252716 – app-emulation/hercules bundles a copy of libltdl

Bug 252716 - app-emulation/hercules bundles a copy of libltdl

Summary: app-emulation/hercules bundles a copy of libltdl

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	s390 team

URL:
Whiteboard:
Keywords:	PATCH

Depends on:
Blocks:	bundled-libs
	Show dependency tree

Reported:	2008-12-27 17:16 UTC by Diego Elio Pettenò (RETIRED)
Modified:	2020-02-28 20:22 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Use system libltdl. (hercules-3.06-libtool.patch,11.92 KB, patch) 2010-03-05 21:27 UTC, Samuli Suominen	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diego Elio Pettenò (RETIRED) gentoo-dev

2008-12-27 17:16:06 UTC

* Flameeyes QA Warning! Possibly bundled libraries
lt_dlopen  /var/tmp/portage/app-emulation/hercules-3.05/image/usr/lib/libhercu.so

Comment 1 SpanKY gentoo-dev

2009-01-11 08:36:00 UTC

fixed with 3.06

Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev

2009-01-20 22:29:14 UTC

Not even slightly, still there.

lt_dlopen  /var/tmp/portage/app-emulation/hercules-3.06/image/usr/lib/libhercu.so

Comment 3 Samuli Suominen gentoo-dev

2010-03-03 09:03:05 UTC

libtool, CVE-2009-3736, bug 295535

Mask for removal?

Comment 4 SpanKY gentoo-dev

2010-03-05 18:03:15 UTC

no

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev

2010-03-05 19:47:32 UTC

Very convincing. What about fixing it then?

Comment 6 SpanKY gentoo-dev

2010-03-05 20:56:25 UTC

i plan on it, so unless you have a patch pending, there's nothing to indicate this is a problem worth hassling users over

Comment 7 Samuli Suominen gentoo-dev

2010-03-05 21:27:03 UTC

Created attachment 222215 [details, diff]
Use system libltdl.

**Untested.** 

This patch will need,

epatch "${FILESDIR}"/${P}-libtool.patch
rm -f ltdl.{c,h}
AT_M4DIR="autoconf m4" eautoreconf

Note, that I couldn't test this since the package won't compile here with or without the patch (and I don't want to pollute this bug with
unrelated errors).

Comment 8 Jay Maynard 2010-03-22 17:31:53 UTC

This will be fixed in Hercules 3.08. It was brought to my attention too late in the release cycle to be included in 3.07.

Comment 9 Jay Maynard 2010-03-22 17:34:49 UTC

...and if someone had told me there was a security hole involved, I'd have held the 3.07 release until this could have been included. As it is, I think we're going to have to greatly accelerate the timetable for 3.08.

Comment 10 SpanKY gentoo-dev

2010-03-22 19:48:38 UTC

i doubt the security issue in ltdl would really affect users of hercules

Comment 11 Aaron Bauman Gentoo Infrastructure

2019-04-15 22:58:00 UTC

security out.

Comment 12 Larry the Git Cow gentoo-dev

2020-02-28 20:22:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdfa6d51218b7690f423c4cba8c4173e770ac522

commit fdfa6d51218b7690f423c4cba8c4173e770ac522
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-02-28 20:22:07 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-02-28 20:22:07 +0000

    app-emulation/hercules: Bump to 3.13
    
    Bug: https://bugs.gentoo.org/252716
    Bug: https://bugs.gentoo.org/521032
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-emulation/hercules/Manifest                    |   1 +
 .../hercules/files/hercules-3.13-htmldir.patch     |  25 ++
 .../files/hercules-3.13-unbundle-libltdl.patch     | 347 +++++++++++++++++++++
 app-emulation/hercules/hercules-3.13.ebuild        |  57 ++++
 4 files changed, 430 insertions(+)