Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Hi Stable Release Team,

Bug #702436 has recently been reported against graphviz, which advises
that graphviz is being linked with an ancient shipped version of libltdl
instead of the system version.  On investigation it has become clear
that the version being linked against is susceptible to a known security
issue - DSA-1958-1 (CVE-2009-3736).

I have already uploaded a fixed version to unstable for release with
wheezy, but the issue also affects version 2.26.3-5 of the package
in squeeze.  Accordingly I have created a stable update and the debdiff
for this is attached - it modifies the package to use the system ltdl as
it should have been doing all along.

I have contacted the security team (RT bug #4230) and they advise
that this is relatively minor and should be approached as a stable update.

I'd appreciate it if you could take a look and advise if you would like me
to upload it.

Cheers,
  
    David.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru graphviz-2.26.3/debian/changelog graphviz-2.26.3/debian/changelog
--- graphviz-2.26.3/debian/changelog	2010-07-04 10:12:32.000000000 +0100
+++ graphviz-2.26.3/debian/changelog	2013-03-19 23:25:23.000000000 +0000
@@ -1,3 +1,14 @@
+graphviz (2.26.3-5+squeeze1) stable; urgency=low
+
+  * Use system ltdl in place of version in subdir (Closes: #702436)
+    - Currently an ancient version of libltdl is being
+      shipped by upstream and linked against, unnoticed until now.
+      Changed configure.ac to ensure system ltdl is used instead
+    - Security issue - shipped ltdl is susceptible to issue
+      described in DSA-1958-1 (CVE-2009-3736)
+
+ -- David Claughton <d...@eclecticdave.com>  Tue, 19 Mar 2013 23:24:52 +0000
+
 graphviz (2.26.3-5) unstable; urgency=low
 
   [ David Claughton ]
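Review bot: the entry says configure.ac was changed to pick the system ltdl, but this debdiff touches no debian/control or debian/rules, so it is worth confirming in the upload that libltdl-dev is already a Build-Depends of the squeeze package and that the build regenerates configure (autoreconf or equivalent) from the patched configure.ac; without that the shipped configure script, and therefore the link against the bundled libltdl, is unchanged. The version 2.26.3-5+squeeze1 targeting "stable" is the right form for a squeeze proposed-update.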
diff -Nru graphviz-2.26.3/debian/patches/series graphviz-2.26.3/debian/patches/series
--- graphviz-2.26.3/debian/patches/series	2010-07-04 10:09:19.000000000 +0100
+++ graphviz-2.26.3/debian/patches/series	2013-03-19 23:25:23.000000000 +0000
@@ -8,3 +8,4 @@
 3_fix_dot_output
 3_fix_circo_segfault
 3_fix_vimdot_bashism
+use-system-ltdl.patch
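Review bot: the new entry uses a different naming style (".patch" suffix, no numeric prefix) from the existing "3_fix_*" entries in this series; if the series convention is meant to be kept, a name such as 3_use_system_ltdl would match the neighbours. Appending it last is fine as it touches only configure.ac, which none of the earlier patches modify according to this diff.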
diff -Nru graphviz-2.26.3/debian/patches/use-system-ltdl.patch graphviz-2.26.3/debian/patches/use-system-ltdl.patch
--- graphviz-2.26.3/debian/patches/use-system-ltdl.patch	1970-01-01 01:00:00.000000000 +0100
+++ graphviz-2.26.3/debian/patches/use-system-ltdl.patch	2013-03-19 23:25:23.000000000 +0000
@@ -0,0 +1,66 @@
+Index: graphviz/configure.ac
+===================================================================
+--- graphviz.orig/configure.ac	2013-03-10 22:51:42.000000000 +0000
++++ graphviz/configure.ac	2013-03-10 22:52:01.000000000 +0000
+@@ -464,30 +464,29 @@
+ dnl -----------------------------------
+ dnl libtool ltdl on-demand plugin loading
+ 
+-m4_ifdef([LT_INIT],
+-    [ #code that is for Libtool 2.x
+-AM_PROG_LIBTOOL
+-    ],
+-    [ #code that is for 1.5.x
+-    ])
++LT_INIT([dlopen])
++LT_CONFIG_LTDL_DIR([libltdl])
++LTDL_INIT
++
+ AC_ARG_ENABLE(ltdl,
+   [AS_HELP_STRING([--enable-ltdl],[support on-demand plugin loading])])
+ if test "x$enable_ltdl" != "xno"; then
+   AC_DEFINE(ENABLE_LTDL,1,[Define if you want on-demand plugin loading])
+-  AC_LIBTOOL_DLOPEN
+-m4_ifdef([LT_INIT],
+-    [ #code that is for Libtool 2.x
+-  LT_CONFIG_LTDL_DIR([libltdl])
+-  LTDL_INIT
+-    ],
+-    [ #code that is for 1.5.x
+-  AC_CONFIG_SUBDIRS([libltdl])
+-    ])
+   use_ltdl="Yes"
+-  
+-  AC_LIBLTDL_CONVENIENCE
+-  if test "x$DARWIN9" = "xyes"; then
+-     LIBLTDL_LDFLAGS="-Wl,-unexported_symbol,_lt_*"
++  # The lt_dladvise_init symbol was added with libtool-2.2
++  if test "x$with_included_ltdl" != "xyes"; then
++    save_CFLAGS="$CFLAGS"
++    save_LDFLAGS="$LDFLAGS"
++    CFLAGS="$CFLAGS $LTDLINCL"
++    LDFLAGS="$LDFLAGS $LIBLTDL"
++    AC_CHECK_LIB([ltdl], [lt_dladvise_init], [],
++       [AC_MSG_ERROR([installed libltdl is too old])])
++    LDFLAGS="$save_LDFLAGS"
++    CFLAGS="$save_CFLAGS"
++  else
++    if test "x$DARWIN9" = "xyes"; then
++      LIBLTDL_LDFLAGS="-Wl,-unexported_symbol,_lt_*"
++    fi
+   fi
+ else
+   use_ltdl="No (disabled)"
+@@ -496,12 +495,6 @@
+ AC_SUBST(INCLTDL)
+ AC_SUBST(LIBLTDL)
+ AC_SUBST(LIBLTDL_LDFLAGS)
+-m4_ifdef([LT_INIT],
+-    [ #code that is for Libtool 2.x
+-    ],
+-    [ #code that is for 1.5.x
+-AM_PROG_LIBTOOL
+-    ])
+ 
+ # Checks for libraries.
+ #AC_CHECK_LIB([ICE], [main])
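Review bot: AC_CHECK_LIB([ltdl], [lt_dladvise_init], [], [AC_MSG_ERROR(...)]) passes an empty action-if-found, so autoconf's default action applies and prepends -lltdl to LIBS (and defines HAVE_LIBLTDL) for every link that follows in the tree, not just the plugin-loading code; if that over-linking is unintended, pass `[:]` as the third argument and let the retained AC_SUBST(LIBLTDL) carry the library into the targets that need it. The patch also has no DEP-3 header; a Description naming DSA-1958-1 / CVE-2009-3736, plus "Bug-Debian: http://bugs.debian.org/702436", would record why the bundled copy is being dropped. Note that removing AC_LIBLTDL_CONVENIENCE is the line that actually stops the in-tree libltdl being selected, since that macro is what wired the convenience copy in, and the new "$with_included_ltdl" test depends on LTDL_INIT now running unconditionally above AC_ARG_ENABLE(ltdl), which this hunk does provide.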
