After installing libtool-2.2.6b mpg123 stops working with the following error "[module.c:138] error: Failed to open module alsa: file not found [module.c:138] error: Failed to open module dummy: file not found " According to libtool's changelog "Don't load module.la from current directory by default. * libltdl/ltdl.c (try_dlopen): Do not attempt to load an unqualified module.la file from the current directory (by default) since doing so is insecure and is not compliant with the documentation." Last version of mpg123 (1.9.2, not yet in portage) is still affected, upstream seems aware of the problem. Reproducible: Always
Same here with libtool-2.2.6b: [module.c:138] error: Failed to open module alsa: file not found [module.c:138] error: Failed to open module sdl: file not found [module.c:138] error: Failed to open module jack: file not found [audio.c:180] error: Unable to find a working output module in this list: alsa,sdl,jack [audio.c:527] error: Failed to open audio output module [mpg123.c:779] error: Failed to initialize output, goodbye. Problem solved after downgrading to sys-devel/libtool-2.2.6a
the lastest upstream commit fixes this bug, i've tried a quick hack to the ebuild (version bump+libtool patch) and 1.9.2+libtools-2.2.6b now works here.
Created attachment 211056 [details, diff] Diff -u from mpg-123 1.9.0
Created attachment 211057 [details, diff] Libtool-2.2.6b compatibility patch from http://www.mpg123.org/cgi-bin/viewvc.cgi/trunk/src/module.c?r1=2377&r2=2446&sortby=date
@security: Please (re)read the first comment. If I'm not mistaken, you can run arbituary plugins (arbitrary code execution) long as you have write access to the directory mpg123 is ran from and pkgs like net-misc/liveice (servers) are using this. Wouldn't this cause pretty much any security situation, including privilege escalations? That said, it's now bumped in portage, *mpg123-1.9.2 (01 Dec 2009) 01 Dec 2009; Samuli Suominen <ssuominen@gentoo.org> +mpg123-1.9.2.ebuild, +files/mpg123-1.9.2-libtool.patch: Version bump wrt #294106, thanks to Shark <shark at bitchx.it> for reporting. Fix ABI handling wrt #295075, thanks to Ferret <ferret at explodingferret.com> for reporting.
Ok, it looks like it's only a problem if LD_LIBRARY_PATH is set to "." as per IRC discussion. And requesting it stable, to prevent people from doing dummy things, Please test and mark stable =media-sound/mpg123-1.9.2
Stable for HPPA.
amd64/x86 stable
ppc64 done
sparc stable
Stable for PPC.
alpha/ia64 stable, closing
Not so fast. GLSA request filed, waiting for GLSA to be magically produced...
Upstream has released mpg123-1.10.0 which incorporate the libtool patch.
Sorry, I have seen that this is assigned to security, reverting summary change since maybe this bug will be used for GLSA
doesn't need glsa, imho. removing sound@ from CC now, if you need us, please add back.
This should probably be closed this the version doesn't exist in the tree anymore.
Vote: NO, too. Closing noglsa.
