tags 559815 + patch
thanks

Hoi p2,

I have prepared an NMU for hercules (version 3.06-1.2) to use
the system libtool/libltdl instead of its own bundled version,
according to Policy §4.13, thus fixing CVE-2009-3736.

I’ll have it uploaded to DELAYED/2 according to devref §5.11;
the patch is attached.

You might want to have a look at all these gcc warnings about
array accesses being below/above array bounds, though. There
may be more security issues hiding.

Groeten,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.   -- Rob Pike in "Notes on Programming in C"
diff -u hercules-3.06/debian/control hercules-3.06/debian/control
--- hercules-3.06/debian/control
+++ hercules-3.06/debian/control
@@ -7,7 +7,12 @@
                zlib1g-dev,
                libbz2-dev,
                libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
+               libltdl-dev,
+               libtool,
+               autoconf (>= 2.61~),
+               automake1.9,
                autotools-dev
+Build-Conflicts: autoconf2.13, automake1.4
 Standards-Version: 3.6.2
 
 Package: hercules
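Review bot: Adding libltdl-dev to Build-Depends only delivers the CVE-2009-3736 benefit if the binary package also records its new runtime dependency on the shared libltdl, so that future libltdl security updates reach hercules; the Depends field of the hercules package is outside this hunk, so confirm it contains `${shlibs:Depends}` (dh_shlibdeps then picks up the libltdl runtime package from the `-lltdl` link). If Depends is hand-written, the system-library switch is silently incomplete.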
diff -u hercules-3.06/debian/changelog hercules-3.06/debian/changelog
--- hercules-3.06/debian/changelog
+++ hercules-3.06/debian/changelog
@@ -1,3 +1,11 @@
+hercules (3.06-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Use autoreconf in order to use system libltdl instead of the bundled
+    one (upgrading from 1.x to 2.2). (Closes: #559815) (CVE-2009-3736)
+
+ -- Thorsten Glaser <t...@mirbsd.de>  Sun, 24 Jan 2010 00:44:52 +0000
+
 hercules (3.06-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u hercules-3.06/debian/rules hercules-3.06/debian/rules
--- hercules-3.06/debian/rules
+++ hercules-3.06/debian/rules
@@ -42,11 +42,13 @@
   CONFIGURE_ARGS += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
 endif
 
+CONFIGURE_ARGS+= --without-included-ltdl
+
 configure: configure-stamp
 configure-stamp:
        dh_testdir
-       ln -nsf /usr/share/misc/config.guess autoconf/config.guess
-       ln -nsf /usr/share/misc/config.sub autoconf/config.sub
+
+       autoreconf -fvi -Im4 -Iautoconf
 
        ./configure $(CONFIGURE_ARGS)
 
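Review bot: Dropping the two `ln -nsf /usr/share/misc/config.guess|config.sub` lines means the build now uses whatever config.guess/config.sub `autoreconf -fvi` copies in from automake1.9 instead of the up-to-date autotools-dev copies, yet `autotools-dev` stays in Build-Depends in the control hunk. Either re-add the two `ln -nsf` lines after the `autoreconf` line (they must follow it, since `-f -i` replaces the files) or drop autotools-dev from Build-Depends; the clean rule already removes both files either way. The configure-stamp recipe continues past the end of this hunk.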
@@ -72,7 +74,12 @@
        # Add here commands to clean up after the build process.
        if test -f Makefile; then $(MAKE) distclean; fi
        rm -f hercules.1
-       rm -f autoconf/config.guess autoconf/config.sub
+       rm -f ltdl.c ltdl.h Makefile.in */Makefile.in autoconf/config.guess \
+           autoconf/config.sub autoconf/depcomp autoconf/install-sh \
+           autoconf/ltmain.sh autoconf/missing autoconf/mkinstalldirs \
+           m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 \
+           m4/'lt~obsolete.m4' aclocal.m4 config.h.in config.log \
+           configure
 
        dh_clean
 
only in patch2:
unchanged:
--- hercules-3.06.orig/configure.ac
+++ hercules-3.06/configure.ac
@@ -116,151 +116,8 @@
 AC_SUBST(modexecdir)
 
 
-# -----------------------------------------------------------------------------
-#
-#  AC_LIBTOOL_DLOPEN
-#
-#       Enable checking for dlopen support. This macro should be used if the
-#       package makes use of the '-dlopen' and '-dlpreopen' flags, otherwise
-#       libtool will assume that the system does not support dlopening. The
-#       macro must be called before AC_PROG_LIBTOOL.
-#
-# -----------------------------------------------------------------------------
-
-AC_LIBTOOL_DLOPEN()                     # (we need libtool's dlopen support)
-
-
-# -----------------------------------------------------------------------------
-#
-#  AC_LIBTOOL_WIN32_DLL
-#
-#       This macro should be used if the package has been ported to build
-#       clean dlls on win32 platforms. Usually this means that any library
-#       data items are exported with __declspec(dllexport) and imported with
-#       __declspec(dllimport). If this macro is not used, libtool will assume
-#       that the package libraries are not dll clean and will build only static
-#       libraries on win32 hosts.
-#
-#       This macro must be called before AC_PROG_LIBTOOL, and provision must
-#       be made to pass '-no-undefined' to libtool in link mode from the 
package
-#       Makefile. Naturally, if you pass '-no-undefined', you must ensure that
-#       all the library symbols really are defined at link time!
-#
-# -----------------------------------------------------------------------------
-
-AC_LIBTOOL_WIN32_DLL()                  # (we need Win32 support in libtool)
-
-
-# -----------------------------------------------------------------------------
-#  See: 'AC_PROG_LIBTOOL' below.
-# -----------------------------------------------------------------------------
-
-AC_DISABLE_STATIC()                     # (forces libtool to build shared
-
-                                        #  libraries instead of static ones)
-# -----------------------------------------------------------------------------
-#  AC_PROG_LIBTOOL
-#
-#       Add support for the '--enable-shared' and '--disable-shared'
-#       configure flags. By default, this macro turns on shared libraries
-#       if they are available, and also enables static libraries if they
-#       don't conflict with the shared libraries. You can modify these
-#       defaults by calling either the AC_DISABLE_SHARED or AC_DISABLE_STATIC
-#       macros.
-#
-#       Hercules REQUIRES shared libraries (i.e. DLLs), so we do indeed use
-#       the AC_DISABLE_STATIC macro above.
-#
-# -----------------------------------------------------------------------------
-
-AC_PROG_LIBTOOL()                       # (we build libtool for ourselves)
-
-
-# -----------------------------------------------------------------------------
-#
-#  AC_LIB_LTDL
-#
-#       Even though libltdl is installed together with libtool, you may wish
-#       to include libltdl in the distribution of your package, for the 
convenience
-#       of users of your package that don't have libtool or libltdl installed.
-#
-#       The most simplistic way to add libltdl to your package is to copy the
-#       source files, 'ltdl.c' and 'ltdl.h', to a source directory withing your
-#       package and to build and link them along with the rest of your sources.
-#
-#       To do this, you must add a call to the 'AC_LIB_LTDL' macro to your 
package's
-#       'configure.in' to perform the required configure time checks in order 
that
-#       'ltdl.o' is built correctly.
-#
-#       This method does have its problems though: if you try to link the 
package
-#       binaries with an installed libltdl, or a library which depends on 
libltdl,
-#       you may have problems with duplicate symbol definitions.
-#
-#       In order to enable this flavor of libltdl, you should add the line
-#       'AC_LIBLTDL_CONVENIENCE' to your `configure.in', before 
'AC_PROG_LIBTOOL'.
-#
-#       In order to select the installable version of libltdl, you should add a
-#       call of the macro 'AC_LIBLTDL_INSTALLABLE' to your 'configure.in' 
before
-#       'AC_PROG_LIBTOOL'. This macro will check whether libltdl is already
-#       installed and, if not, request the libltdl embedded in your package to 
be
-#       built and installed.
-#
-#       Whatever macro you use, it is up to you to ensure that your 
'configure.in'
-#       will configure libltdl, using 'AC_CONFIG_SUBDIRS', and that your 
'Makefile's
-#       will start sub-makes within libltdl's directory, using automake's 
SUBDIRS,
-#       for example. Both macros define the shell variables LIBLTDL, to the 
link flag
-#       that you should use to link with libltdl, and LTDLINCL, to the 
preprocessor
-#       flag that you should use to compile with programs that include 
'ltdl.h'. It
-#       is up to you to use 'AC_SUBST' to ensure that this variable will be 
available
-#       in 'Makefile's, or add them to variables that are 'AC_SUBST'ed by 
default,
-#       such as LIBS and CPPFLAGS.
-#
-#       So, when you want to link a program with libltdl, be it a convenience,
-#       installed or installable library, just compile with '$(LTDLINCL)' and 
link
-#       it with '$(LIBLTDL)', using libtool.
-#
-#       You should probably also add 'AC_LIBTOOL_DLOPEN' to your 
'configure.in' before
-#       'AC_PROG_LIBTOOL', otherwise libtool will assume no dlopening 
mechanism is
-#       supported, and revert to dlpreopening, which is probably not what you 
want.
-#
-#       The following example shows you how to embed the convenience libltdl
-#       in your package. In order to use the installable variant just replace
-#       'AC_LIBLTDL_CONVENIENCE' with 'AC_LIBLTDL_INSTALLABLE'. We assume that 
libltdl
-#       was embedded using 'libtoolize --ltdl':
-#
-#           configure.in:
-#
-#               ...
-#               dnl Enable building of the convenience library
-#               dnl and set LIBLTDL accordingly
-#               AC_LIBLTDL_CONVENIENCE
-#               dnl Substitute LTDLINCL and LIBLTDL in the Makefiles
-#               AC_SUBST(LTDLINCL)
-#               AC_SUBST(LIBLTDL)
-#               dnl Check for dlopen support
-#               AC_LIBTOOL_DLOPEN
-#               dnl Configure libtool
-#               AC_PROG_LIBTOOL
-#               dnl Configure libltdl
-#               AC_CONFIG_SUBDIRS(libltdl)
-#               ...
-#
-#           Makefile.am:
-#
-#               ...
-#               SUBDIRS = libltdl
-#
-#               INCLUDES = $(LTDLINCL)
-#
-#               myprog_LDFLAGS = -export-dynamic
-#               # The quotes around -dlopen below fool automake <= 1.4 into 
accepting it
-#               myprog_LDADD = $(LIBLTDL) "-dlopen" self "-dlopen" foo1.la
-#               myprog_DEPENDENCIES = $(LIBLTDL) foo1.la
-#               ...
-#
-# -----------------------------------------------------------------------------
-
-AC_LIB_LTDL()                           # (we need the ltdl libtool library)
+LT_INIT([dlopen win32-dll disable-static])
+LTDL_INIT([])
 AC_SUBST([LIBTOOL_DEPS])                # (see PROGRAMMING NOTE above)
 
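Review bot: The replacement lines `LT_INIT([dlopen win32-dll disable-static])` and `LTDL_INIT([])` carry no comment, while the block they replace was heavily documented; a short note would keep the rationale readable. Suggested comment above them: `# LT_INIT replaces AC_LIBTOOL_DLOPEN/AC_LIBTOOL_WIN32_DLL/AC_DISABLE_STATIC/AC_PROG_LIBTOOL; LTDL_INIT replaces AC_LIB_LTDL. LTDL_INIT alone still permits a bundled libltdl fallback — the system copy is enforced by debian/rules passing --without-included-ltdl (CVE-2009-3736).` Recording that the guarantee lives in debian/rules matters because a future upstream merge of this configure.ac alone would not carry it.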
 
only in patch2:
unchanged:
--- hercules-3.06.orig/Makefile.am
+++ hercules-3.06/Makefile.am
@@ -171,7 +171,7 @@
 
 if OPTION_DYNAMIC_LOAD
   DYNSRC         =
-  LTDL           = ltdl.c
+  LTDL           =
 
   DYNMOD_LD_FLAGS = -module         \
                    -no-undefined    \
@@ -440,8 +440,7 @@
                              memrchr.c        \
                              $(dynamic_SRC)   \
                              $(extra_SRC)     \
-                             $(dyndev_SRC)    \
-                             ltdl.c
+                             $(dyndev_SRC)
 
   libherc_la_LDFLAGS = $(LIB_LD_FLAGS)
 
@@ -450,6 +449,7 @@
                       libherct.la     \
                       libhercd.la     \
                       decNumber/libdecNumber.la \
+                      -lltdl \
                       $(LDADD)
 
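Review bot: The hard-coded `-lltdl` bypasses the substitutions that `LTDL_INIT` provides for exactly this purpose; LTDL_INIT substitutes `LIBLTDL` (link flags) and `LTDLINCL` (preprocessor flags), and using them keeps Makefile.am correct whichever libltdl mode configure selected. Change the added line to `$(LIBLTDL) \` and, for the compile side, add `$(LTDLINCL)` to the relevant CPPFLAGS/INCLUDES variable (outside this hunk). On Debian with `--without-included-ltdl` both expand to the system library, so behaviour is unchanged there.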
 #
@@ -728,7 +728,6 @@
                  hdl.h          \
                  crypto.h       \
                  sockdev.h      \
-                 ltdl.h         \
                  herc_getopt.h  \
                  service.h      \
                  chsc.h         \
only in patch2:
unchanged:
--- hercules-3.06.orig/autoconf/hercules.m4
+++ hercules-3.06/autoconf/hercules.m4
@@ -210,6 +210,7 @@
 AC_DEFUN([_HC_CHECK_NEED_GETOPT_WRAPPER],
 [
     AC_REQUIRE([AC_PROG_LIBTOOL])
+    LT_OUTPUT
     AC_MSG_CHECKING([whether getopt wrapper kludge is necessary])
 
     if test "$1" != "auto"; then
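Review bot: The new `LT_OUTPUT` is placed after `AC_REQUIRE([AC_PROG_LIBTOOL])`, but configure.ac now calls `LT_INIT`, and `AC_PROG_LIBTOOL` survives only as a compatibility alias in libtool 2.2; requiring the new name keeps the file consistent and silences autoupdate: `AC_REQUIRE([LT_INIT])`. A brief comment on the added line would also help, e.g. `LT_OUTPUT dnl generate libtool early; the getopt check below runs it`. The body of `_HC_CHECK_NEED_GETOPT_WRAPPER` continues past the hunk.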
only in patch2:
unchanged:
--- hercules-3.06.orig/crypto/Makefile.am
+++ hercules-3.06/crypto/Makefile.am
@@ -26,7 +26,7 @@
 
 if OPTION_DYNAMIC_LOAD
   DYNSRC         =
-  LTDL           = ../ltdl.c
+  LTDL           =
 
   DYNMOD_LD_FLAGS = -module         \
                    -no-undefined   \
only in patch2:
unchanged:
--- hercules-3.06.orig/decNumber/Makefile.am
+++ hercules-3.06/decNumber/Makefile.am
@@ -40,7 +40,7 @@
 endif
 
 if OPTION_DYNAMIC_LOAD
-  LTDL          = ../ltdl.c
+  LTDL          =
   LIB_LD_FLAGS    = -export-dynamic  \
                   $(XSTATIC)       \
                   -no-undefined    \
