Comment 1 Torsten Veller (RETIRED) 2009-05-16 08:28:23 UTC

It does, doesn't it?

Comment 2 Torsten Veller (RETIRED) 2009-05-16 08:30:52 UTC

ehm, i was looking at the wrong log file

Comment 3 Samuli Suominen (RETIRED) 2010-03-03 11:18:42 UTC

@net-mail: Do you want to fix this, or should I lastrite it? Vulnerable to CVE-2009-3736.

Comment 4 Samuli Suominen (RETIRED) 2010-03-06 10:54:45 UTC

Created attachment 222255 [details, diff]
Use system libltdl

**Untested patch**

epatch "${FILESDIR}"/${P}-libtool.patch
rm -rf libltdl
eautoreconf

Comment 5 Hanno Böck 2010-03-06 15:12:12 UTC

I just had a look at this and think this bug is invalid. authdaemon looks to me as the only part of courier-authlib using libltdl and on my system, installed with the in-tree ebuild without any patches, it's linked against /usr/lib64/libltdl as it should:
hanno@laverne /usr/lib/courier/courier-authlib $ ldd authdaemond 
        linux-vdso.so.1 =>  (0x00007fff240a8000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f69a2b37000)
[...]

So it seems courier-authlib bundles libltdl, but it doesn't use it if it's on the system - pretty fine imho. Correct me if I'm wrong.

Comment 6 Samuli Suominen (RETIRED) 2010-03-06 15:22:51 UTC

Created attachment 222291 [details]
build.log

You might be right, from build.log I can see only authdaemond linking to -lltdl and objdump -o confirms it's linked to system copy of libltdl.so.7.

The package builds and configures a copy of libltdl though, a bit ugly... but it never uses it

Comment 7 Samuli Suominen (RETIRED) 2010-03-06 15:23:28 UTC

(In reply to comment #6)
> and objdump -o confirms it's linked to system copy of libltdl.so.7.

sorry, -p

Comment 8 Diego Elio Pettenò (RETIRED) 2010-03-06 15:36:48 UTC

“nm -D --only-defined” over the file, does it show libltdl functions? If so it's linking *and* bundling.

Comment 9 Samuli Suominen (RETIRED) 2010-03-06 15:40:07 UTC

(In reply to comment #8)
> “nm -D --only-defined” over the file, does it show libltdl functions? If so
> it's linking *and* bundling.
> 

Doesn't look like it...

$ nm -D --defined-only /usr/lib64/courier/courier-authlib/authdaemond
0000000000403760 R _IO_stdin_used
00000000006051ec A __bss_start
00000000006051d8 D __data_start
0000000000403670 T __libc_csu_fini
0000000000403680 T __libc_csu_init
00000000006051ec A _edata
0000000000607260 A _end
0000000000403748 T _fini
00000000004014c8 T _init
00000000004018a0 T _start
0000000000605200 B courier_authdebug_login_level
00000000006051d8 W data_start
0000000000403780 R lt__PROGRAM__LTX_preloaded_symbols
0000000000403630 T main
0000000000403170 T start
0000000000605208 B stderr

Comment 10 Diego Elio Pettenò (RETIRED) 2010-03-06 15:43:50 UTC

Okay, then it's either a false positive or (more probable considered the bug# and date) was fixed over time.

Comment 11 Samuli Suominen (RETIRED) 2010-03-06 15:47:51 UTC

(In reply to comment #10)
> Okay, then it's either a false positive or (more probable considered the bug#
> and date) was fixed over time.
> 

Heh. The date...

Well, thanks both, Hanno and Diego for looking at this, let's close this then.