authorKarsten Hopp <karsten@fedoraproject.org>2009-12-02 11:34:09 +0000
committerKarsten Hopp <karsten@fedoraproject.org>2009-12-02 11:34:09 +0000
commit0441a2a8d01481a79fa807d6ea4fad7d2de1e0bf (patch)
tree02d09c6dbe3740712e6000756e01286ef8cdc342
parent2821ffac4887c36815f13d555908b1a5dac4143b (diff)
- update to 2.2.6b, fixes CVE-2009-3736: libltdl may load and execute code
from a library in the current directory (libtool-2_2_6-11_fc11_2)
-rw-r--r--.cvsignore2
-rw-r--r--libtool-1.5.24-relativepath.patch14
-rw-r--r--libtool.spec12
-rw-r--r--sources2
4 files changed, 10 insertions, 20 deletions
diff --git a/.cvsignore b/.cvsignore
index 1d0ea14..94c013d 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-libtool-2.2.6a.tar.gz
+libtool-2.2.6b.tar.gz
diff --git a/libtool-1.5.24-relativepath.patch b/libtool-1.5.24-relativepath.patch
deleted file mode 100644
index 1549b2f..0000000
--- a/libtool-1.5.24-relativepath.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up libtool-1.5.24/libltdl/ltdl.c.relativepath libtool-1.5.24/libltdl/ltdl.c
---- libtool-1.5.24/libltdl/ltdl.c.relativepath 2007-06-01 07:04:54.000000000 +0200
-+++ libtool-1.5.24/libltdl/ltdl.c 2007-07-24 12:56:22.000000000 +0200
-@@ -3225,7 +3225,9 @@ try_dlopen (phandle, filename)
- }
- if (!file)
- {
-- file = fopen (filename, LT_READTEXT_MODE);
-+ /* don't open .la files in current directory, root might get tricked to run a binary in a prepared directory */
-+ if(!strncmp((filename + strlen(filename) - 3), LTDL_ARCHIVE_EXT,3) || strstr(filename,"/"))
-+ file = fopen (filename, LT_READTEXT_MODE);
- }
-
- /* If we didn't find the file by now, it really isn't there. Set
diff --git a/libtool.spec b/libtool.spec
index cf92d50..33a6182 100644
--- a/libtool.spec
+++ b/libtool.spec
@@ -1,12 +1,12 @@
-%define gcc_version 4.4.1
+%define gcc_version 4.4.0
Summary: The GNU Portable Library Tool
Name: libtool
Version: 2.2.6
-Release: 11%{?dist}.1
+Release: 11%{?dist}.2
License: GPLv2+ and LGPLv2+ and GFDL
Group: Development/Tools
-Source: http://ftp.gnu.org/gnu/libtool/libtool-%{version}a.tar.gz
+Source: http://ftp.gnu.org/gnu/libtool/libtool-%{version}b.tar.gz
Patch0: libtool-2.2.6a-rpath.patch
URL: http://www.gnu.org/software/libtool/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u} -n)
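Review bot: The `%define gcc_version` line at the top of this hunk goes from 4.4.1 back to 4.4.0, and neither the commit message nor the new changelog entry explains it; the previous changelog entry says the package was rebuilt against gcc-4.4.1. If this macro feeds a versioned dependency on gcc or the compiler paths recorded in the generated libtool script (not visible in this hunk), a mismatch with the compiler in the build root would ship in the same update as the CVE-2009-3736 fix. Either keep `%define gcc_version 4.4.1`, or add a changelog line such as `- build against gcc-4.4.0` so the change is recorded as deliberate.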
@@ -67,7 +67,7 @@ Static libraries and header files for development with ltdl.
%prep
-%setup -n libtool-%{version} -q
+%setup -n libtool-%{version}b -q
%patch0 -p1 -b .rpath
%build
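Review bot: The upstream `b` suffix is now hard-coded both in `%setup -n libtool-%{version}b` here and in the `Source:` URL in the first hunk, so the next upstream respin has to be edited in two places. A single macro would keep them in step, for example `%define upstream_suffix b` with `libtool-%{version}%{upstream_suffix}` used in both lines.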
@@ -142,6 +142,10 @@ fi
%changelog
+* Wed Dec 02 2009 Karsten Hopp <karsten@redhat.com> 2.2.6-11.2
+- update to 2.2.6b, fixes CVE-2009-3736:
+ libltdl may load and execute code from a library in the current directory
+
* Thu Jul 30 2009 Jakub Jelinek <jakub@redhat.com> 2.2.6-11.fc11.1
- rebuilt against gcc-4.4.1
diff --git a/sources b/sources
index 10f6054..806e7a0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8ca1ea241cd27ff9832e045fe9afe4fd libtool-2.2.6a.tar.gz
+07da460450490148c6d2df0f21481a25 libtool-2.2.6b.tar.gz