rpms/kdelibs3/F-11 libltdl-CVE-2009-3736.patch, NONE, 1.1 kdelibs3.spec, 1.64, 1.65

Than Ngo than at fedoraproject.org
Mon Dec 7 15:19:31 UTC 2009


Author: than

Update of /cvs/extras/rpms/kdelibs3/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv644

Modified Files:
	kdelibs3.spec 
Added Files:
	libltdl-CVE-2009-3736.patch 
Log Message:
fix security issue (CVE-2009-3736) in the libltdl bundled within kdelibs


libltdl-CVE-2009-3736.patch:
 ltdl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- NEW FILE libltdl-CVE-2009-3736.patch ---
diff -ur arts-orig/libltdl/ltdl.c arts-1.1.3/libltdl/ltdl.c
--- arts-orig/libltdl/ltdl.c	2003-07-13 21:33:39.000000000 +0200
+++ arts-1.1.3/libltdl/ltdl.c	2009-11-19 16:09:29.000000000 +0100
@@ -1544,7 +1544,8 @@
   /* try to open the old library first; if it was dlpreopened,
      we want the preopened version of it, even if a dlopenable
      module is available */
-  if (old_name && tryall_dlopen(handle, old_name) == 0)
+  if (old_name && tryall_dlopen(handle, old_name,
+                                advise, lt_dlloader_find ("lt_preopen") ) == 0)
     {
       return 0;
     }
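Review bot: The added call `tryall_dlopen(handle, old_name, advise, lt_dlloader_find ("lt_preopen"))` passes two arguments more than the line it replaces, yet the diffstat (`3 insertions(+), 2 deletions(-)`) shows no accompanying change to tryall_dlopen's definition or prototype. Unless this 2003-era ltdl.c already declares tryall_dlopen with four parameters and has an `advise` variable in scope in the enclosing function, this hunk will not compile; it looks lifted from a newer libltdl where those exist. The CVE-2009-3736 fix proper is the second hunk (`if (!file)` → `else`), so this first hunk should be checked against the local tryall_dlopen prototype or dropped from the backport. The enclosing function starts and ends outside the hunk.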
@@ -2158,7 +2159,7 @@
 	  }
 #endif
       }
-    if (!file)
+    else
       {
 	file = fopen (filename, LT_READTEXT_MODE);
       }
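Review bot: The `else` replacing `if (!file)` carries the whole security fix but reads like a control-flow tidy-up, so a comment should state the intent: `/* Open filename as given only in this branch (presumably: caller supplied a directory component); a bare module name must be resolved via the search path, never the current directory (CVE-2009-3736). */`. The `if` whose `else` this now is, and the code that handles `file` still being NULL when the search-path lookup fails, are both outside the hunk, so the branch condition and the later error path should be confirmed in the full file. The enclosing function starts and ends outside the hunk.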


Index: kdelibs3.spec
===================================================================
RCS file: /cvs/extras/rpms/kdelibs3/F-11/kdelibs3.spec,v
retrieving revision 1.64
retrieving revision 1.65
diff -u -p -r1.64 -r1.65
--- kdelibs3.spec	2 Nov 2009 14:55:21 -0000	1.64
+++ kdelibs3.spec	7 Dec 2009 15:19:30 -0000	1.65
@@ -4,29 +4,20 @@
 
 %define distname "Fedora"
 
+%if 0%{?rhel}
+%define distname "EL"
+%endif
+
 %define kde_settings 1 
 
-%define arts 1
 %define arts_ev 8:1.5.10
-
-%if 0%{?fedora} > 8
 %define qt3 qt3
-%else
-%define qt3_epoch 1:
-%define qt3 qt
-%endif
 %define qt3_version 3.3.8b
 %define qt3_ev %{?qt3_epoch}%{qt3_version} 
-# unfortunately, this doesn't work for 3.3.8b which still identifies as 3.3.8
-#global qt3_ver %(pkg-config --modversion qt-mt 2>/dev/null || echo %{qt3_version})
-%define qt3_ver %{qt3_version}
-# fix this?... -- Rex
-%define qt3_docdir %{_docdir}/qt-devel-%{qt3_ver}
+%define qt3_docdir %{_docdir}/qt-devel-%{qt3_version}
 
 %define kde_major_version 3
 
-%define make_cvs 1
-
 %define apidocs 1
 
 # We always include this here now because kdeartwork 4 has moved on to
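Review bot: `%define qt3_ev %{?qt3_epoch}%{qt3_version}` survives at the line after the `qt3_version` define, but the only definition of `qt3_epoch` (`%define qt3_epoch 1:` in the removed `%else` branch) is gone, so `qt3_ev` now always equals `qt3_version`. The later hunk also removes the commented `#Requires: %{qt3} >= %{qt3_ev}`, so as far as this diff shows `qt3_ev` has no remaining user; if the rest of the spec does not reference it either, drop the define, otherwise simplify it to `%define qt3_ev %{qt3_version}` so the dangling `%{?qt3_epoch}` does not suggest an epoch that is never set.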
@@ -36,18 +27,11 @@
 
 Summary: K Desktop Environment 3 - Libraries
 Version: 3.5.10
-Release: 14%{?dist}
+Release: 21%{?dist}
 
-%if 0%{?fedora} > 8
 Name: kdelibs3
 Obsoletes: kdelibs < 6:%{version}-%{release}
 Provides: kdelibs = 6:%{version}-%{release}
-%else
-Name: kdelibs
-Epoch: 6
-Obsoletes: kdelibs3 < %{version}-%{release}
-Provides: kdelibs3 = %{version}-%{release}
-%endif
 
 License: LGPLv2
 Url: http://www.kde.org/
@@ -96,6 +80,7 @@ Patch101: kde-3.5-libtool-shlibext.patch
 # kget ignores simultaneous download limit (kde #101956)
 Patch103: kdelibs-3.5.0-101956.patch
 Patch104: kdelibs-3.5.10-gcc44.patch
+Patch105: kdelibs-3.5.10-ossl-1.x.patch
 
 ## security fixes
 # fix CVE-2009-2537 - select length DoS
@@ -112,40 +97,37 @@ Patch204: kdelibs-3.5.10-cve-2009-1698.p
 Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
 # fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
 Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
+# CVE-2009-3736, libltdl may load and execute code from a library in the current directory
+Patch207: libltdl-CVE-2009-3736.patch
 
-#{?arts:Requires: arts >= %{arts_ev}}
-#Requires: %{qt3} >= %{qt3_ev}
 Requires: hicolor-icon-theme
 %if %{kde_settings}
 Requires: kde-settings >= 3.5
 %endif
 Requires: kde-filesystem
-%if "%{name}" != "kdelibs"
 Requires: kdelibs-common
-%endif
 Requires: redhat-menus
 Requires: shadow-utils
 BuildRequires: sudo
 Requires(hint): sudo
 
-%if 0%{?fedora} > 4 || 0%{?rhel} > 4
-%define   libkdnssd libkdnssd
-# omit for now, may contribute to http://bugzilla.redhat.com/441222 
-#Requires: %{libkdnssd}
+%if 0%{?fedora}
+%define libkdnssd libkdnssd
+%endif
 %define BuildRequires: xorg-x11-proto-devel libX11-devel
 %define _with_rgbfile --with-rgbfile=%{_datadir}/X11/rgb.txt
 Requires: iceauth
-%endif
 
 Requires(pre): coreutils
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
+Requires: hunspell
 
 BuildRequires: gettext
 BuildRequires: pcre-devel
 BuildRequires: cups-devel cups
 BuildRequires: %{qt3}-devel %{qt3}-devel-docs
-%{?arts:BuildRequires: arts-devel >= %{arts_ev}}
+BuildRequires: arts-devel >= %{arts_ev}
 BuildRequires: flex >= 2.5.4a-13
 BuildRequires: doxygen
 BuildRequires: libxslt-devel
@@ -167,30 +149,18 @@ BuildRequires: libart_lgpl-devel
 BuildRequires: bzip2-devel
 BuildRequires: libtiff-devel
 BuildRequires: libacl-devel libattr-devel
-%if 0%{?fedora} >= 9
 BuildRequires: enchant-devel
-Requires: hunspell
-%else
-BuildRequires: aspell-devel
-%endif
 BuildRequires: krb5-devel
 BuildRequires: openldap-devel
 BuildRequires: db4-devel
 BuildRequires: alsa-lib-devel
 BuildRequires: pkgconfig
 BuildRequires: glibc-kernheaders
-%if 0%{?fedora} > 5 || 0%{?rhel} > 4
-%define _with_libutempter 1
 BuildRequires: libutempter-devel
-%else
-BuildRequires: utempter
-%endif
 BuildRequires: findutils
 BuildRequires: jasper-devel
 BuildRequires: OpenEXR-devel
-%if %{make_cvs}
 BuildRequires: automake libtool
-%endif
 
 %if "%{name}" != "kdelibs" && "%{?apidocs}" != "1"
 Obsoletes: kdelibs-apidocs < 6:%{version}-%{release}
@@ -215,17 +185,12 @@ kimgio (image manipulation).
 %package devel
 Group: Development/Libraries
 Summary: Header files and documentation for compiling KDE 3 applications.
-%if "%{name}" == "kdelibs"
-Obsoletes: kdelibs3-devel < %{version}-%{release}
-Provides:  kdelibs3-devel = %{version}-%{release}
-%else
 Obsoletes: kdelibs-devel < 6:%{version}-%{release}
 Provides:  kdelibs-devel = 6:%{version}-%{release}
-%endif
 Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
 Requires: %{qt3}-devel
 Requires: openssl-devel
-%{?arts:Requires: arts-devel}
+Requires: arts-devel
 %{?libkdnssd:Requires: libkdnssd-devel}
 %description devel
 This package includes the header files you will need to compile
@@ -235,15 +200,9 @@ applications for KDE 3.
 Group: Development/Documentation
 Summary: KDE 3 API documentation.
 Requires: %{name} = %{?epoch:%{epoch}:}%{version}
-%if "%{name}" == "kdelibs"
-Provides: kdelibs3-apidocs = %{version}-%{release}
-%else
 Obsoletes: kdelibs-apidocs < 6:%{version}-%{release}
 Provides:  kdelibs-apidocs = 6:%{version}-%{release}
-%endif
-%if 0%{?fedora} > 9
 BuildArch: noarch
-%endif
 
 %description apidocs
 This package includes the KDE 3 API documentation in HTML
@@ -266,26 +225,23 @@ format for easy browsing
 %patch38 -p1 -b .cupsdconf2-group
 %patch39 -p1 -b .kabc-make
 %patch40 -p1 -b .kdeprint-utf8
-%{?_with_libutempter:%patch41 -p1 -b .utempter}
+%patch41 -p1 -b .utempter
 %patch43 -p1 -b .lang
 %patch45 -p1 -b .xdg-autostart
 %patch46 -p1 -b .kate-vhdl
-%if 0%{?fedora} >= 9
 %patch48 -p1 -b .kspell
 %patch49 -p1 -b .kspell2
 %patch50 -p1 -b .no-ispell
-%endif
 %patch51 -p1 -b .cupsserverbin
 %patch52 -p1 -b .KDE3
-%if "%{name}" != "kdelibs"
 %patch53 -p1 -b .drkonqi-kde4
-%endif
 %patch54 -p1 -b .flock-redefinition
 %patch55 -p1 -b .latex-syntax
 
 %patch100 -p1 -b .kstandarddirs
 %patch101 -p1 -b .libtool-shlibext
 %patch104 -p1 -b .gcc44
+%patch105 -p1 -b .ossl-1.x
 
 # security fixes
 %patch200 -p1 -b .cve-2009-2537
@@ -295,14 +251,13 @@ format for easy browsing
 %patch204 -p1 -b .cve-2009-1698
 %patch205 -p1 -b .cve-2009-2702
 %patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
+%patch207 -p1 -b .CVE-2009-3736
 
 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
 
-%if %{make_cvs}
 # hack/fix for newer automake
-  sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
-  make -f admin/Makefile.common cvs
-%endif
+sed -iautomake -e 's|automake\*1.10\*|automake\*1.1[0-5]\*|' admin/cvs.sh
+make -f admin/Makefile.common cvs
 
 
 %build
@@ -337,17 +292,12 @@ export DO_NOT_COMPILE="libkscreensaver"
    --enable-sendfile \
    --with-distribution="$(cat /etc/redhat-release 2>/dev/null)" \
    --with-alsa \
-%if 0%{?fedora} >= 9
    --without-aspell \
-%else
-   --with-aspell \
-%endif
    --without-hspell \
    --disable-libfam \
    --enable-dnotify \
    --enable-inotify \
    --with-utempter \
-   %{!?arts:--without-arts} \
    %{?_with_rgbfile} \
    --with-jasper \
    --with-openexr \
@@ -387,14 +337,9 @@ for i in *; do
 done
 popd
 
+%if 0%{?fedora} < 12 && 0%{?rhel} < 6
 install -p -m 644 -D %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/kde.sh
 install -p -m 644 -D %{SOURCE2} %{buildroot}%{_sysconfdir}/profile.d/kde.csh
-
-%if "%{name}" == "kdelibs"
-# menus
-mkdir -p %{buildroot}%{_sysconfdir}/kde/xdg/menus
-mv %{buildroot}%{_sysconfdir}/xdg/menus/applications.menu \
-   %{buildroot}%{_sysconfdir}/xdg/menus/kde-applications.menu
 %endif
 
 # Use hicolor-icon-theme rpm/pkg instead (#178319)
@@ -432,7 +377,6 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.
 rm -f %{buildroot}%{_libdir}/libkdnssd.la
 %{?libkdnssd:rm -rf %{buildroot}{%{_libdir}/libkdnssd.*,%{_includedir}/kde/dnssd}}
 
-%if "%{name}" != "kdelibs"
 # remove conflicts with kdelibs-4
 rm -f %{buildroot}%{_bindir}/checkXML
 rm -f %{buildroot}%{_bindir}/ksvgtopng
@@ -480,7 +424,7 @@ rm -f %{buildroot}%{_docdir}/HTML/en/com
 rm -rf %{buildroot}%{_datadir}/locale/all_languages
 rm -rf %{buildroot}%{_sysconfdir}/xdg/menus/
 rm -rf %{buildroot}%{_datadir}/autostart/
-rm -r %{buildroot}%{_datadir}/config/colors/40.colors
+rm -f %{buildroot}%{_datadir}/config/colors/40.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Rainbow.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Royal.colors
 rm -f %{buildroot}%{_datadir}/config/colors/Web.colors
@@ -490,8 +434,6 @@ rm -f %{buildroot}%{_bindir}/preparetips
 # don't show kresources
 sed -i -e "s,^OnlyShowIn=KDE;,OnlyShowIn=KDE3;," %{buildroot}%{_datadir}/applications/kde/kresources.desktop 
 
-%endif
-
 %if 0%{?include_crystalsvg} == 0
 # remove all crystalsvg icons for now
 rm -rf %{buildroot}%{_datadir}/icons/crystalsvg/
@@ -534,7 +476,9 @@ touch --no-create %{_datadir}/icons/crys
 %defattr(-,root,root,-)
 %doc README
 %doc COPYING.LIB
+%if 0%{?fedora} < 12 && 0%{?rhel} < 6
 %config(noreplace) %{_sysconfdir}/profile.d/*
+%endif
 %{_bindir}/artsmessage
 %{_bindir}/cupsdconf
 %{_bindir}/cupsdoprint
@@ -606,28 +550,13 @@ touch --no-create %{_datadir}/icons/crys
 %{_datadir}/servicetypes/*
 %ghost %{_datadir}/services/ksycoca
 %{_docdir}/HTML/en/kspell
-%if "%{name}" == "kdelibs"
-%{_sysconfdir}/xdg/menus/*.menu
-%{_datadir}/autostart/*
-# include also the conflicting file in kdelibs fedora < 9
-%{_docdir}/HTML/en/common
-%{_datadir}/locale/all_languages
-%else
 %{_docdir}/HTML/en/common/*
-%endif
 %if 0%{?include_crystalsvg}
 %{_datadir}/icons/crystalsvg/
 %endif
 
 %files devel
 %defattr(-,root,root,-)
-# include also the conflicting file in kdelibs-devel fedora < 9
-%if "%{name}" == "kdelibs"
-%{_bindir}/checkXML
-%{_bindir}/ksvgtopng
-%{_bindir}/kunittestmodrunner
-%{_bindir}/preparetips
-%endif
 %{_bindir}/dcopidl*
 %{_bindir}/kconfig_compiler
 %{_bindir}/makekdewidgets
@@ -646,12 +575,30 @@ touch --no-create %{_datadir}/icons/crys
 
 
 %changelog
-* Mon Nov  2 2009 Lukáš Tinkl <ltinkl at redhat.com> - 3.5.10-14
+* Mon Dec 07 2009 Than Ngo <than at redhat.com> - 3.5.10-21
+- fix security issues in libltdl bundle within kdelibs CVE-2009-3736
+
+* Mon Nov  2 2009 Lukáš Tinkl <ltinkl at redhat.com> - 3.5.10-20
 - fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
 
-* Sun Sep 06 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.5.10-13.1
+* Mon Sep 28 2009 Rex Dieter <rdieter at fedoraproject.org> - 3.5.10-19
+- Conflicts with kde-settings (#526109)
+
+* Mon Sep 28 2009 Than Ngo <than at redhat.com> - 3.5.10-18
+- rhel cleanup
+
+* Wed Sep 23 2009 Rex Dieter <rdieter at fedoraproject.org> - 3.5.10-17 
+- move /etc/profile.d/kde.(sh|csh) to kde-settings (F-12+)
+
+* Fri Sep 04 2009 Than Ngo <than at redhat.com> - 3.5.10-16
+- openssl-1.0 build fixes
+
+* Fri Sep 04 2009 Than Ngo <than at redhat.com> - 3.5.10-15
 - fix for CVE-2009-2702
 
+* Thu Sep 03 2009 Rex Dieter <rdieter at fedoraproject.org> - 3.5.10-14
+- kde.(sh|csh): drop KDE_IS_PRELINKED (workaround bug #515539)
+
 * Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.5.10-13
 - fix CVE-2009-2537 - select length DoS
 - fix CVE-2009-1725 - crash, possible ACE in numeric character references



