* Flameeyes QA Warning! Possibly bundled libraries
  lt_dlopen /var/tmp/portage/app-emulation/hercules-3.05/image/usr/lib/libhercu.so
fixed with 3.06
Not even slightly, still there.
  lt_dlopen /var/tmp/portage/app-emulation/hercules-3.06/image/usr/lib/libhercu.so
libtool, CVE-2009-3736, bug 295535 Mask for removal?
no
Very convincing. What about fixing it then?
i plan on it, so unless you have a patch pending, there's nothing to indicate this is a problem worth hassling users over
Created attachment 222215 [details, diff]
Use system libltdl. **Untested.**

This patch will need:

    epatch "${FILESDIR}"/${P}-libtool.patch
    rm -f ltdl.{c,h}
    AT_M4DIR="autoconf m4" eautoreconf

Note, that I couldn't test this since the package won't compile here with or without the patch (and I don't want to pollute this bug with unrelated errors).
This will be fixed in Hercules 3.08. It was brought to my attention too late in the release cycle to be included in 3.07.
...and if someone had told me there was a security hole involved, I'd have held the 3.07 release until this could have been included. As it is, I think we're going to have to greatly accelerate the timetable for 3.08.
i doubt the security issue in ltdl would really affect users of hercules
security out.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdfa6d51218b7690f423c4cba8c4173e770ac522

commit fdfa6d51218b7690f423c4cba8c4173e770ac522
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-02-28 20:22:07 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-02-28 20:22:07 +0000

    app-emulation/hercules: Bump to 3.13

    Bug: https://bugs.gentoo.org/252716
    Bug: https://bugs.gentoo.org/521032
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-emulation/hercules/Manifest                    |   1 +
 .../hercules/files/hercules-3.13-htmldir.patch     |  25 ++
 .../files/hercules-3.13-unbundle-libltdl.patch     | 347 +++++++++++++++++++++
 app-emulation/hercules/hercules-3.13.ebuild        |  57 ++++
 4 files changed, 430 insertions(+)