* Flameeyes QA Warning! Possibly bundled libraries
lt_dlopen /var/tmp/portage/app-emulation/hercules-3.05/image/usr/lib/libhercu.so
fixed with 3.06
Not even slightly, still there.
lt_dlopen /var/tmp/portage/app-emulation/hercules-3.06/image/usr/lib/libhercu.so
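An added example, not part of the original thread or of the Gentoo QA tooling: one way to settle whether a built module still bundles libltdl is to check whether it defines the `lt_dl*` entry points or only imports them. The marker list, the function names and the sample `nm -D` output are assumptions constructed for illustration.

```python
import subprocess

# Public libltdl entry points. A module that *defines* them carries its own
# copy of libltdl; one that only imports them resolves to the system library.
LTDL_MARKERS = {"lt_dlinit", "lt_dlexit", "lt_dlopen", "lt_dlopenext",
                "lt_dlsym", "lt_dlclose", "lt_dlerror"}

def classify(nm_output, markers=LTDL_MARKERS):
    """Split marker symbols found in `nm -D` output into (defined, imported)."""
    defined, imported = set(), set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) == 3:          # address, type, name
            sym_type, name = fields[1], fields[2]
        elif len(fields) == 2:        # no address column: undefined symbol
            sym_type, name = fields
        else:
            continue
        name = name.split("@", 1)[0]  # drop any symbol-version suffix
        if name not in markers:
            continue
        if sym_type in ("U", "w", "v"):
            imported.add(name)
        else:
            defined.add(name)
    return sorted(defined), sorted(imported)

def verdict(nm_output):
    """'bundled' if markers are defined, 'system' if only imported, else 'unused'."""
    defined, imported = classify(nm_output)
    return "bundled" if defined else "system" if imported else "unused"

def check_file(path):
    """Run nm on a real shared object (the system libltdl itself reports 'bundled')."""
    out = subprocess.run(["nm", "-D", path], capture_output=True,
                         text=True, check=True).stdout
    return verdict(out)

# Constructed sample output, not taken from a real hercules build.
BUNDLED = """\
0000000000021f40 T example_module_entry
0000000000034a10 T lt_dlopen
0000000000034c80 T lt_dlsym
"""
UNBUNDLED = """\
0000000000021f40 T example_module_entry
                 U lt_dlopen
                 U lt_dlsym
"""
```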
libtool, CVE-2009-3736, bug 295535 Mask for removal?
no
Very convincing. What about fixing it then?
i plan on it, so unless you have a patch pending, there's nothing to indicate this is a problem worth hassling users over
Created attachment 222215
Use system libltdl. **Untested.**

This patch will need:

    epatch "${FILESDIR}"/${P}-libtool.patch
    rm -f ltdl.{c,h}
    AT_M4DIR="autoconf m4" eautoreconf

Note that I couldn't test this since the package won't compile here with or without the patch (and I don't want to pollute this bug with unrelated errors).
This will be fixed in Hercules 3.08. It was brought to my attention too late in the release cycle to be included in 3.07.
...and if someone had told me there was a security hole involved, I'd have held the 3.07 release until this could have been included. As it is, I think we're going to have to greatly accelerate the timetable for 3.08.
i doubt the security issue in ltdl would really affect users of hercules
security out.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdfa6d51218b7690f423c4cba8c4173e770ac522

commit fdfa6d51218b7690f423c4cba8c4173e770ac522
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-02-28 20:22:07 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-02-28 20:22:07 +0000

    app-emulation/hercules: Bump to 3.13

    Bug: https://bugs.gentoo.org/252716
    Bug: https://bugs.gentoo.org/521032
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-emulation/hercules/Manifest | 1 +
 .../hercules/files/hercules-3.13-htmldir.patch | 25 ++
 .../files/hercules-3.13-unbundle-libltdl.patch | 347 +++++++++++++++++++++
 app-emulation/hercules/hercules-3.13.ebuild | 57 ++++
 4 files changed, 430 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0fa2a867cc1298a4c0cd3babab783072d2f6e102

commit 0fa2a867cc1298a4c0cd3babab783072d2f6e102
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-11-18 07:55:40 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-11-18 07:59:47 +0000

    app-emulation/hercules: do not delete libtool module .la files #720342

    Since hercules uses libltdl to load its internal modules, we need to
    leave the .la files in place for it to process.

    Also add subslot linkage to these libs while we're updating.

    Bug: https://bugs.gentoo.org/252716
    Closes: https://bugs.gentoo.org/720342
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 .../{hercules-3.13.ebuild => hercules-3.13-r1.ebuild} | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e93a59e8449cc696897529bda6e40076e0f7bc75

commit e93a59e8449cc696897529bda6e40076e0f7bc75
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-11-18 07:43:44 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-11-18 07:59:46 +0000

    app-emulation/hercules: fix ./libtool not found warnings #791859

    Use simpler logic to find shared library info, and use the system
    libtool to compile the test programs. This shouldn't really matter
    in practice as this test was defaulting to "no" when the code wasn't
    working correctly, and now that it is, it still ends up as "no" as
    the hack shouldn't be needed on Linux systems with good shared lib
    infrastructure.

    Bug: https://bugs.gentoo.org/252716
    Closes: https://bugs.gentoo.org/791859
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 .../files/hercules-3.13-unbundle-libltdl.patch | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b606ac8a2b93199a50eba964ee276de49054500

commit 3b606ac8a2b93199a50eba964ee276de49054500
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-11-18 07:23:43 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-11-18 07:59:45 +0000

    app-emulation/hercules: restore parallel install fix #772404

    Bug: https://bugs.gentoo.org/252716
    Closes: https://bugs.gentoo.org/772404
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 app-emulation/hercules/hercules-3.13.ebuild | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7609ae8d3ee84ed7313f19f3d677f251fcb5ea50

commit 7609ae8d3ee84ed7313f19f3d677f251fcb5ea50
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-11-18 07:20:04 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-11-18 07:59:45 +0000

    app-emulation/hercules: fix linking of modules with system libtool #779100

    Add missing linkage to the libhercu.la module for system libtool.
    This doesn't normally matter as the module is loaded by hercules
    which itself is linked against libtool.

    Bug: https://bugs.gentoo.org/252716
    Closes: https://bugs.gentoo.org/779100
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 app-emulation/hercules/files/hercules-3.13-unbundle-libltdl.patch | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)