%{name}-%{version}.tar.bz2
Patch1: ember-0.6.0-fix_implicit_dso.patch
+Patch2: ember-no-ld-needed.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel tinyxml-devel DevIL-devel cegui-devel ogre-devel
@@ -27,6 +28,7 @@ It uses the Ogre 3D engine with CEGUI.
%prep
%setup -q
%patch1 -p1
+%patch2
# Encoding fix
iconv -f iso-8859-1 -t utf-8 AUTHORS > AUTHORS.conv && mv -f AUTHORS.conv AUTHORS
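Review bot: `%patch2` is applied with no strip level while `%patch1 -p1` right above it states one. The patch headers are `ember.orig`/`ember` with no directory component, so writing `%patch2 -p0` would make the intent explicit instead of leaving the security fix dependent on patch's default path handling. If the `ember` wrapper is regenerated from a template during the build (not visible here), the edit made in %prep could be overwritten, so it is worth confirming that the installed script no longer exports LD_LIBRARY_PATH.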
@@ -84,9 +86,11 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_sysconfdir}/%{name}
%config %{_sysconfdir}/%{name}/*
-
-
%changelog
+* Sat Mar 12 2011 Bruno Wolff III <bruno at wolff.to> - 0.6.0-5
+- Fix low level security risk (CVE-2010-3355 bug 638381)
+- Avoid pointlessly munging LD_LIBRARY_PATH
+
* Thu Mar 10 2011 Bruno Wolff III <bruno at wolff.to> - 0.6.0-4
- Rebuild for new boost and ogre.