[ardour/f14/master] - Fix CVE-2010-3349 RHBZ#638365

Orcan Ogetbil oget at fedoraproject.org
Wed Sep 29 19:50:50 UTC 2010


commit 5a18d11acfb67edb3c781787ecb2ff6d456b4db7
Author: Orcan Ogetbil <oget.fedora at gmail.com>
Date:   Wed Sep 29 15:48:39 2010 -0400

    - Fix CVE-2010-3349 RHBZ#638365

 ardour-safe-env-vars.patch |   14 ++++++++++++++
 ardour.spec                |    9 ++++++++-
 2 files changed, 22 insertions(+), 1 deletions(-)
---
diff --git a/ardour-safe-env-vars.patch b/ardour-safe-env-vars.patch
new file mode 100644
index 0000000..2d04406
--- /dev/null
+++ b/ardour-safe-env-vars.patch
@@ -0,0 +1,14 @@
+diff -rupN ardour-2.8.11.old/gtk2_ardour/ardour.sh.in ardour-2.8.11/gtk2_ardour/ardour.sh.in
+--- ardour-2.8.11.old/gtk2_ardour/ardour.sh.in	2009-02-24 07:37:42.000000000 -0500
++++ ardour-2.8.11/gtk2_ardour/ardour.sh.in	2010-09-29 15:23:27.000000000 -0400
+@@ -1,8 +1,8 @@
+ #!/bin/sh
+ 
+-export GTK_PATH=%INSTALL_PREFIX%/%LIBDIR%/ardour2:$GTK_PATH
++export GTK_PATH=%INSTALL_PREFIX%/%LIBDIR%/ardour2${GTK_PATH:+:$GTK_PATH}
+ 
+-export LD_LIBRARY_PATH=%INSTALL_PREFIX%/%LIBDIR%/ardour2:$LD_LIBRARY_PATH 
++export LD_LIBRARY_PATH=%INSTALL_PREFIX%/%LIBDIR%/ardour2${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+ # DYLD_LIBRARY_PATH is for Darwin
+ export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
+ 
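Review bot: The right-hand sides of both new `export` lines (GTK_PATH and LD_LIBRARY_PATH) are left unquoted under `#!/bin/sh`, and some `/bin/sh` implementations field-split the arguments of `export`, so an inherited value or install prefix containing whitespace could be split into extra words; quoting costs nothing: `export LD_LIBRARY_PATH="%INSTALL_PREFIX%/%LIBDIR%/ardour2${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`, and the same for GTK_PATH. The `${VAR:+:$VAR}` form removes only the empty element the wrapper itself used to append; an inherited value that already starts or ends with `:` or contains `::` still reaches the loader with an empty entry, which is presumably accepted as the caller's own environment but is worth stating. I would add a comment above the exports such as `# Append the inherited value only when it is non-empty: an empty path element makes the loader search the current directory (CVE-2010-3349)`, so the expansion is not simplified back later. The script continues beyond the eight lines shown in the nested hunk, so any later use of these variables is not visible here.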
diff --git a/ardour.spec b/ardour.spec
index aa49619..e404a66 100644
--- a/ardour.spec
+++ b/ardour.spec
@@ -1,7 +1,7 @@
 Summary:       Multichannel Digital Audio Workstation
 Name:          ardour
 Version:       2.8.11
-Release:       3%{?dist}
+Release:       4%{?dist}
 # No more direct links. Download from
 # http://ardour.org/download
 Source:        ardour-%{version}.tar.bz2
@@ -9,6 +9,9 @@ Source2:       ardour.script
 Patch0:        ardour-SConscript.patch
 Patch1:        ardour-2.8-session.cc-no_stomp.patch
 Patch3:        ardour-2.5-HOST_NOT_FOUND.patch
+# Fix CVE-2010-3349 RHBZ#638365
+# From upstream CVS 2.0 branch
+Patch4:        ardour-safe-env-vars.patch
 URL:           http://ardour.org
 License:       GPLv2+
 Group:         Applications/Multimedia
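Review bot: The provenance comment above `Patch4` names only "upstream CVS 2.0 branch", with no revision or URL, so a later packager cannot check that the shipped patch matches what upstream committed. For a security fix carried downstream, I would record the exact origin next to the CVE reference, for example `# Upstream: <upstream revision or URL>`, and note whether the patch was taken verbatim or adapted to 2.8.11.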
@@ -64,6 +67,7 @@ digital mixers.
 %patch0 -p1 -b .SConscript
 %patch1 -p1 -b .no_stomp
 %patch3 -p0 -b .host.not.found
+%patch4 -p1 -b .safe.env
 
 # Fix encodings:
 iconv -f ISO-8859-1 -t UTF8 ardour.1.fr > ardour.1.fr.tmp
@@ -177,6 +181,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_mandir}/ru/man1/ardour.1*
 
 %changelog
+* Wed Sep 29 2010 Orcan Ogetbil <oget [DOT] fedora [AT] gmail [DOT] com> 2.8.11-4
+- Fix CVE-2010-3349 RHBZ#638365
+
 * Tue Jul 27 2010 Orcan Ogetbil <oget[DOT]fedora[AT]gmail[DOT]com> - 2.8.11-3
 - Rebuild on F-14 against new boost
 

