[ember/f14/master] Fix for CVE-2010-3355 (bug 638381).
Bruno Wolff III
bruno at fedoraproject.org
Sat Mar 12 19:41:47 UTC 2011
commit d26719a405e52a9627db846af20cffd5758ead1f
Author: Bruno Wolff III <bruno at wolff.to>
Date: Sat Mar 12 13:40:09 2011 -0600
Fix for CVE-2010-3355 (bug 638381).
ember-no-ld-needed.patch | 20 ++++++++++++++++++++
ember.spec | 8 +++++++-
2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/ember-no-ld-needed.patch b/ember-no-ld-needed.patch
new file mode 100644
index 0000000..a673dba
--- /dev/null
+++ b/ember-no-ld-needed.patch
@@ -0,0 +1,20 @@
+--- ember.orig 2011-03-12 13:23:04.000000000 -0600
++++ ember 2011-03-12 13:24:52.000000000 -0600
+@@ -56,10 +56,13 @@
+ datadir=${prefix}/share/ember
+ media_user_dir=${datadir}/media/user
+
+-LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
+-LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
+-export LD_LIBRARY
+-export LD_LIBRARY_PATH
++# ember doesn't install any libraries and doesn't need to do the stuff below.
++# The stuff below is also a low level security risk when LD_LIBRARY_PATH
++# is empty before running the script.
++#LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
++#LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
++#export LD_LIBRARY
++#export LD_LIBRARY_PATH
+
+
+ homedata=$HOME/.ember
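Review bot: The new comment at `+# The stuff below is also a low level security risk when LD_LIBRARY_PATH` does not say what the risk is, and the four old lines are kept as commented-out code where they can be re-enabled or copied into another wrapper. When LD_LIBRARY_PATH is unset or empty, `$prefix/lib/ember:$LD_LIBRARY_PATH` ends in a colon, and the dynamic loader treats that empty entry as the current working directory, so libraries are searched for in whatever directory the script was started from. I would delete the four lines outright and keep one comment that names the mechanism, for example `# Do not prepend to LD_LIBRARY_PATH here: an empty trailing entry makes ld.so search the cwd (CVE-2010-3355).` If a prepend is ever needed again, `LD_LIBRARY_PATH=$prefix/lib/ember${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` adds the separator only when the variable already has a value.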
diff --git a/ember.spec b/ember.spec
index 0e9bd50..2090435 100644
--- a/ember.spec
+++ b/ember.spec
@@ -1,6 +1,6 @@
Name: ember
Version: 0.5.6
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: 3D client for WorldForge
Group: Amusements/Games
@@ -9,6 +9,7 @@ URL: http://www.worldforge.org/dev/eng/clients/ember
Source0: http://downloads.sourceforge.net/worldforge/%{name}-%{version}.tar.bz2
Patch0: ember-0.5.6-gcc44.patch
Patch1: ember-0.5.6-fix_implicit_dso.patch
+Patch2: ember-no-ld-needed.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel tinyxml-devel DevIL-devel cegui-devel ogre-devel
@@ -27,6 +28,7 @@ It uses the Ogre 3D engine with CEGUI.
%setup -q
%patch0 -p1
%patch1 -p1
+%patch2
# Encoding fix
iconv -f iso-8859-1 -t utf-8 AUTHORS > AUTHORS.conv && mv -f AUTHORS.conv AUTHORS
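Review bot: `%patch2` is applied without a strip level while the two patches above it use `-p1`, so it relies on the macro's default. The new patch's headers name `ember.orig` and `ember` with no leading directory, so strip level 0 is what is needed; writing it as `%patch2 -p0` makes that explicit and keeps the three lines consistent. A short comment above it such as `# CVE-2010-3355: stop the wrapper script from exporting LD_LIBRARY_PATH` would also tell a later packager why the patch must not be dropped on a rebase.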
@@ -89,6 +91,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Sat Mar 12 2011 Bruno Wolff III <bruno at wolff.to> - 0.5.6-6
+- Fix low level security risk (CVE-2010-3355 bug 638381)
+- Avoid pointlessly munging LD_LIBRARY_PATH
+
* Sun Jul 4 2010 Michel Salim <salimma at fedoraproject.org> - 0.5.6-5
- Fix implicit DSO bug (#565162)