tags 559808 + help
thanks

On Wed, Dec 30, 2009 at 01:29:50PM +0100, Moritz Muehlenhoff wrote:
> Gnash already has a Build-Depends on the shared copy, but it appears
> as if only the hppa build links against the system copy. I suppose
> this needs to be configured explicitly by passing "--without-included-ltdl"
> to the configure call.

I've been rebuilding gnash passing explicitly --without-included-ltdl (patch attached), but that does not seem to be enough to have the main gnash package linked against system-wide ltdl. ldd confirms that the gtk-gnash executable is not linked against ltdl, whereas the other binary packages of gnash do link against the system-wide library (that was the case also without the patch).

At first sight configure.ac seems to be doing the right thing in _not_ forcing the convenience library (it does that only if older versions of libltdl are found in the sources, which is no longer the case).

Bottom line: some more investigation is needed.

Maintainer: any comment?

Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime

diff -u gnash-0.8.6/debian/changelog gnash-0.8.6/debian/changelog --- gnash-0.8.6/debian/changelog +++ gnash-0.8.6/debian/changelog @@ -1,3 +1,11 @@ +gnash (0.8.6-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Force building against system version of libltdl. Fix CVE-2009-3736 + (on all archs). (Closes: #559808) + + -- Stefano Zacchiroli <z...@debian.org> Sun, 24 Jan 2010 15:56:05 +0100 + gnash (0.8.6-2) unstable; urgency=low [ Miriam Ruiz ] diff -u gnash-0.8.6/debian/rules gnash-0.8.6/debian/rules --- gnash-0.8.6/debian/rules +++ gnash-0.8.6/debian/rules @@ -63,6 +63,7 @@ --with-npapi-plugindir=\$${prefix}/lib/gnash \ --with-kde-pluginprefix=\$${prefix} \ --with-plugins-install=system \ + --without-included-ltdl \ --enable-shared=yes \ --enable-sdk-install \ --enable-lotsa-warnings \
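
Review bot: the new entry in debian/changelog claims "Fix CVE-2009-3736 (on all archs)" and carries "(Closes: #559808)", while the accompanying message reports that passing the flag was not enough and that more investigation is needed for the main gnash package. Suggest wording the entry as what the upload actually does (pass --without-included-ltdl to configure) and dropping the Closes: tag until the linkage of every binary package has been confirmed, so the tracker does not record the CVE as fixed while the embedded copy may still be in use.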
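
Review bot: in debian/rules the added "--without-included-ltdl \" line only requests the system library, and nothing in the build verifies the outcome; per the message, ldd output for gtk-gnash was the same with and without this change. Suggest checking the configure output to see which libltdl was actually selected, and adding a post-build step that fails if sources from the bundled libltdl directory get compiled, so that a silent fallback to the convenience copy cannot ship unnoticed.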