tags 559803 + patch
thanks

Dear Andreas,

I have prepared an NMU for cvsnt (version 2.5.04.3236-1.2) to use
the system libtool/libltdl instead of its own bundled version,
according to Policy §4.13, thus fixing CVE-2009-3736.

As was suggested here at the BSP, I’ll have it uploaded into
unstable instead of a DELAYED/2, since it’s a security issue.

bye,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.   -- Rob Pike in "Notes on Programming in C"
reverted: cvsnt-2.5.04.3236/config.sub
reverted: cvsnt-2.5.04.3236/config.guess
(Note: these are auto-reverted by debian/rules clean anyway, so their
diff is omitted for brevity.)
diff -u cvsnt-2.5.04.3236/debian/control cvsnt-2.5.04.3236/debian/control
--- cvsnt-2.5.04.3236/debian/control
+++ cvsnt-2.5.04.3236/debian/control
@@ -3,7 +3,8 @@
 Priority: optional
 Maintainer: Andreas Tscharner <a...@vis.ethz.ch>
 Uploaders: Christian Bayle <ba...@debian.org>
-Build-Depends: debhelper (>= 7.0.17), autotools-dev, zlib1g-dev, 
libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev, 
libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch
+Build-Depends: debhelper (>= 7.0.17), autotools-dev, zlib1g-dev, 
libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev, 
libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch, autoconf (>= 
2.61~), automake1.10, libltdl-dev, libtool
+Build-Conflicts: autoconf2.13, automake1.4
 Standards-Version: 3.8.1
 Homepage: http://www.cvsnt.org/wiki/Download
 
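Review bot: The new Build-Depends on `libtool` and `libltdl-dev` carry no version constraint, although the configure.in patch in this same upload switches to `LT_INIT`/`LTDL_INIT`, macros that only libtool 2.2 provides; on a system with an older libtool the build would fail at `autoreconf`, and the new Build-Conflicts line guards autoconf and automake but not libtool. Consider `libtool (>= 2.2), libltdl-dev (>= 2.2)`, or, if the unversioned dependency is deliberate because every suite this NMU targets already ships 2.2, say so in the changelog. The Build-Depends field appearing wrapped over several lines is presumably a mail-client artifact rather than the actual file content.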
diff -u cvsnt-2.5.04.3236/debian/changelog cvsnt-2.5.04.3236/debian/changelog
--- cvsnt-2.5.04.3236/debian/changelog
+++ cvsnt-2.5.04.3236/debian/changelog
@@ -1,3 +1,11 @@
+cvsnt (2.5.04.3236-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Use autoreconf in order to use system libltdl instead of the bundled
+    one (upgrading from 1.x to 2.2). (Closes: #559803) (CVE-2009-3736)
+
+ -- Thorsten Glaser <t...@mirbsd.de>  Sun, 24 Jan 2010 15:40:34 +0000
+
 cvsnt (2.5.04.3236-1.1) unstable; urgency=medium
 
   [Jari Aalto]
diff -u cvsnt-2.5.04.3236/debian/rules cvsnt-2.5.04.3236/debian/rules
--- cvsnt-2.5.04.3236/debian/rules
+++ cvsnt-2.5.04.3236/debian/rules
@@ -27,15 +27,16 @@
        CFLAGS += -O2
 endif
 
-config.status: configure
+config.status: patch-stamp configure.in
        dh_testdir
+       autoreconf -fvi
        # Add here commands to configure the package.
-       CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) 
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man 
--infodir=\$${prefix}/share/info
+       CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) 
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man 
--infodir=\$${prefix}/share/info --without-included-ltdl
 
 
 build: build-stamp
 
-build-stamp:  config.status patch-stamp
+build-stamp:  config.status
        dh_testdir
 
        # Add here commands to compile the package.
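Review bot: `config.status: patch-stamp configure.in` encodes two non-obvious facts that the hunk leaves uncommented: `configure` is no longer a prerequisite because the clean target now deletes it and `autoreconf -fvi` regenerates it, and `patch-stamp` has to come first because 01_config.dpatch edits configure.in and acinclude.m4 before they are fed to autoreconf. A one-line comment above the rule, e.g. `# configure is deleted by clean and regenerated by autoreconf below, so depend on its (patched) inputs instead`, would spare the next maintainer that rediscovery. The rule also does not rerun when acinclude.m4 changes outside a dpatch; adding `acinclude.m4` to the prerequisites is cheap and keeps the graph honest.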
@@ -51,13 +52,22 @@
 
        # Add here commands to clean up after the build process.
        [ ! -f Makefile ] || $(MAKE) distclean
-ifneq "$(wildcard /usr/share/misc/config.sub)" ""
-       cp -f /usr/share/misc/config.sub config.sub
-endif
-ifneq "$(wildcard /usr/share/misc/config.guess)" ""
-       cp -f /usr/share/misc/config.guess config.guess
-endif
 
+       rm -rf aclocal.m4 libltdl config.guess config.sub pcre/aclocal.m4 \
+           pcre/config.h.in pcre/configure pcre/ltmain.sh zlib/zconf.h \
+           INSTALL config.h.in configure depcomp install-sh ltmain.sh \
+           missing mkinstalldirs
+       find . -name Makefile.in | while read name; do \
+               test '!' -e "$${name%in}am" || rm -f "$$name"; \
+       done
+       cd libxml && rm -f INSTALL aclocal.m4 config.guess config.h.in \
+           config.sub configure depcomp install-sh ltmain.sh missing \
+           mkinstalldirs
+       cd protocols/ntlm && rm -f m4/libtool.m4 m4/ltoptions.m4 \
+           m4/ltsugar.m4 m4/ltversion.m4 m4/'lt~obsolete.m4' INSTALL \
+           aclocal.m4 config.guess config.h.in config.sub configure \
+           depcomp install-sh ltmain.sh missing mkinstalldirs
+       mkdir libltdl
 
        dh_clean version_check
 
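Review bot: `mkdir libltdl` at the end of the clean recipe is unexplained and not idempotent: the `rm -rf … libltdl …` line a few lines earlier removes the directory, but each recipe line runs in its own shell, so if that line is interrupted or `clean` is re-run after a partial failure the plain `mkdir` aborts the target. `mkdir -p libltdl` plus a comment such as `# libtoolize (via autoreconf -i) needs an existing libltdl/ to populate; the bundled copy was removed above` — assuming that is the reason, which the hunk does not state — would be both safer and self-documenting. The `find … | while read name` loop should use `read -r`, since a backslash in a path would otherwise be mangled. Note that the bundled libltdl 1.x that CVE-2009-3736 is about is only deleted at clean time; the unpacked source still contains it, which is presumably acceptable because `--without-included-ltdl` keeps it out of the build, but a comment saying so would make the intent of the `rm -rf` line clear.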
diff -u cvsnt-2.5.04.3236/debian/patches/01_config.dpatch 
cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
--- cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
+++ cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
@@ -1,28 +1,54 @@
-#! /bin/sh -e
+#! /bin/sh /usr/share/dpatch/dpatch-run
 ## config.dpatch
-## Ralf Treinen <trei...@debian.org>
+## Thorsten Glaser <t...@mirbsd.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: replace all config.{guess,sub} by the vesion installed in
-## DP: /usr/share/misc
+## DP: fix autoconf system to work with libtool 2.2
 
-dpatch_patch ()
-{
-       find . -name config.guess -o -name config.sub \
-               | tar cf debian/patched/config.guess+sub.tar -T -
-       find . -name config.guess \
-               -exec ln -sf /usr/share/misc/config.guess '{}' \;
-       find . -name config.sub \
-               -exec ln -sf /usr/share/misc/config.sub '{}' \;
-}
+...@dpatch@
 
-dpatch_unpatch ()
-{
-       tar xf debian/patched/config.guess+sub.tar
-}
-
-DPATCH_LIB_NO_DEFAULT=1
-
-. /usr/share/dpatch/dpatch.lib.sh
-
-# arch-tag: 8a610a57-687b-4395-8ff2-79265c0a4eb3
+--- cvsnt-2.5.04.3236.orig/acinclude.m4
++++ cvsnt-2.5.04.3236/acinclude.m4
+@@ -8,7 +8,7 @@
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.  */
+ 
+-AC_DEFUN(ACX_WITH_GSSAPI,[
++AC_DEFUN([ACX_WITH_GSSAPI],[
+ #
+ # Use --with-gssapi[=DIR] to enable GSSAPI support.
+ #
+@@ -487,7 +487,7 @@
+       [$2],
+       [echo "$as_me: failed program was:" >&AS_MESSAGE_LOG_FD
+ cat conftest.$ac_ext >&AS_MESSAGE_LOG_FD
+-m4_ifvaln([$3],[$3])dnl])dnl
++m4_ifvaln([$3],[$3])dnl])
+ ac_compile="$glib_ac_compile_save"
+ rm -f conftest.$ac_objext conftest.err m4_ifval([$1], [conftest.$ac_ext])[]dnl
+ ])# GLIB_CHECK_COMPILE_WARNINGS
+--- cvsnt-2.5.04.3236.orig/configure.in
++++ cvsnt-2.5.04.3236/configure.in
+@@ -23,19 +23,12 @@
+ CFLAGS="$CFLAGS $OPTFLAGS"
+ CXXFLAGS="$CXXFLAGS $OPTFLAGS"
+ 
+-AC_LIBTOOL_DLOPEN
+-AC_LIBLTDL_CONVENIENCE
+-AC_CONFIG_SUBDIRS(libltdl)
++LT_CONFIG_LTDL_DIR([libltdl])
++LT_INIT([dlopen])
++LTDL_INIT([subproject convenience])
+ AC_SUBST(INCLTDL)
+ AC_SUBST(LIBLTDL)
+ 
+-# For broken libtools (eg. the one in debian sarge) where AC_LIBTOOL_PICMODE
+-# is nonfunctional and the defaults are backwards..
+-if test "${with_pic+set}" != set; then
+-   with_pic="yes"
+-fi
+-AC_PROG_LIBTOOL
+-
+ AC_PATH_PROG(PERL, perl, no)
+ AC_PATH_PROG(CSH, csh, no)
+ AC_PATH_PROG(PR, pr, no)
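Review bot: The nested configure.in change drops the `with_pic=yes` default together with `AC_PROG_LIBTOOL`, but `LT_INIT([dlopen])` does not re-establish it; if PIC-only objects are still relied on for the loadable modules, `LT_INIT([dlopen pic-only])` is the libtool 2.2 equivalent. The removed comment attributes the override to broken sarge-era libtools, so dropping it is probably right, but that deserves a sentence in the `## DP:` description, which at `fix autoconf system to work with libtool 2.2` is terse for a patch that also replaces `AC_LIBLTDL_CONVENIENCE`/`AC_CONFIG_SUBDIRS(libltdl)` with the system libltdl — the actual CVE-2009-3736 fix. The `...@dpatch@` line looks like the list archive's address obfuscation of the dpatch `@DPATCH@` marker; worth confirming against the real file before upload.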
