fix security issues in libltdl bundle within kdelibs CVE-2009-3736

2009-12-07 15:19:30 +00:00 · 2009-12-07 15:19:30 +00:00 · 70a8d1a23d
parent 1603fda542
commit 70a8d1a23d
2 changed files with 66 additions and 97 deletions
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@ -4,29 +4,20 @@

 %define distname "Fedora"

+%if 0%{?rhel}
+%define distname "EL"
+%endif
+
 %define kde_settings 1 

-%define arts 1
 %define arts_ev 8:1.5.10
-
-%if 0%{?fedora} > 8
 %define qt3 qt3
-%else
-%define qt3_epoch 1:
-%define qt3 qt
-%endif
 %define qt3_version 3.3.8b
 %define qt3_ev %{?qt3_epoch}%{qt3_version} 
-# unfortunately, this doesn't work for 3.3.8b which still identifies as 3.3.8
-#global qt3_ver %(pkg-config --modversion qt-mt 2>/dev/null || echo %{qt3_version})
-%define qt3_ver %{qt3_version}
-# fix this?... -- Rex
-%define qt3_docdir %{_docdir}/qt-devel-%{qt3_ver}
+%define qt3_docdir %{_docdir}/qt-devel-%{qt3_version}

 %define kde_major_version 3

-%define make_cvs 1
-
 %define apidocs 1

 # We always include this here now because kdeartwork 4 has moved on to
@ -36,18 +27,11 @@

 Summary: K Desktop Environment 3 - Libraries
 Version: 3.5.10
-Release: 14%{?dist}
+Release: 21%{?dist}

-%if 0%{?fedora} > 8
 Name: kdelibs3
 Obsoletes: kdelibs < 6:%{version}-%{release}
 Provides: kdelibs = 6:%{version}-%{release}
-%else
-Name: kdelibs
-Epoch: 6
-Obsoletes: kdelibs3 < %{version}-%{release}
-Provides: kdelibs3 = %{version}-%{release}
-%endif

 License: LGPLv2
 Url: http://www.kde.org/
@ -96,6 +80,7 @@ Patch101: kde-3.5-libtool-shlibext.patch
 # kget ignores simultaneous download limit (kde #101956)
 Patch103: kdelibs-3.5.0-101956.patch
 Patch104: kdelibs-3.5.10-gcc44.patch
+Patch105: kdelibs-3.5.10-ossl-1.x.patch

 ## security fixes
 # fix CVE-2009-2537 - select length DoS
@ -112,40 +97,37 @@ Patch204: kdelibs-3.5.10-cve-2009-1698.patch
 Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
 # fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
 Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
+# CVE-2009-3736, libltdl may load and execute code from a library in the current directory
+Patch207: libltdl-CVE-2009-3736.patch

-#{?arts:Requires: arts >= %{arts_ev}}
-#Requires: %{qt3} >= %{qt3_ev}
 Requires: hicolor-icon-theme
 %if %{kde_settings}
 Requires: kde-settings >= 3.5
 %endif
 Requires: kde-filesystem
-%if "%{name}" != "kdelibs"
 Requires: kdelibs-common
-%endif
 Requires: redhat-menus
 Requires: shadow-utils
 BuildRequires: sudo
 Requires(hint): sudo

-%if 0%{?fedora} > 4 || 0%{?rhel} > 4
-%define   libkdnssd libkdnssd
-# omit for now, may contribute to http://bugzilla.redhat.com/441222 
-#Requires: %{libkdnssd}
+%if 0%{?fedora}
+%define libkdnssd libkdnssd
+%endif
 %define BuildRequires: xorg-x11-proto-devel libX11-devel
 %define _with_rgbfile --with-rgbfile=%{_datadir}/X11/rgb.txt
 Requires: iceauth
-%endif

 Requires(pre): coreutils
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
+Requires: hunspell

 BuildRequires: gettext
 BuildRequires: pcre-devel
 BuildRequires: cups-devel cups
 BuildRequires: %{qt3}-devel %{qt3}-devel-docs
-%{?arts:BuildRequires: arts-devel >= %{arts_ev}}
+BuildRequires: arts-devel >= %{arts_ev}
 BuildRequires: flex >= 2.5.4a-13
 BuildRequires: doxygen
 BuildRequires: libxslt-devel
@ -167,30 +149,18 @@ BuildRequires: libart_lgpl-devel
 BuildRequires: bzip2-devel
 BuildRequires: libtiff-devel
 BuildRequires: libacl-devel libattr-devel
-%if 0%{?fedora} >= 9
 BuildRequires: enchant-devel
-Requires: hunspell
-%else
-BuildRequires: aspell-devel
-%endif
 BuildRequires: krb5-devel
 BuildRequires: openldap-devel
 BuildRequires: db4-devel
 BuildRequires: alsa-lib-devel
 BuildRequires: pkgconfig
 BuildRequires: glibc-kernheaders
-%if 0%{?fedora} > 5 || 0%{?rhel} > 4
-%define _with_libutempter 1
 BuildRequires: libutempter-devel
-%else
-BuildRequires: utempter
-%endif
 BuildRequires: findutils
 BuildRequires: jasper-devel
 BuildRequires: OpenEXR-devel
-%if %{make_cvs}
 BuildRequires: automake libtool
-%endif

 %if "%{name}" != "kdelibs" && "%{?apidocs}" != "1"
 Obsoletes: kdelibs-apidocs < 6:%{version}-%{release}
@ -215,17 +185,12 @@ kimgio (image manipulation).
 %package devel
 Group: Development/Libraries
 Summary: Header files and documentation for compiling KDE 3 applications.
-%if "%{name}" == "kdelibs"
-Obsoletes: kdelibs3-devel < %{version}-%{release}
-Provides:  kdelibs3-devel = %{version}-%{release}
-%else
 Obsoletes: kdelibs-devel < 6:%{version}-%{release}
 Provides:  kdelibs-devel = 6:%{version}-%{release}
-%endif
 Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
 Requires: %{qt3}-devel
 Requires: openssl-devel
-%{?arts:Requires: arts-devel}
+Requires: arts-devel
 %{?libkdnssd:Requires: libkdnssd-devel}
 %description devel
 This package includes the header files you will need to compile
@ -235,15 +200,9 @@ applications for KDE 3.
 Group: Development/Documentation
 Summary: KDE 3 API documentation.
 Requires: %{name} = %{?epoch:%{epoch}:}%{version}
-%if "%{name}" == "kdelibs"
-Provides: kdelibs3-apidocs = %{version}-%{release}
-%else
 Obsoletes: kdelibs-apidocs < 6:%{version}-%{release}
 Provides:  kdelibs-apidocs = 6:%{version}-%{release}
-%endif
-%if 0%{?fedora} > 9
 BuildArch: noarch
-%endif

 %description apidocs
 This package includes the KDE 3 API documentation in HTML
@ -266,26 +225,23 @@ format for easy browsing
 %patch38 -p1 -b .cupsdconf2-group
 %patch39 -p1 -b .kabc-make
 %patch40 -p1 -b .kdeprint-utf8
-%{?_with_libutempter:%patch41 -p1 -b .utempter}
+%patch41 -p1 -b .utempter
 %patch43 -p1 -b .lang
 %patch45 -p1 -b .xdg-autostart
 %patch46 -p1 -b .kate-vhdl
-%if 0%{?fedora} >= 9
 %patch48 -p1 -b .kspell
 %patch49 -p1 -b .kspell2
 %patch50 -p1 -b .no-ispell
-%endif
 %patch51 -p1 -b .cupsserverbin
 %patch52 -p1 -b .KDE3
-%if "%{name}" != "kdelibs"
 %patch53 -p1 -b .drkonqi-kde4
-%endif
 %patch54 -p1 -b .flock-redefinition
 %patch55 -p1 -b .latex-syntax

 %patch100 -p1 -b .kstandarddirs
 %patch101 -p1 -b .libtool-shlibext
 %patch104 -p1 -b .gcc44
+%patch105 -p1 -b .ossl-1.x

 # security fixes
 %patch200 -p1 -b .cve-2009-2537
@ -295,14 +251,13 @@ format for easy browsing
 %patch204 -p1 -b .cve-2009-1698
 %patch205 -p1 -b .cve-2009-2702
 %patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
+%patch207 -p1 -b .CVE-2009-3736

 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h

-%if %{make_cvs}
 # hack/fix for newer automake
-  sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
-  make -f admin/Makefile.common cvs
-%endif
+sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
+make -f admin/Makefile.common cvs


 %build
@ -337,17 +292,12 @@ export DO_NOT_COMPILE="libkscreensaver"
   --enable-sendfile \
   --with-distribution="$(cat /etc/redhat-release 2>/dev/null)" \
   --with-alsa \
-%if 0%{?fedora} >= 9
   --without-aspell \
-%else
-   --with-aspell \
-%endif
   --without-hspell \
   --disable-libfam \
   --enable-dnotify \
   --enable-inotify \
   --with-utempter \
-   %{!?arts:--without-arts} \
   %{?_with_rgbfile} \
   --with-jasper \
   --with-openexr \
@ -387,14 +337,9 @@ for i in *; do
 done
 popd

+%if 0%{?fedora} < 12 && 0%{?rhel} < 6
 install -p -m 644 -D %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/kde.sh
 install -p -m 644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/kde.csh
-
-%if "%{name}" == "kdelibs"
-# menus
-mkdir -p %{buildroot}%{_sysconfdir}/kde/xdg/menus
-mv %{buildroot}%{_sysconfdir}/xdg/menus/applications.menu \
-   %{buildroot}%{_sysconfdir}/xdg/menus/kde-applications.menu
 %endif

 # Use hicolor-icon-theme rpm/pkg instead (#178319)
@ -432,7 +377,6 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" | xargs \
 rm -f %{buildroot}%{_libdir}/libkdnssd.la
 %{?libkdnssd:rm -rf %{buildroot}{%{_libdir}/libkdnssd.*,%{_includedir}/kde/dnssd}}

-%if "%{name}" != "kdelibs"
 # remove conflicts with kdelibs-4
 rm -f %{buildroot}%{_bindir}/checkXML
 rm -f %{buildroot}%{_bindir}/ksvgtopng
@ -480,7 +424,7 @@ rm -f %{buildroot}%{_docdir}/HTML/en/common/xml.dcl
 rm -rf %{buildroot}%{_datadir}/locale/all_languages
 rm -rf %{buildroot}%{_sysconfdir}/xdg/menus/
 rm -rf %{buildroot}%{_datadir}/autostart/
-rm -r %{buildroot}%{_datadir}/config/colors/40.colors
+rm -f %{buildroot}%{_datadir}/config/colors/40.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Rainbow.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Royal.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Web.colors
@ -490,8 +434,6 @@ rm -f %{buildroot}%{_bindir}/preparetips
 # don't show kresources
 sed -i -e "s,^OnlyShowIn=KDE;,OnlyShowIn=KDE3;," %{buildroot}%{_datadir}/applications/kde/kresources.desktop 

-%endif
-
 %if 0%{?include_crystalsvg} == 0
 # remove all crystalsvg icons for now
 rm -rf %{buildroot}%{_datadir}/icons/crystalsvg/
@ -534,7 +476,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %defattr(-,root,root,-)
 %doc README
 %doc COPYING.LIB
+%if 0%{?fedora} < 12 && 0%{?rhel} < 6
 %config(noreplace) %{_sysconfdir}/profile.d/*
+%endif
 %{_bindir}/artsmessage
 %{_bindir}/cupsdconf
 %{_bindir}/cupsdoprint
@ -606,28 +550,13 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
 %{_datadir}/servicetypes/*
 %ghost %{_datadir}/services/ksycoca
 %{_docdir}/HTML/en/kspell
-%if "%{name}" == "kdelibs"
-%{_sysconfdir}/xdg/menus/*.menu
-%{_datadir}/autostart/*
-# include also the conflicting file in kdelibs fedora < 9
-%{_docdir}/HTML/en/common
-%{_datadir}/locale/all_languages
-%else
 %{_docdir}/HTML/en/common/*
-%endif
 %if 0%{?include_crystalsvg}
 %{_datadir}/icons/crystalsvg/
 %endif

 %files devel
 %defattr(-,root,root,-)
-# include also the conflicting file in kdelibs-devel fedora < 9
-%if "%{name}" == "kdelibs"
-%{_bindir}/checkXML
-%{_bindir}/ksvgtopng
-%{_bindir}/kunittestmodrunner
-%{_bindir}/preparetips
-%endif
 %{_bindir}/dcopidl*
 %{_bindir}/kconfig_compiler
 %{_bindir}/makekdewidgets
@ -646,12 +575,30 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :


 %changelog
-* Mon Nov  2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 3.5.10-14
+* Mon Dec 07 2009 Than Ngo <than@redhat.com> - 3.5.10-21
+- fix security issues in libltdl bundle within kdelibs CVE-2009-3736
+
+* Mon Nov  2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 3.5.10-20
 - fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428

-* Sun Sep 06 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-13.1
+* Mon Sep 28 2009 Rex Dieter <rdieter@fedoraproject.org> - 3.5.10-19
+- Conflicts with kde-settings (#526109)
+
+* Mon Sep 28 2009 Than Ngo <than@redhat.com> - 3.5.10-18
+- rhel cleanup
+
+* Wed Sep 23 2009 Rex Dieter <rdieter@fedoraproject.org> - 3.5.10-17 
+- move /etc/profile.d/kde.(sh|csh) to kde-settings (F-12+)
+
+* Fri Sep 04 2009 Than Ngo <than@redhat.com> - 3.5.10-16
+- openssl-1.0 build fixes
+
+* Fri Sep 04 2009 Than Ngo <than@redhat.com> - 3.5.10-15
 - fix for CVE-2009-2702

+* Thu Sep 03 2009 Rex Dieter <rdieter@fedoraproject.org> - 3.5.10-14
+- kde.(sh|csh): drop KDE_IS_PRELINKED (workaround bug #515539)
+
 * Sun Jul 26 2009 Kevin Kofler <Kevin@tigcc.ticalc.org> - 3.5.10-13
 - fix CVE-2009-2537 - select length DoS
 - fix CVE-2009-1725 - crash, possible ACE in numeric character references
--- a/libltdl-CVE-2009-3736.patch
+++ b/libltdl-CVE-2009-3736.patch
@ -0,0 +1,22 @@
+diff -ur arts-orig/libltdl/ltdl.c arts-1.1.3/libltdl/ltdl.c
+--- arts-orig/libltdl/ltdl.c	2003-07-13 21:33:39.000000000 +0200
+++ arts-1.1.3/libltdl/ltdl.c	2009-11-19 16:09:29.000000000 +0100
+@@ -1544,7 +1544,8 @@
+   /* try to open the old library first; if it was dlpreopened,
+      we want the preopened version of it, even if a dlopenable
+      module is available */
+-  if (old_name && tryall_dlopen(handle, old_name) == 0)
+  if (old_name && tryall_dlopen(handle, old_name,
+                                advise, lt_dlloader_find ("lt_preopen") ) == 0)
+     {
+       return 0;
+     }
+@@ -2158,7 +2159,7 @@
+ 	  }
+ #endif
+       }
+-    if (!file)
+    else
+       {
+ 	file = fopen (filename, LT_READTEXT_MODE);
+       }