[ember/f14/master] Fix for CVE-2010-3355 (bug 638381).

Bruno Wolff III bruno at fedoraproject.org
Sat Mar 12 19:41:47 UTC 2011 

commit d26719a405e52a9627db846af20cffd5758ead1f
Author: Bruno Wolff III <bruno at wolff.to>
Date:   Sat Mar 12 13:40:09 2011 -0600

    Fix for CVE-2010-3355 (bug 638381).

 ember-no-ld-needed.patch |   20 ++++++++++++++++++++
 ember.spec               |    8 +++++++-
 2 files changed, 27 insertions(+), 1 deletions(-)
---
diff --git a/ember-no-ld-needed.patch b/ember-no-ld-needed.patch
new file mode 100644
index 0000000..a673dba
--- /dev/null
+++ b/ember-no-ld-needed.patch
@@ -0,0 +1,20 @@
+--- ember.orig	2011-03-12 13:23:04.000000000 -0600
++++ ember	2011-03-12 13:24:52.000000000 -0600
+@@ -56,10 +56,13 @@
+ datadir=${prefix}/share/ember
+ media_user_dir=${datadir}/media/user
+ 
+-LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
+-LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
+-export LD_LIBRARY
+-export LD_LIBRARY_PATH
++# ember doesn't install any libraries and doesn't need to do the stuff below.
++# The stuff below is also a low level security risk when LD_LIBRARY_PATH
++# is empty before running the script.
++#LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
++#LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
++#export LD_LIBRARY
++#export LD_LIBRARY_PATH
+ 
+ 
+ homedata=$HOME/.ember
diff --git a/ember.spec b/ember.spec
index 0e9bd50..2090435 100644
--- a/ember.spec
+++ b/ember.spec
@@ -1,6 +1,6 @@
 Name:           ember
 Version:        0.5.6
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        3D client for WorldForge
 
 Group:          Amusements/Games
@@ -9,6 +9,7 @@ URL:            http://www.worldforge.org/dev/eng/clients/ember
 Source0:        http://downloads.sourceforge.net/worldforge/%{name}-%{version}.tar.bz2
 Patch0:         ember-0.5.6-gcc44.patch
 Patch1:         ember-0.5.6-fix_implicit_dso.patch
+Patch2:         ember-no-ld-needed.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  SDL-devel tinyxml-devel DevIL-devel cegui-devel ogre-devel
@@ -27,6 +28,7 @@ It uses the Ogre 3D engine with CEGUI.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2
 
 # Encoding fix
 iconv -f iso-8859-1 -t utf-8 AUTHORS > AUTHORS.conv && mv -f AUTHORS.conv AUTHORS
@@ -89,6 +91,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Sat Mar 12 2011 Bruno Wolff III <bruno at wolff.to> - 0.5.6-6
+- Fix low level security risk (CVE-2010-3355 bug 638381)
+- Avoid pointlessly munging LD_LIBRARY_PATH
+
 * Sun Jul  4 2010 Michel Salim <salimma at fedoraproject.org> - 0.5.6-5
 - Fix implicit DSO bug (#565162)

More information about the scm-commits mailing list