dist-git conversion

library in the current directory

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libtool
-# $Id: Makefile,v 1.1 2004/09/09 07:44:21 cvsdist Exp $
-NAME := libtool
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

libtool-1.5.22-CVE-2009-3736.patch

@@ -0,0 +1,91 @@
+diff -urN libtool-1.5.26.orig/libltdl/ltdl.c libtool-1.5.26/libltdl/ltdl.c
+--- libtool-1.5.26.orig/libltdl/ltdl.c	2007-11-15 13:36:41.000000000 -0600
++++ libtool-1.5.26/libltdl/ltdl.c	2009-11-15 21:13:37.000000000 -0600
+@@ -2192,7 +2192,8 @@
+ static	int	try_dlopen	      LT_PARAMS((lt_dlhandle *handle,
+ 						 const char *filename));
+ static	int	tryall_dlopen	      LT_PARAMS((lt_dlhandle *handle,
+-						 const char *filename));
++						 const char *filename,
++						 const char * useloader));
+ static	int	unload_deplibs	      LT_PARAMS((lt_dlhandle handle));
+ static	int	lt_argz_insert	      LT_PARAMS((char **pargz,
+ 						 size_t *pargz_len,
+@@ -2390,9 +2391,10 @@
+ }
+ 
+ static int
+-tryall_dlopen (handle, filename)
++tryall_dlopen (handle, filename, useloader)
+      lt_dlhandle *handle;
+      const char *filename;
++     const char *useloader;
+ {
+   lt_dlhandle	 cur;
+   lt_dlloader   *loader;
+@@ -2459,6 +2461,11 @@
+ 
+   while (loader)
+     {
++      if (useloader && strcmp(loader->loader_name, useloader))
++	{
++	  loader = loader->next;
++	  continue;
++	}
+       lt_user_data data = loader->dlloader_data;
+ 
+       cur->module = loader->module_open (data, filename);
+@@ -2528,7 +2535,7 @@
+       error += tryall_dlopen_module (handle,
+ 				     (const char *) 0, prefix, filename);
+     }
+-  else if (tryall_dlopen (handle, filename) != 0)
++  else if (tryall_dlopen (handle, filename, NULL) != 0)
+     {
+       ++error;
+     }
+@@ -2549,7 +2556,7 @@
+   /* Try to open the old library first; if it was dlpreopened,
+      we want the preopened version of it, even if a dlopenable
+      module is available.  */
+-  if (old_name && tryall_dlopen (handle, old_name) == 0)
++  if (old_name && tryall_dlopen (handle, old_name, "dlpreload") == 0)
+     {
+       return 0;
+     }
+@@ -2813,7 +2820,7 @@
+ 
+   /* Try to dlopen the file, but do not continue searching in any
+      case.  */
+-  if (tryall_dlopen (handle, filename) != 0)
++  if (tryall_dlopen (handle, filename,NULL) != 0)
+     *handle = 0;
+ 
+   return 1;
+@@ -3103,7 +3110,7 @@
+       /* lt_dlclose()ing yourself is very bad!  Disallow it.  */
+       LT_DLSET_FLAG (*phandle, LT_DLRESIDENT_FLAG);
+ 
+-      if (tryall_dlopen (&newhandle, 0) != 0)
++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
+ 	{
+ 	  LT_DLFREE (*phandle);
+ 	  return 1;
+@@ -3225,7 +3232,7 @@
+ 	    }
+ #endif
+ 	}
+-      if (!file)
++      else
+ 	{
+ 	  file = fopen (filename, LT_READTEXT_MODE);
+ 	}
+@@ -3412,7 +3419,7 @@
+ #endif
+ 		   )))
+ 	{
+-          if (tryall_dlopen (&newhandle, filename) != 0)
++          if (tryall_dlopen (&newhandle, filename, NULL) != 0)
+             {
+               newhandle = NULL;
+             }

libtool-1.5.24-relativepath.patch

@@ -1,14 +0,0 @@
-diff -up libtool-1.5.24/libltdl/ltdl.c.relativepath libtool-1.5.24/libltdl/ltdl.c
---- libtool-1.5.24/libltdl/ltdl.c.relativepath	2007-06-01 07:04:54.000000000 +0200
-+++ libtool-1.5.24/libltdl/ltdl.c	2007-07-24 12:56:22.000000000 +0200
-@@ -3225,7 +3225,9 @@ try_dlopen (phandle, filename)
- 	}
-       if (!file)
- 	{
--	  file = fopen (filename, LT_READTEXT_MODE);
-+	  /* don't open .la files in current directory, root might get tricked to run a binary in a prepared directory */
-+	  if(!strncmp((filename + strlen(filename) - 3), LTDL_ARCHIVE_EXT,3) || strstr(filename,"/"))
-+	    file = fopen (filename, LT_READTEXT_MODE);
- 	}
- 
-       /* If we didn't find the file by now, it really isn't there.  Set

libtool.spec

@@ -3,7 +3,7 @@
 Summary: The GNU Portable Library Tool
 Name:    libtool
 Version: 1.5.26
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: GPLv2+ and LGPLv2+ and GFDL
 Group:   Development/Tools
 Source:  http://ftp.gnu.org/gnu/libtool/libtool-%{version}.tar.gz
@@ -13,9 +13,7 @@ Requires(post):  /sbin/install-info
 Requires(preun): /sbin/install-info
 Patch1:  libtool-1.5.24-multilib.patch
 
-# don't  read .la file in current working directory, root might get tricked
-# into running a prepared binary in that directory:
-Patch2:  libtool-1.5.24-relativepath.patch
+Patch2:  libtool-1.5.22-CVE-2009-3736.patch
 
 BuildRequires: autoconf >= 2.59, automake >= 1.9.2, texinfo
 Requires: autoconf >= 2.58, automake >= 1.4
@@ -152,6 +150,10 @@ fi
 
 
 %changelog
+* Wed Dec 02 2009 Karsten Hopp <karsten@redhat.com> 1.5.26-4.1
+- add fix for CVE-2009-3736:
+  libltdl may load and execute code from a library in the current directory
+
 * Fri Aug 29 2008 Dennis Gilmore <dennis@ausil.us> 1.5.26-4
 - rebuild for gcc-4.3.2