Bug 277089 - dev-lang/gnu-smalltalk bundles a number of copies of libltdl
Summary: dev-lang/gnu-smalltalk bundles a number of copies of libltdl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Luis Araujo (RETIRED)
Blocks: bundled-libs
Reported: 2009-07-08 19:15 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2010-05-07 07:24 UTC
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2009-07-08 19:15:46 UTC
* Flameeyes QA Warning! Possibly bundled libraries
lt_dlopen  /var/tmp/portage/dev-lang/gnu-smalltalk-3.0.5/image/usr/lib/libgst.so.7.0.1
lt_dlopen  /var/tmp/portage/dev-lang/gnu-smalltalk-3.0.5/image/usr/lib/smalltalk/i18n-3.0.5.so
lt_dlopen  /var/tmp/portage/dev-lang/gnu-smalltalk-3.0.5/image/usr/lib/smalltalk/iconv-3.0.5.so
lt_dlopen  /var/tmp/portage/dev-lang/gnu-smalltalk-3.0.5/image/usr/lib/smalltalk/digest-3.0.5.so
 * Flameeyes QA Warning (end)! Possibly bundled libraries

Would be nice if it used the system ltdl copy from libtool.
Comment 1 Luis Araujo (RETIRED) gentoo-dev 2010-01-04 09:40:20 UTC
These are the specific library bindings for Smalltalk. Changing these libs or generating on the fly (which isn't easy either) could introduce further problems.

Upstream changes required.

Comment 2 Luis Araujo (RETIRED) gentoo-dev 2010-01-04 09:40:58 UTC
*** Bug 277052 has been marked as a duplicate of this bug. ***
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-01-04 13:37:46 UTC
First of all you _always_ reply that you can't do anything and that is at least _wrong_ half the time.

Second of all, libltdl might very well be vulnerable, so please do work on this.

Third of all, don't dupe bugs randomly.
Comment 4 Luis Araujo (RETIRED) gentoo-dev 2010-01-04 14:01:56 UTC
This issue is pretty much the same as bug #247363.

So I will follow the same solution proposed there, report upstream and close this with that same status during this week.

If you don't like it, go and talk to upstream and help them with this.

Also, I will do the same with the duplicated bug #277052
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-01-04 14:06:05 UTC
This is an official QA warning to *not* do that.

This is a different matter than bug 247363 because this time it involves a *known vulnerable library*.

As for the test failure you duped, it has nothing to do with this.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-03-03 15:12:08 UTC
This seems to be a case of not using the bundled ltdl.{c,h} and linking against -lltdl, so the point in Comment #1 is moot.

And like Diego pointed out, this is now a case of security, CVE-2009-3736.

# Samuli Suominen <ssuominen@gentoo.org> (03 Mar 2010)
# Masked for QA, security
#
# Internal copy of vuln. libltdl, CVE-2009-3736
#
# http://bugs.gentoo.org/show_bug.cgi?id=277089
#
# Masked for removal in 60 days
dev-lang/gnu-smalltalk
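The QA warning in the description flags objects that define lt_dlopen themselves, and Comment 6 describes the fix (drop the bundled ltdl.c and link against -lltdl). The check below, an added example that is not part of this bug or of GNU Smalltalk, reproduces that classification from `readelf -W --dyn-syms` and `readelf -d` output: a defined lt_dl* symbol means a bundled copy, an undefined one backed by a NEEDED libltdl entry means the system library is used. The readelf listings and the libltdl.so.7 soname are constructed sample data; `classify_file` assumes binutils readelf is on PATH.

```python
import re
import subprocess

# Constructed sample: readelf output for an object that carries its own copy of
# libltdl (lt_dlopen is *defined*, section index 12) with no NEEDED libltdl.
BUNDLED_DYNSYMS = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND dlopen@GLIBC_2.2.5 (2)
    12: 0000000000004f20   251 FUNC    GLOBAL DEFAULT   12 lt_dlopen
    13: 0000000000005020    90 FUNC    GLOBAL DEFAULT   12 lt_dlinit
"""
BUNDLED_DYNAMIC = """\
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
# Constructed sample: the same object built against the system libltdl; the
# lt_dl* symbols are now imports (Ndx UND) satisfied by a NEEDED libltdl entry.
SYSTEM_DYNSYMS = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND lt_dlopen
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND lt_dlinit
"""
SYSTEM_DYNAMIC = """\
 0x0000000000000001 (NEEDED)             Shared library: [libltdl.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

# Capture the Ndx column and any lt_dl* symbol name from a --dyn-syms row.
SYM_RE = re.compile(r"^\s*\d+:\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(lt_dl\w*)")
NEEDED_RE = re.compile(r"\(NEEDED\).*\[(libltdl\.so[^\]]*)\]")

def classify_ltdl(dynsyms: str, dynamic: str) -> dict:
    """Decide whether an object bundles libltdl or resolves it from the system."""
    defined, imported = [], []
    for line in dynsyms.splitlines():
        m = SYM_RE.match(line)
        if m:
            ndx, name = m.groups()
            (imported if ndx == "UND" else defined).append(name.split("@")[0])
    needed = NEEDED_RE.search(dynamic) is not None
    if defined:
        verdict = "bundled"      # own ltdl.c compiled in: needs the CVE fix itself
    elif imported and needed:
        verdict = "system"       # fixed by updating the distro libltdl
    elif imported:
        verdict = "unresolved"   # imports lt_dl* but no libltdl is NEEDED
    else:
        verdict = "none"
    return {"defined": defined, "imported": imported, "needed_libltdl": needed, "verdict": verdict}

def classify_file(path: str) -> dict:
    """Run readelf on a real shared object (e.g. libgst.so) and classify it."""
    run = lambda *a: subprocess.run(["readelf", "-W", *a, path], capture_output=True, text=True, check=True).stdout
    return classify_ltdl(run("--dyn-syms"), run("-d"))
```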
Comment 7 Paolo Bonzini 2010-03-04 08:46:39 UTC
The security issue is fixed by commit 232557c9 upstream.
Comment 8 Paolo Bonzini 2010-03-04 08:58:48 UTC
Also, upstream commit 0757a0cd provides --with-system-libltdl.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2010-03-04 10:51:15 UTC
Thanks Paolo!  Here are, for maintainer (or security) convenience, links to the related patches:

The ./configure switch,

http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=0757a0cddd4df0153508069f47286cbc415f56c3

This should likely be applied too, to not build static ones,

http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=a35454e6837484a468c2ed786557c8f3d47df4ce

CVE patch,

http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=232557c9e5a24f5dbd18ad9a2106cafb74e4e0cf

Comment 10 Paolo Bonzini 2010-03-04 12:27:27 UTC
> The ./configure switch,
> 
> http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=0757a0cddd4df0153508069f47286cbc415f56c3
> 
> This should likely be applied too, to not build static ones,
> 
> http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=a35454e6837484a468c2ed786557c8f3d47df4ce

Unfortunately this one, which was my first reaction to the libtool CVE, had to be reverted later (c1d40393).

> CVE patch,
> 
> http://git.savannah.gnu.org/gitweb/?p=smalltalk.git;a=patch;h=232557c9e5a24f5dbd18ad9a2106cafb74e4e0cf

This is probably pointless for gentoo, but yes, it should be applied too just for safety.

Paolo
Comment 11 Paolo Bonzini 2010-03-13 15:29:08 UTC
Ping?
Comment 12 Víctor Ostorga (RETIRED) gentoo-dev 2010-05-06 15:52:08 UTC
This is fixed in gnu-smalltalk-3.2
Thanks to Paolo Bonzini and Samuli Suominen for the heads up.