Bug 252716 - app-emulation/hercules bundles a copy of libltdl
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: s390 team
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks: bundled-libs
Reported: 2008-12-27 17:16 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2020-02-28 20:22 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Use system libltdl. (hercules-3.06-libtool.patch,11.92 KB, patch)
2010-03-05 21:27 UTC, Samuli Suominen

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-27 17:16:06 UTC
* Flameeyes QA Warning! Possibly bundled libraries
lt_dlopen  /var/tmp/portage/app-emulation/hercules-3.05/image/usr/lib/libhercu.so
Comment 1 SpanKY gentoo-dev 2009-01-11 08:36:00 UTC
fixed with 3.06
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-01-20 22:29:14 UTC
Not even slightly, still there.

lt_dlopen  /var/tmp/portage/app-emulation/hercules-3.06/image/usr/lib/libhercu.so
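Added example, not part of the original bug report and not the QA check's own code: one way to tell whether a shared object such as libhercu.so defines `lt_dlopen` itself (a bundled libltdl) or only imports it from the system library, by classifying `nm -D` output. The function name `classify_ltdl`, the symbol `example_entry`, and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Classify how a shared object relates to libltdl, based on `nm -D` output.
# nm prints defined symbols as "<address> <type> <name>" and undefined
# references as "U <name>" (two fields after leading blanks).

# classify_ltdl: reads `nm -D` output on stdin and prints one of
#   bundled - the object defines lt_dl* symbols (private libltdl copy built in)
#   system  - lt_dl* symbols appear only as undefined references (system libltdl)
#   none    - no lt_dl* symbols at all
classify_ltdl() {
    awk '
        # Take the symbol name and drop any "@VERSION" suffix.
        { name = $NF; sub(/@.*/, "", name) }
        name !~ /^lt_dl/ { next }
        NF == 2 && $1 == "U" { undef++; next }
        NF == 3 && $2 ~ /^[TWDB]$/ { def++ }
        END {
            if (def)        print "bundled"
            else if (undef) print "system"
            else            print "none"
        }'
}

# Constructed sample listings (not taken from a real build).
sample_bundled='0000000000021f40 T lt_dlopen
0000000000022a10 T lt_dlsym
                 U dlopen
0000000000010c80 T example_entry'

sample_system='                 U lt_dlopen
                 U lt_dlsym
0000000000010c80 T example_entry'

# With a path argument, inspect a real file; otherwise show the samples.
if [ -n "${1:-}" ]; then
    nm -D "$1" | classify_ltdl
else
    printf '%s\n' "$sample_bundled" | classify_ltdl
    printf '%s\n' "$sample_system"  | classify_ltdl
fi
```

A result of `bundled` means the package keeps carrying its own libltdl code and does not pick up fixes made to the system copy, such as the one for CVE-2009-3736 referenced in comment 3.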
Comment 3 Samuli Suominen gentoo-dev 2010-03-03 09:03:05 UTC
libtool, CVE-2009-3736, bug 295535

Mask for removal?
Comment 4 SpanKY gentoo-dev 2010-03-05 18:03:15 UTC
no
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-05 19:47:32 UTC
Very convincing. What about fixing it then?
Comment 6 SpanKY gentoo-dev 2010-03-05 20:56:25 UTC
i plan on it, so unless you have a patch pending, there's nothing to indicate this is a problem worth hassling users over
Comment 7 Samuli Suominen gentoo-dev 2010-03-05 21:27:03 UTC
Created attachment 222215
Use system libltdl.

**Untested.** 

This patch will need,

epatch "${FILESDIR}"/${P}-libtool.patch
rm -f ltdl.{c,h}
AT_M4DIR="autoconf m4" eautoreconf

Note that I couldn't test this since the package won't compile here with or without the patch (and I don't want to pollute this bug with unrelated errors).
Comment 8 Jay Maynard 2010-03-22 17:31:53 UTC
This will be fixed in Hercules 3.08. It was brought to my attention too late in the release cycle to be included in 3.07.
Comment 9 Jay Maynard 2010-03-22 17:34:49 UTC
...and if someone had told me there was a security hole involved, I'd have held the 3.07 release until this could have been included. As it is, I think we're going to have to greatly accelerate the timetable for 3.08.
Comment 10 SpanKY gentoo-dev 2010-03-22 19:48:38 UTC
i doubt the security issue in ltdl would really affect users of hercules
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-15 22:58:00 UTC
security out.
Comment 12 Larry the Git Cow gentoo-dev 2020-02-28 20:22:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdfa6d51218b7690f423c4cba8c4173e770ac522

commit fdfa6d51218b7690f423c4cba8c4173e770ac522
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-02-28 20:22:07 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-02-28 20:22:07 +0000

    app-emulation/hercules: Bump to 3.13
    
    Bug: https://bugs.gentoo.org/252716
    Bug: https://bugs.gentoo.org/521032
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-emulation/hercules/Manifest                    |   1 +
 .../hercules/files/hercules-3.13-htmldir.patch     |  25 ++
 .../files/hercules-3.13-unbundle-libltdl.patch     | 347 +++++++++++++++++++++
 app-emulation/hercules/hercules-3.13.ebuild        |  57 ++++
 4 files changed, 430 insertions(+)