Package: cmake
Version: 2.6.0-5
Severity: important
Tags: patch security
Hi,

it looks like cmake on Debian does not use system libraries much. Is there any specific reason for this?

Currently the curl, expat, zlib and xmlrpc libraries are included in the CMake sources and they are used instead of the system ones. This can lead to problems in case of a security problem in one of them. Looking at curl, the bundled version is 7.16.1 and it is affected at least by CVE-2007-3564. I did not investigate the other embedded libraries...

Using the --system-libs parameter to bootstrap seems to fix this issue and cmake seems to work fine. In this case you also need to add build depends for the used libraries. Hopefully I did not miss any in the attached patch.

CC to the security team as the version which includes the old curl is already in testing.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25.16-0.1-default (SMP w/2 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cmake depends on:
ii  libc6         2.7-15            GNU C Library: Shared libraries
ii  libgcc1       1:4.3.2-1         GCC support library
ii  libidn11      1.10-2.1          GNU libidn library, implementation
ii  libncurses5   5.6+20081004-1    shared libraries for terminal hand
ii  libssl0.9.8   0.9.8g-13         SSL shared libraries
ii  libstdc++6    4.3.2-1           The GNU Standard C++ Library v3

cmake recommends no packages.

cmake suggests no packages.

-- no debconf information
diff -u cmake-2.6.2/debian/control cmake-2.6.2/debian/control --- cmake-2.6.2/debian/control +++ cmake-2.6.2/debian/control @@ -4,7 +4,7 @@ Maintainer: A. Maitland Bottoms <[EMAIL PROTECTED]> Uploaders: Pierre Habouzit <[EMAIL PROTECTED]>, Modestas Vainius <[EMAIL PROTECTED]> DM-Upload-Allowed: yes -Build-Depends: debhelper (>= 6.0.7~), libncurses5-dev, tcl8.4, quilt, libcurl4-gnutls-dev +Build-Depends: debhelper (>= 6.0.7~), libncurses5-dev, tcl8.4, quilt, libcurl4-gnutls-dev, libxmlrpc-c3-dev, libexpat1-dev, zlib1g-dev Standards-Version: 3.8.0 Package: cmake diff -u cmake-2.6.2/debian/rules cmake-2.6.2/debian/rules --- cmake-2.6.2/debian/rules +++ cmake-2.6.2/debian/rules @@ -38,7 +38,7 @@ echo CMAKE_CXX_FLAGS:STRING=$(CFLAGS) >> Build/CMakeCache.txt $(if $(USE_DARTP),echo DART_ROOT:PATH=/usr/share/Dart >> Build/CMakeCache.txt) $(if $(USE_DARTP),echo BUILDNAME:STRING=cmake_2.2.3-1_$(DARCH).deb >> Build/CMakeCache.txt) - cd Build && ../bootstrap --prefix=/usr --docdir=/share/doc/cmake --mandir=/share/man + cd Build && ../bootstrap --prefix=/usr --docdir=/share/doc/cmake --mandir=/share/man --system-libs chmod -x ChangeLog.manual chmod -x Modules/*.cmake Modules/*.cmake.in Modules/*.cxx Modules/Platform/* touch $@
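Review bot: The debian/control hunk adds libxmlrpc-c3-dev, libexpat1-dev and zlib1g-dev to Build-Depends without any version constraints, and the diff carries no debian/changelog entry, so the upload that picks it up will neither close this bug nor record why the package suddenly depends on these libraries. Add a changelog entry that names the switch to system libraries and the bug it fixes, and if bootstrap needs particular minimum versions of these libraries, put them in the Build-Depends line. Note also that the diff is taken against cmake-2.6.2 while the report is filed against 2.6.0-5; confirm the hunk applies to the source that is actually in testing.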
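Review bot: The debian/rules hunk appends --system-libs to the bootstrap line, which switches curl, expat, zlib and xmlrpc together, but nothing in the rules file verifies that the switch took effect, so a bootstrap that silently fell back to a bundled copy would still produce a package. After the build step, consider checking the NEEDED entries of the cmake binary produced under Build/ (for example with `objdump -p` or ldd) and failing the build if libcurl, libexpat, libz and the libxmlrpc libraries are not listed. The report says cmake "seems to work fine" but does not mention the test suite; running it against the system libraries before upload would catch differences between the bundled 7.16.1 curl and the libcurl4-gnutls-dev build the package now links against.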
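As an added check, not part of the bug report or of the Debian package, the following shell function inspects ldd-style output for a cmake binary and reports which of the four libraries named in the report (curl, expat, zlib, xmlrpc) are not resolved from system shared objects, which is what a build that still uses the bundled copies looks like. The function name check_system_libs and both ldd listings are constructed here; the sonames are assumed from the patch's Build-Depends.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that a cmake binary picks up
# curl, expat, zlib and xmlrpc from system shared libraries instead of the
# copies bundled in the CMake source tree. Real use would be:
#   check_system_libs "$(ldd /usr/bin/cmake)"
# Below it runs on constructed ldd listings so that it works offline.

# Return 0 if every expected library appears as a shared dependency,
# 1 otherwise; each missing library is reported on stderr.
check_system_libs() {
    ldd_output=$1
    missing=0
    # Sonames assumed from the patch's Build-Depends: libcurl4-gnutls-dev,
    # libexpat1-dev, zlib1g-dev, libxmlrpc-c3-dev.
    for lib in libcurl libexpat libz libxmlrpc; do
        if ! printf '%s\n' "$ldd_output" | grep -q "^[[:space:]]*$lib[._-]"; then
            echo "$lib: not a shared dependency, bundled copy suspected" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed listing: a build without --system-libs links none of the four.
BUNDLED_LDD='    linux-vdso.so.1 =>  (0x00007fff5a5fe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00007f0a1d8f0000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f0a1d5e0000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0a1d270000)'

# Constructed listing: the same binary built with --system-libs.
SYSTEM_LDD="$BUNDLED_LDD
    libcurl-gnutls.so.4 => /usr/lib/libcurl-gnutls.so.4 (0x00007f0a1d000000)
    libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f0a1cde0000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f0a1cbc0000)
    libxmlrpc_client.so.3 => /usr/lib/libxmlrpc_client.so.3 (0x00007f0a1c9a0000)
    libxmlrpc.so.3 => /usr/lib/libxmlrpc.so.3 (0x00007f0a1c780000)"

check_system_libs "$BUNDLED_LDD" || echo "bundled build detected"
check_system_libs "$SYSTEM_LDD" && echo "system-libs build: OK"
```

Run against the real binary from debian/rules after the build step, a non-zero exit from the function is a cheap way to fail the package build when bootstrap fell back to a bundled library.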