Package: cmake
Version: 2.6.0-5
Severity: important
Tags: patch security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

It looks like cmake on Debian does not use system libraries much. Is
there any specific reason for this? Currently the curl, expat, zlib and
xmlrpc libraries are included in the CMake sources and they are used
instead of the system ones.

This can lead to problems in case of a security problem in one of them.
Looking at curl, the bundled version is 7.16.1 and it is affected at
least by CVE-2007-3564. I did not investigate other embedded libraries...

Using the --system-libs parameter to bootstrap seems to fix this issue
and cmake seems to work fine. In this case you also need to add build
depends for the used libraries. Hopefully I did not miss any in the
attached patch.

CC to the security team as the version which includes the old curl is
already in testing.

- -- 
    Michal Čihař | http://cihar.com | http://blog.cihar.com

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25.16-0.1-default (SMP w/2 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cmake depends on:
ii  libc6                     2.7-15         GNU C Library: Shared libraries
ii  libgcc1                   1:4.3.2-1      GCC support library
ii  libidn11                  1.10-2.1       GNU libidn library, implementation
ii  libncurses5               5.6+20081004-1 shared libraries for terminal hand
ii  libssl0.9.8               0.9.8g-13      SSL shared libraries
ii  libstdc++6                4.3.2-1        The GNU Standard C++ Library v3

cmake recommends no packages.

cmake suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj3SdcACgkQ3DVS6DbnVgRFBACg6W4oF4uEoYMmnIDrolJnS22z
3YsAoOlvpNHG5Wv16OF1BKkSh9CIHG/L
=6LYo
-----END PGP SIGNATURE-----
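The report's point is that a statically bundled library silently misses distribution security updates, so a defender wants a way to confirm that a built cmake actually takes curl, expat, zlib and xmlrpc from the system. The following is an added example, not code from the bug report or from the Debian package: it inspects `ldd` output for the four libraries named in the report. The `ldd` sample is constructed here, and the soname prefixes (`libcurl`, `libexpat`, `libz`, `libxmlrpc`) are an assumption about how the system libraries appear in that output.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian package: given the
# output of `ldd` for a cmake binary, list the libraries that a --system-libs
# build should link dynamically but that are absent from the output. A missing
# entry suggests the bundled copy was compiled in statically, so a distribution
# security update for that library would not reach this binary.

# Libraries the report says cmake bundles and that the patch takes from the
# system instead (matched as a prefix of the soname; assumed prefixes).
EXPECTED_LIBS="libcurl libexpat libz libxmlrpc"

# Constructed sample (assumed, not captured from a real host): this binary
# links the system curl and zlib but carries its own expat and xmlrpc.
SAMPLE_LDD='    linux-vdso.so.1 => (0x00007fff00000000)
    libcurl-gnutls.so.4 => /usr/lib/libcurl-gnutls.so.4 (0x00007f0000000000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f0000100000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00007f0000200000)
    libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f0000300000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000400000)'

# missing_system_libs LDD_OUTPUT
# Prints one expected library prefix per line for each one not present in
# the ldd output; prints nothing when every expected library is linked.
missing_system_libs() {
    ldd_out=$1
    for lib in $EXPECTED_LIBS; do
        # Each ldd line starts with optional whitespace, then the soname.
        # Require "." or "-" right after the prefix so that, for instance,
        # "libz" does not match "libzstd".
        if ! printf '%s\n' "$ldd_out" | grep -q "^[[:space:]]*${lib}[.-]"; then
            echo "$lib"
        fi
    done
}

# count_missing LDD_OUTPUT
# Prints the number of missing libraries (0 when all are linked).
count_missing() {
    missing_system_libs "$1" | grep -c . || true
}

# Stand-alone run on the constructed sample; on a real build host one would
# pass "$(ldd /usr/bin/cmake)" instead.
echo "libraries not taken from the system: $(count_missing "$SAMPLE_LDD")"
missing_system_libs "$SAMPLE_LDD"
```

Run against a real binary with `missing_system_libs "$(ldd /usr/bin/cmake)"`; a non-empty result after a `--system-libs` build means the switch did not take effect for that library and the bundled copy is still in use.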
diff -u cmake-2.6.2/debian/control cmake-2.6.2/debian/control
--- cmake-2.6.2/debian/control
+++ cmake-2.6.2/debian/control
@@ -4,7 +4,7 @@
 Maintainer: A. Maitland Bottoms <[EMAIL PROTECTED]>
 Uploaders: Pierre Habouzit <[EMAIL PROTECTED]>, Modestas Vainius <[EMAIL PROTECTED]>
 DM-Upload-Allowed: yes
-Build-Depends: debhelper (>= 6.0.7~), libncurses5-dev, tcl8.4, quilt, libcurl4-gnutls-dev
+Build-Depends: debhelper (>= 6.0.7~), libncurses5-dev, tcl8.4, quilt, libcurl4-gnutls-dev, libxmlrpc-c3-dev, libexpat1-dev, zlib1g-dev
 Standards-Version: 3.8.0
 
 Package: cmake
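Review bot: The new Build-Depends line carries no minimum version on libcurl4-gnutls-dev, so the build can still succeed against an unfixed system curl even though the report's motivation is CVE-2007-3564 in the bundled 7.16.1; consider `libcurl4-gnutls-dev (>= <first fixed Debian version>)` so the fix is enforced rather than assumed. The added libxmlrpc-c3-dev, libexpat1-dev and zlib1g-dev entries do cover the four bundled libraries the report names, but the line is now long enough that splitting it across continuation lines in the usual control-file style would make future diffs to it easier to review.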
diff -u cmake-2.6.2/debian/rules cmake-2.6.2/debian/rules
--- cmake-2.6.2/debian/rules
+++ cmake-2.6.2/debian/rules
@@ -38,7 +38,7 @@
 	echo CMAKE_CXX_FLAGS:STRING=$(CFLAGS) >> Build/CMakeCache.txt
 	$(if $(USE_DARTP),echo DART_ROOT:PATH=/usr/share/Dart              >> Build/CMakeCache.txt)
 	$(if $(USE_DARTP),echo BUILDNAME:STRING=cmake_2.2.3-1_$(DARCH).deb >> Build/CMakeCache.txt)
-	cd Build && ../bootstrap --prefix=/usr --docdir=/share/doc/cmake --mandir=/share/man
+	cd Build && ../bootstrap --prefix=/usr --docdir=/share/doc/cmake --mandir=/share/man --system-libs
 	chmod -x ChangeLog.manual
 	chmod -x Modules/*.cmake  Modules/*.cmake.in Modules/*.cxx Modules/Platform/*
 	touch $@
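Review bot: Appending `--system-libs` to the bootstrap call is the whole of the change, and nothing in the rules verifies that it took effect; a bootstrap that silently falls back to a bundled copy (for example when a -dev package is missing or too old) would produce the same binary the report is complaining about. Suggest a post-build check in this target, such as grepping the generated Build/CMakeCache.txt for the system-library settings the bootstrap writes, or running `ldd` on the built cmake and failing the build if libcurl, libexpat, libz or libxmlrpc is absent, so a regression is caught at package build time rather than after upload.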