Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu
Hi!

DSA 1958 introduced a libtool update that would no longer add the current working directory to the library search path (CVE-2009-3736). This broke the mpg123 version in lenny, which chdir()s to its plugin directory and relies on the previous libtool behaviour to find its output modules. Therefore, I'd like to ask for permission to upload a new version of mpg123 to proposed-updates that fixes the regression. Debdiff is attached.

Regards,

Daniel.
diff -u mpg123-1.4.3/debian/changelog mpg123-1.4.3/debian/changelog --- mpg123-1.4.3/debian/changelog +++ mpg123-1.4.3/debian/changelog @@ -1,3 +1,11 @@ +mpg123 (1.4.3-4lenny1) stable; urgency=medium + + * src/module.c: Backport upstream patch to fix regression in module + loading when a libltdl with a fix for CVE-2009-3736 is in place. + Closes: #572920 + + -- Daniel Kobras <[email protected]> Mon, 29 Mar 2010 11:56:52 +0200 + mpg123 (1.4.3-4) unstable; urgency=medium * src/wav.c: Backport upstream patch for writing WAV output to stdout only in patch2: unchanged: --- mpg123-1.4.3.orig/src/module.c +++ mpg123-1.4.3/src/module.c @@ -93,13 +93,14 @@ chdir(moddir); /* Work out the path of the module to open */ - module_path_len = strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1; + /* Note that we need to open ./file, not just file! */ + module_path_len = 2 + strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1; module_path = malloc( module_path_len ); if (module_path == NULL) { error1( "Failed to allocate memory for module name: %s", strerror(errno) ); goto om_bad; } - snprintf( module_path, module_path_len, "%s_%s%s", type, name, MODULE_FILE_SUFFIX ); + snprintf( module_path, module_path_len, "./%s_%s%s", type, name, MODULE_FILE_SUFFIX ); /* Display the path of the module created */ debug1( "Module path: %s", module_path );
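Review bot: the debian/changelog entry (first hunk) describes the symptom but not the mechanism of the fix; a half-line such as "module paths are now built as ./type_name.so so the libltdl loader no longer depends on the cwd being in its search path" would let stable users see from the changelog why the libltdl DSA broke module loading. The Closes: #572920 reference, the stable target and the medium urgency are in order for a proposed-updates upload.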
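Review bot: in the src/module.c hunk the chdir(moddir) at the top still ignores its return value, and with the new "./%s_%s%s" format that matters more than before: if chdir() fails (missing directory, permissions), the open goes to ./type_name.so in whatever directory mpg123 was started in, which is exactly the current-directory lookup that the CVE-2009-3736 libltdl fix removed. Suggest checking it with the error path the hunk already has, e.g. `if (chdir(moddir) != 0) { error1("Cannot chdir to module directory: %s", strerror(errno)); goto om_bad; }`, or better still drop the chdir and build "%s/%s_%s%s" from moddir so neither the loader nor the rest of the process depends on the cwd at all. The length arithmetic in the hunk is correct: 2 for "./", plus type, '_', name, the suffix and the terminating NUL.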

