jreznik pushed to arts (epel7). "fix security issues in libltdl CVE-2009-3736"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Apr 2 15:11:54 UTC 2015 

>From baca44a1aa7938ad29a66408003c1572083a6e8a Mon Sep 17 00:00:00 2001
From: Than Ngo <than at fedoraproject.org>
Date: Mon, 7 Dec 2009 14:52:14 +0000
Subject: fix security issues in libltdl CVE-2009-3736


diff --git a/arts.spec b/arts.spec
index 3845d1b..7ed0a69 100644
--- a/arts.spec
+++ b/arts.spec
@@ -3,7 +3,6 @@
 
 %define multilib_arches %{ix86} x86_64 ppc ppc64 s390 s390x sparcv9 sparc64
 
-%define final 1 
 %define make_cvs 1
 
 Name:    arts
@@ -30,6 +29,9 @@ Patch50: arts-1.5.4-dlopenext.patch
 Patch51: kde-3.5-libtool-shlibext.patch
 # upstream patches
 
+# security patches
+# CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory 
+Patch200: libltdl-CVE-2009-3736.patch
 
 # used in artsdsp
 Requires: which
@@ -81,6 +83,8 @@ Install %{name}-devel if you intend to write applications using aRts.
 %patch50 -p1 -b .dlopenext
 %patch51 -p1 -b .libtool-shlibext
 
+%patch200 -p1 -b .CVE-2009-3736
+
 %if %{make_cvs}
 # hack/fix for newer automake
   sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
@@ -99,9 +103,7 @@ unset QTDIR && . /etc/profile.d/qt.sh
   --enable-new-ldflags \
   --disable-libmad \
   --with-alsa \
-%if 0%{?final}
   --enable-final
-%endif
 
 ## hack for artsdsp (see http://bugzilla.redhat.com/329671)
 #make %{?_smp_mflags} -k || \
@@ -187,6 +189,7 @@ rm -rf  %{buildroot}
 %changelog
 * Sun Dec 06 2009 Than Ngo <than at redhat.com> - 1.5.10-9
 - fix url
+- fix security issues in libltdl (CVE-2009-3736)
 
 * Wed Sep 02 2009 Than Ngo <than at redhat.com> - 1.5.10-8
 - drop support fedora < 10
diff --git a/libltdl-CVE-2009-3736.patch b/libltdl-CVE-2009-3736.patch
new file mode 100644
index 0000000..d49c117
--- /dev/null
+++ b/libltdl-CVE-2009-3736.patch
@@ -0,0 +1,22 @@
+diff -ur arts-orig/libltdl/ltdl.c arts-1.1.3/libltdl/ltdl.c
+--- arts-orig/libltdl/ltdl.c	2003-07-13 21:33:39.000000000 +0200
++++ arts-1.1.3/libltdl/ltdl.c	2009-11-19 16:09:29.000000000 +0100
+@@ -1544,7 +1544,8 @@
+   /* try to open the old library first; if it was dlpreopened,
+      we want the preopened version of it, even if a dlopenable
+      module is available */
+-  if (old_name && tryall_dlopen(handle, old_name) == 0)
++  if (old_name && tryall_dlopen(handle, old_name,
++                                advise, lt_dlloader_find ("lt_preopen") ) == 0)
+     {
+       return 0;
+     }
+@@ -2158,7 +2159,7 @@
+ 	  }
+ #endif
+       }
+-    if (!file)
++    else
+       {
+ 	file = fopen (filename, LT_READTEXT_MODE);
+       }
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/arts.git/commit/?h=epel7&id=baca44a1aa7938ad29a66408003c1572083a6e8a

More information about the scm-commits mailing list