From 70a8d1a23dcf6b656f5432bdba956944c8584ee3 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Mon, 7 Dec 2009 15:19:30 +0000 Subject: [PATCH] fix security issues in libltdl bundle within kdelibs CVE-2009-3736 --- kdelibs3.spec | 141 +++++++++++------------------------- libltdl-CVE-2009-3736.patch | 22 ++++++ 2 files changed, 66 insertions(+), 97 deletions(-) create mode 100644 libltdl-CVE-2009-3736.patch diff --git a/kdelibs3.spec b/kdelibs3.spec index 9d19a2b..0801e41 100644 --- a/kdelibs3.spec +++ b/kdelibs3.spec @@ -4,29 +4,20 @@ %define distname "Fedora" +%if 0%{?rhel} +%define distname "EL" +%endif + %define kde_settings 1 -%define arts 1 %define arts_ev 8:1.5.10 - -%if 0%{?fedora} > 8 %define qt3 qt3 -%else -%define qt3_epoch 1: -%define qt3 qt -%endif %define qt3_version 3.3.8b %define qt3_ev %{?qt3_epoch}%{qt3_version} -# unfortunately, this doesn't work for 3.3.8b which still identifies as 3.3.8 -#global qt3_ver %(pkg-config --modversion qt-mt 2>/dev/null || echo %{qt3_version}) -%define qt3_ver %{qt3_version} -# fix this?... -- Rex -%define qt3_docdir %{_docdir}/qt-devel-%{qt3_ver} +%define qt3_docdir %{_docdir}/qt-devel-%{qt3_version} %define kde_major_version 3 -%define make_cvs 1 - %define apidocs 1 # We always include this here now because kdeartwork 4 has moved on to @@ -36,18 +27,11 @@ Summary: K Desktop Environment 3 - Libraries Version: 3.5.10 -Release: 14%{?dist} +Release: 21%{?dist} -%if 0%{?fedora} > 8 Name: kdelibs3 Obsoletes: kdelibs < 6:%{version}-%{release} Provides: kdelibs = 6:%{version}-%{release} -%else -Name: kdelibs -Epoch: 6 -Obsoletes: kdelibs3 < %{version}-%{release} -Provides: kdelibs3 = %{version}-%{release} -%endif License: LGPLv2 Url: http://www.kde.org/ 
@@ -96,6 +80,7 @@ Patch101: kde-3.5-libtool-shlibext.patch # kget ignores simultaneous download limit (kde #101956) Patch103: kdelibs-3.5.0-101956.patch Patch104: kdelibs-3.5.10-gcc44.patch +Patch105: kdelibs-3.5.10-ossl-1.x.patch ## security fixes # fix CVE-2009-2537 - select length DoS @@ -112,40 +97,37 @@ Patch204: kdelibs-3.5.10-cve-2009-1698.patch Patch205: kdelibs-3.5.10-CVE-2009-2702.patch # fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch +# CVE-2009-3736, libltdl may load and execute code from a library in the current directory +Patch207: libltdl-CVE-2009-3736.patch -#{?arts:Requires: arts >= %{arts_ev}} -#Requires: %{qt3} >= %{qt3_ev} Requires: hicolor-icon-theme %if %{kde_settings} Requires: kde-settings >= 3.5 %endif Requires: kde-filesystem -%if "%{name}" != "kdelibs" Requires: kdelibs-common -%endif Requires: redhat-menus Requires: shadow-utils BuildRequires: sudo Requires(hint): sudo -%if 0%{?fedora} > 4 || 0%{?rhel} > 4 -%define libkdnssd libkdnssd -# omit for now, may contribute to http://bugzilla.redhat.com/441222 -#Requires: %{libkdnssd} +%if 0%{?fedora} +%define libkdnssd libkdnssd +%endif %define BuildRequires: xorg-x11-proto-devel libX11-devel %define _with_rgbfile --with-rgbfile=%{_datadir}/X11/rgb.txt Requires: iceauth -%endif Requires(pre): coreutils Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig +Requires: hunspell BuildRequires: gettext BuildRequires: pcre-devel BuildRequires: cups-devel cups BuildRequires: %{qt3}-devel %{qt3}-devel-docs -%{?arts:BuildRequires: arts-devel >= %{arts_ev}} +BuildRequires: arts-devel >= %{arts_ev} BuildRequires: flex >= 2.5.4a-13 BuildRequires: doxygen BuildRequires: libxslt-devel 
@@ -167,30 +149,18 @@ BuildRequires: libart_lgpl-devel BuildRequires: bzip2-devel BuildRequires: libtiff-devel BuildRequires: libacl-devel libattr-devel -%if 0%{?fedora} >= 9 BuildRequires: enchant-devel -Requires: hunspell -%else -BuildRequires: aspell-devel -%endif BuildRequires: krb5-devel BuildRequires: openldap-devel BuildRequires: db4-devel BuildRequires: alsa-lib-devel BuildRequires: pkgconfig BuildRequires: glibc-kernheaders -%if 0%{?fedora} > 5 || 0%{?rhel} > 4 -%define _with_libutempter 1 BuildRequires: libutempter-devel -%else -BuildRequires: utempter -%endif BuildRequires: findutils BuildRequires: jasper-devel BuildRequires: OpenEXR-devel -%if %{make_cvs} BuildRequires: automake libtool -%endif %if "%{name}" != "kdelibs" && "%{?apidocs}" != "1" Obsoletes: kdelibs-apidocs < 6:%{version}-%{release} @@ -215,17 +185,12 @@ kimgio (image manipulation). %package devel Group: Development/Libraries Summary: Header files and documentation for compiling KDE 3 applications. -%if "%{name}" == "kdelibs" -Obsoletes: kdelibs3-devel < %{version}-%{release} -Provides: kdelibs3-devel = %{version}-%{release} -%else Obsoletes: kdelibs-devel < 6:%{version}-%{release} Provides: kdelibs-devel = 6:%{version}-%{release} -%endif Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Requires: %{qt3}-devel Requires: openssl-devel -%{?arts:Requires: arts-devel} +Requires: arts-devel %{?libkdnssd:Requires: libkdnssd-devel} %description devel This package includes the header files you will need to compile 
@@ -235,15 +200,9 @@ applications for KDE 3. Group: Development/Documentation Summary: KDE 3 API documentation. Requires: %{name} = %{?epoch:%{epoch}:}%{version} -%if "%{name}" == "kdelibs" -Provides: kdelibs3-apidocs = %{version}-%{release} -%else Obsoletes: kdelibs-apidocs < 6:%{version}-%{release} Provides: kdelibs-apidocs = 6:%{version}-%{release} -%endif -%if 0%{?fedora} > 9 BuildArch: noarch -%endif %description apidocs This package includes the KDE 3 API documentation in HTML @@ -266,26 +225,23 @@ format for easy browsing %patch38 -p1 -b .cupsdconf2-group %patch39 -p1 -b .kabc-make %patch40 -p1 -b .kdeprint-utf8 -%{?_with_libutempter:%patch41 -p1 -b .utempter} +%patch41 -p1 -b .utempter %patch43 -p1 -b .lang %patch45 -p1 -b .xdg-autostart %patch46 -p1 -b .kate-vhdl -%if 0%{?fedora} >= 9 %patch48 -p1 -b .kspell %patch49 -p1 -b .kspell2 %patch50 -p1 -b .no-ispell -%endif %patch51 -p1 -b .cupsserverbin %patch52 -p1 -b .KDE3 -%if "%{name}" != "kdelibs" %patch53 -p1 -b .drkonqi-kde4 -%endif %patch54 -p1 -b .flock-redefinition %patch55 -p1 -b .latex-syntax %patch100 -p1 -b .kstandarddirs %patch101 -p1 -b .libtool-shlibext %patch104 -p1 -b .gcc44 +%patch105 -p1 -b .ossl-1.x # security fixes %patch200 -p1 -b .cve-2009-2537 @@ -295,14 +251,13 @@ format for easy browsing %patch204 -p1 -b .cve-2009-1698 %patch205 -p1 -b .cve-2009-2702 %patch206 -p0 -b .oCERT-2009-015-xmlhttprequest +%patch207 -p1 -b .CVE-2009-3736 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h -%if %{make_cvs} # hack/fix for newer automake - sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh - make -f admin/Makefile.common cvs -%endif +sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh +make -f admin/Makefile.common cvs %build 
@@ -337,17 +292,12 @@ export DO_NOT_COMPILE="libkscreensaver" --enable-sendfile \ --with-distribution="$(cat /etc/redhat-release 2>/dev/null)" \ --with-alsa \ -%if 0%{?fedora} >= 9 --without-aspell \ -%else - --with-aspell \ -%endif --without-hspell \ --disable-libfam \ --enable-dnotify \ --enable-inotify \ --with-utempter \ - %{!?arts:--without-arts} \ %{?_with_rgbfile} \ --with-jasper \ --with-openexr \ @@ -387,14 +337,9 @@ for i in *; do done popd +%if 0%{?fedora} < 12 && 0%{?rhel} < 6 install -p -m 644 -D %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/kde.sh install -p -m 644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/kde.csh - -%if "%{name}" == "kdelibs" -# menus -mkdir -p %{buildroot}%{_sysconfdir}/kde/xdg/menus -mv %{buildroot}%{_sysconfdir}/xdg/menus/applications.menu \ - %{buildroot}%{_sysconfdir}/xdg/menus/kde-applications.menu %endif # Use hicolor-icon-theme rpm/pkg instead (#178319) @@ -432,7 +377,6 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" | xargs \ rm -f %{buildroot}%{_libdir}/libkdnssd.la %{?libkdnssd:rm -rf %{buildroot}{%{_libdir}/libkdnssd.*,%{_includedir}/kde/dnssd}} -%if "%{name}" != "kdelibs" # remove conflicts with kdelibs-4 rm -f %{buildroot}%{_bindir}/checkXML rm -f %{buildroot}%{_bindir}/ksvgtopng @@ -480,7 +424,7 @@ rm -f %{buildroot}%{_docdir}/HTML/en/common/xml.dcl rm -rf %{buildroot}%{_datadir}/locale/all_languages rm -rf %{buildroot}%{_sysconfdir}/xdg/menus/ rm -rf %{buildroot}%{_datadir}/autostart/ -rm -r %{buildroot}%{_datadir}/config/colors/40.colors +rm -f %{buildroot}%{_datadir}/config/colors/40.colors rm -f %{buildroot}%{_datadir}/config/colors/Rainbow.colors rm -f %{buildroot}%{_datadir}/config/colors/Royal.colors rm -f %{buildroot}%{_datadir}/config/colors/Web.colors 
@@ -490,8 +434,6 @@ rm -f %{buildroot}%{_bindir}/preparetips # don't show kresources sed -i -e "s,^OnlyShowIn=KDE;,OnlyShowIn=KDE3;," %{buildroot}%{_datadir}/applications/kde/kresources.desktop -%endif - %if 0%{?include_crystalsvg} == 0 # remove all crystalsvg icons for now rm -rf %{buildroot}%{_datadir}/icons/crystalsvg/ @@ -534,7 +476,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %defattr(-,root,root,-) %doc README %doc COPYING.LIB +%if 0%{?fedora} < 12 && 0%{?rhel} < 6 %config(noreplace) %{_sysconfdir}/profile.d/* +%endif %{_bindir}/artsmessage %{_bindir}/cupsdconf %{_bindir}/cupsdoprint @@ -606,28 +550,13 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %{_datadir}/servicetypes/* %ghost %{_datadir}/services/ksycoca %{_docdir}/HTML/en/kspell -%if "%{name}" == "kdelibs" -%{_sysconfdir}/xdg/menus/*.menu -%{_datadir}/autostart/* -# include also the conflicting file in kdelibs fedora < 9 -%{_docdir}/HTML/en/common -%{_datadir}/locale/all_languages -%else %{_docdir}/HTML/en/common/* -%endif %if 0%{?include_crystalsvg} %{_datadir}/icons/crystalsvg/ %endif %files devel %defattr(-,root,root,-) -# include also the conflicting file in kdelibs-devel fedora < 9 -%if "%{name}" == "kdelibs" -%{_bindir}/checkXML -%{_bindir}/ksvgtopng -%{_bindir}/kunittestmodrunner -%{_bindir}/preparetips -%endif %{_bindir}/dcopidl* %{_bindir}/kconfig_compiler %{_bindir}/makekdewidgets 
@@ -646,12 +575,30 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || : %changelog -* Mon Nov 2 2009 Lukáš Tinkl - 3.5.10-14 +* Mon Dec 07 2009 Than Ngo - 3.5.10-21 +- fix security issues in libltdl bundle within kdelibs CVE-2009-3736 + +* Mon Nov 2 2009 Lukáš Tinkl - 3.5.10-20 - fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428 -* Sun Sep 06 2009 Kevin Kofler - 3.5.10-13.1 +* Mon Sep 28 2009 Rex Dieter - 3.5.10-19 +- Conflicts with kde-settings (#526109) + +* Mon Sep 28 2009 Than Ngo - 3.5.10-18 +- rhel cleanup + +* Wed Sep 23 2009 Rex Dieter - 3.5.10-17 +- move /etc/profile.d/kde.(sh|csh) to kde-settings (F-12+) + +* Fri Sep 04 2009 Than Ngo - 3.5.10-16 +- openssl-1.0 build fixes + +* Fri Sep 04 2009 Than Ngo - 3.5.10-15 - fix for CVE-2009-2702 +* Thu Sep 03 2009 Rex Dieter - 3.5.10-14 +- kde.(sh|csh): drop KDE_IS_PRELINKED (workaround bug #515539) + * Sun Jul 26 2009 Kevin Kofler - 3.5.10-13 - fix CVE-2009-2537 - select length DoS - fix CVE-2009-1725 - crash, possible ACE in numeric character references diff --git a/libltdl-CVE-2009-3736.patch b/libltdl-CVE-2009-3736.patch new file mode 100644 index 0000000..d49c117 --- /dev/null +++ b/libltdl-CVE-2009-3736.patch @@ -0,0 +1,22 @@ +diff -ur arts-orig/libltdl/ltdl.c arts-1.1.3/libltdl/ltdl.c +--- arts-orig/libltdl/ltdl.c 2003-07-13 21:33:39.000000000 +0200 ++++ arts-1.1.3/libltdl/ltdl.c 2009-11-19 16:09:29.000000000 +0100 +@@ -1544,7 +1544,8 @@ + /* try to open the old library first; if it was dlpreopened, + we want the preopened version of it, even if a dlopenable + module is available */ +- if (old_name && tryall_dlopen(handle, old_name) == 0) ++ if (old_name && tryall_dlopen(handle, old_name, ++ advise, lt_dlloader_find ("lt_preopen") ) == 0) + { + return 0; + } +@@ -2158,7 +2159,7 @@ + } + #endif + } +- if (!file) ++ else + { + file = fopen (filename, LT_READTEXT_MODE); + }
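Review bot: In the first hunk of the new libltdl-CVE-2009-3736.patch the call becomes `tryall_dlopen(handle, old_name, advise, lt_dlloader_find ("lt_preopen"))`, but the patch has no hunk that changes the definition of `tryall_dlopen` or brings `advise` into scope. It therefore only builds, and only restricts the loader, if the bundled `libltdl/ltdl.c` already has that four-argument form; the definition is outside the hunk and should be checked against the kdelibs 3.5.10 copy. The patch was also diffed against `arts-1.1.3/libltdl/ltdl.c` (2003) rather than the kdelibs tree, so `%patch207 -p1` depends on the hunks at 1544 and 2158 landing in the same functions here; the build log should confirm it applies without fuzz. In the second hunk, where `if (!file)` becomes `else`, a comment such as `/* CVE-2009-3736: no unconditional fallback fopen of filename */` would record why the fallback was removed. The enclosing function and the `if` this `else` pairs with are outside the hunk, so the exact condition should be confirmed.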