tags 559803 + patch
thanks
Dear Andreas,
I have prepared an NMU for cvsnt (version 2.5.04.3236-1.2) to use
the system libtool/libltdl instead of its own bundled version,
according to Policy §4.13, thus fixing CVE-2009-3736.
As was suggested here at the BSP, I’ll have it uploaded into
unstable instead of a DELAYED/2, since it’s a security issue.
bye,
//mirabilos
--
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font. -- Rob Pike in Notes on Programming in C
reverted: cvsnt-2.5.04.3236/config.sub
reverted: cvsnt-2.5.04.3236/config.guess
(note, these will be auto-reverted by debian/rules clean anyway, hence
the diff for these is not included for brevity)
diff -u cvsnt-2.5.04.3236/debian/control cvsnt-2.5.04.3236/debian/control
--- cvsnt-2.5.04.3236/debian/control
+++ cvsnt-2.5.04.3236/debian/control
@@ -3,7 +3,8 @@
Priority: optional
Maintainer: Andreas Tscharner a...@vis.ethz.ch
Uploaders: Christian Bayle ba...@debian.org
-Build-Depends: debhelper (= 7.0.17), autotools-dev, zlib1g-dev,
libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev,
libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch
+Build-Depends: debhelper (= 7.0.17), autotools-dev, zlib1g-dev,
libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev,
libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch, autoconf (=
2.61~), automake1.10, libltdl-dev, libtool
+Build-Conflicts: autoconf2.13, automake1.4
Standards-Version: 3.8.1
Homepage: http://www.cvsnt.org/wiki/Download
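Review bot: Adding libltdl-dev/libtool to Build-Depends only replaces the build-time copy; CVE-2009-3736 is closed at runtime only if the cvsnt binary packages end up depending on the fixed system libltdl, which requires the binary stanzas (not in this hunk) to use `${shlibs:Depends}` and nothing from the bundled ltdl tree to remain statically linked in. Worth checking the built package with `objdump -p` / `dpkg-shlibdeps` that it needs libltdl.so.7 and defines no lt_dl* symbols of its own. The operators in `debhelper (= 7.0.17)` and `autoconf (= 2.61~)` look like a `>=` lost in transit (the unchanged debhelper line shows the same), so confirm the real file reads `autoconf (>= 2.61~)`.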
diff -u cvsnt-2.5.04.3236/debian/changelog cvsnt-2.5.04.3236/debian/changelog
--- cvsnt-2.5.04.3236/debian/changelog
+++ cvsnt-2.5.04.3236/debian/changelog
@@ -1,3 +1,11 @@
+cvsnt (2.5.04.3236-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Use autoreconf in order to use system libltdl instead of the bundled
+one (upgrading from 1.x to 2.2). (Closes: #559803) (CVE-2009-3736)
+
+ -- Thorsten Glaser t...@mirbsd.de Sun, 24 Jan 2010 15:40:34 +
+
cvsnt (2.5.04.3236-1.1) unstable; urgency=medium
[Jari Aalto]
diff -u cvsnt-2.5.04.3236/debian/rules cvsnt-2.5.04.3236/debian/rules
--- cvsnt-2.5.04.3236/debian/rules
+++ cvsnt-2.5.04.3236/debian/rules
@@ -27,15 +27,16 @@
CFLAGS += -O2
endif
-config.status: configure
+config.status: patch-stamp configure.in
dh_testdir
+ autoreconf -fvi
# Add here commands to configure the package.
- CFLAGS=$(CFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE)
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man
--infodir=\$${prefix}/share/info
+ CFLAGS=$(CFLAGS) ./configure --host=$(DEB_HOST_GNU_TYPE)
--build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man
--infodir=\$${prefix}/share/info --without-included-ltdl
build: build-stamp
-build-stamp: config.status patch-stamp
+build-stamp: config.status
dh_testdir
# Add here commands to compile the package.
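Review bot: `--without-included-ltdl` is only honoured if the regenerated configure comes from a configure.in that calls libtool 2.2's `LTDL_INIT`; an autoconf script that does not know the option merely warns "unrecognized option" and continues, which would silently keep using the bundled (vulnerable) ltdl. I would verify this in the build log, or make the recipe fail hard, e.g. `./configure --help | grep -q -- --without-included-ltdl` before the configure line. The prerequisite change to `configure.in` is right since `autoreconf -fvi` now regenerates `configure` here, and dropping `patch-stamp` from build-stamp is fine because config.status carries it; the configure invocation line itself continues beyond what this hunk shows.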
@@ -51,13 +52,22 @@
# Add here commands to clean up after the build process.
[ ! -f Makefile ] || $(MAKE) distclean
-ifneq $(wildcard /usr/share/misc/config.sub)
- cp -f /usr/share/misc/config.sub config.sub
-endif
-ifneq $(wildcard /usr/share/misc/config.guess)
- cp -f /usr/share/misc/config.guess config.guess
-endif
+ rm -rf aclocal.m4 libltdl config.guess config.sub pcre/aclocal.m4 \
+ pcre/config.h.in pcre/configure pcre/ltmain.sh zlib/zconf.h \
+ INSTALL config.h.in configure depcomp install-sh ltmain.sh \
+ missing mkinstalldirs
+ find . -name Makefile.in | while read name; do \
+ test '!' -e $${name%in}am || rm -f $$name; \
+ done
+ cd libxml rm -f INSTALL aclocal.m4 config.guess config.h.in \
+ config.sub configure depcomp install-sh ltmain.sh missing \
+ mkinstalldirs
+ cd protocols/ntlm rm -f m4/libtool.m4 m4/ltoptions.m4 \
+ m4/ltsugar.m4 m4/ltversion.m4 m4/'lt~obsolete.m4' INSTALL \
+ aclocal.m4 config.guess config.h.in config.sub configure \
+ depcomp install-sh ltmain.sh missing mkinstalldirs
+ mkdir libltdl
dh_clean version_check
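Review bot: The lines `cd libxml rm -f …` and `cd protocols/ntlm rm -f …` have no `&&` between `cd` and `rm` as shown; if that is not a transit artifact, `cd` gets extra arguments and the rm never runs, so they should read `cd libxml && rm -f INSTALL aclocal.m4 …` (each recipe line is its own shell, so the cd does not leak either way). The `find … | while read name` loop should use `read -r` and quote `"$${name%in}am"` / `"$$name"` so odd paths cannot break the clean. Since `rm -rf … libltdl` is what removes the bundled copy with CVE-2009-3736 and `mkdir libltdl` immediately recreates it, a comment is warranted, e.g. `# drop the bundled (vulnerable) libltdl; keep an empty dir for libtoolize/configure to populate at build time` — the reason for the empty dir is inferred and should be confirmed.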
diff -u cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
--- cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
+++ cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
@@ -1,28 +1,54 @@
-#! /bin/sh -e
+#! /bin/sh /usr/share/dpatch/dpatch-run
## config.dpatch
-## Ralf Treinen trei...@debian.org
+## Thorsten Glaser t...@mirbsd.org
##
## All lines beginning with `## DP:' are a description of the patch.
-## DP: replace all config.{guess,sub} by the vesion installed in
-## DP: /usr/share/misc
+## DP: fix autoconf system to work