[ember/f15/master] Fix for CVE-2010-3355 (bug 638381).

Bruno Wolff III bruno at fedoraproject.org
Sat Mar 12 19:31:58 UTC 2011


commit 79c9ca2aa489aea4b180b4c727e29b1c5fce5655
Author: Bruno Wolff III <bruno at wolff.to>
Date:   Sat Mar 12 13:29:56 2011 -0600

    Fix for CVE-2010-3355 (bug 638381).

 ember-no-ld-needed.patch |   20 ++++++++++++++++++++
 ember.spec               |   10 +++++++---
 2 files changed, 27 insertions(+), 3 deletions(-)
---
diff --git a/ember-no-ld-needed.patch b/ember-no-ld-needed.patch
new file mode 100644
index 0000000..a673dba
--- /dev/null
+++ b/ember-no-ld-needed.patch
@@ -0,0 +1,20 @@
+--- ember.orig	2011-03-12 13:23:04.000000000 -0600
++++ ember	2011-03-12 13:24:52.000000000 -0600
+@@ -56,10 +56,13 @@
+ datadir=${prefix}/share/ember
+ media_user_dir=${datadir}/media/user
+ 
+-LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
+-LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
+-export LD_LIBRARY
+-export LD_LIBRARY_PATH
++# ember doesn't install any libraries and doesn't need to do the stuff below.
++# The stuff below is also a low level security risk when LD_LIBRARY_PATH
++# is empty before running the script.
++#LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
++#LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
++#export LD_LIBRARY
++#export LD_LIBRARY_PATH
+ 
+ 
+ homedata=$HOME/.ember
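Review bot: The new comment above the commented-out assignments says the old code is a risk when LD_LIBRARY_PATH is empty but not why, and the unsafe assignments stay in the script as dead code that could later be re-enabled verbatim. With an empty variable, `$prefix/lib/ember:$LD_LIBRARY_PATH` ends in a bare `:`, which the dynamic linker treats as the current working directory, so libraries could be picked up from wherever the script was started. I would say so in the comment, e.g. `# An empty LD_LIBRARY_PATH left a trailing ':' here, which the loader reads as the current directory.` Then either drop the dead lines or keep only the safe form `LD_LIBRARY_PATH=$prefix/lib/ember${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` for reference. The script continues beyond the hunk's context on both sides.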
diff --git a/ember.spec b/ember.spec
index 13e2dee..4ce595e 100644
--- a/ember.spec
+++ b/ember.spec
@@ -1,6 +1,6 @@
 Name:           ember
 Version:        0.6.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        3D client for WorldForge
 
 Group:          Amusements/Games
@@ -8,6 +8,7 @@ License:        GPLv3+
 URL:            http://www.worldforge.org/dev/eng/clients/ember
 Source0:        http://downloads.sourceforge.net/worldforge/%{name}-%{version}.tar.bz2
 Patch1:         ember-0.6.0-fix_implicit_dso.patch
+Patch2:         ember-no-ld-needed.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  SDL-devel tinyxml-devel DevIL-devel cegui-devel ogre-devel
@@ -27,6 +28,7 @@ It uses the Ogre 3D engine with CEGUI.
 %prep
 %setup -q
 %patch1 -p1
+%patch2
 
 # Encoding fix
 iconv -f iso-8859-1 -t utf-8 AUTHORS > AUTHORS.conv && mv -f AUTHORS.conv AUTHORS
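Review bot: `%patch2` is applied with no strip level while the line above uses `%patch1 -p1`. The new patch's headers name `ember.orig`/`ember` with no directory prefix, so writing `%patch2 -p0` would make the intended level explicit instead of relying on the default. From this hunk I cannot tell whether `ember` ships in the tarball or is generated from a template during the build. If it is generated, a patch applied in %prep would fail to apply or be overwritten, and the template would need the change instead. Because this is a security fix, it is worth confirming after the build that the installed launcher script no longer assigns LD_LIBRARY_PATH.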
@@ -84,9 +86,11 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_sysconfdir}/%{name}
 %config %{_sysconfdir}/%{name}/*
 
-
-
 %changelog
+* Sat Mar 12 2011 Bruno Wolff III <bruno at wolff.to> - 0.6.0-5
+- Fix low level security risk (CVE-2010-3355 bug 638381)
+- Avoid pointlessly munging LD_LIBRARY_PATH
+
 * Thu Mar 10 2011 Bruno Wolff III <bruno at wolff.to> - 0.6.0-4
 - Rebuild for new boost and ogre.
 

