Fix a potential security issue in libltdl by making sure that the

current directory is not included in the search path. Bump revision
of libltdl. Patch backported from tez@

2 files changed, 95 insertions, 1 deletions

diff --git a/devel/libtool/distinfo b/devel/libtool/distinfo
index d077b5e857c..436077df600 100644
--- a/devel/libtool/distinfo
+++ b/devel/libtool/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.74 2009/07/08 21:01:43 markd Exp $
+$NetBSD: distinfo,v 1.75 2009/12/15 17:07:43 joerg Exp $
 
 SHA1 (libtool-1.5.26.tar.gz) = 4c1738351736562a951a345e24f233d00953ec0a
 RMD160 (libtool-1.5.26.tar.gz) = 4d1d7dd0308b98e8f590723ae5daddb8da49ac11
@@ -7,3 +7,4 @@ SHA1 (patch-aa) = 4c979de3439dfffa48295e094c1aee40c7e79fa6
 SHA1 (patch-ab) = 271e58419f0581f02b69094e865c16126b554f7b
 SHA1 (patch-ac) = 52f22f3f7a58e22d2240d0c6bb77455783ee5d70
 SHA1 (patch-ad) = e3e3164b1e9598deab233450a1f7a8262dd09d66
+SHA1 (patch-ae) = 958897656acd515487ddb0ae66cbc95e8531fbc4
diff --git a/devel/libtool/patches/patch-ae b/devel/libtool/patches/patch-ae
new file mode 100644
index 00000000000..c165320140b
--- /dev/null
+++ b/devel/libtool/patches/patch-ae
@@ -0,0 +1,93 @@
+$NetBSD: patch-ae,v 1.8 2009/12/15 17:07:43 joerg Exp $
+backport of libltdl 2.26b security fixes from gnu git repo
+
+--- libltdl/ltdl.c.orig	2009-11-30 18:14:58.302462100 -0600
++++ libltdl/ltdl.c	2009-11-30 18:17:57.759481200 -0600
+@@ -2192,7 +2192,8 @@
+ static	int	try_dlopen	      LT_PARAMS((lt_dlhandle *handle,
+ 						 const char *filename));
+ static	int	tryall_dlopen	      LT_PARAMS((lt_dlhandle *handle,
+-						 const char *filename));
++						 const char *filename,
++						 const char * useloader));
+ static	int	unload_deplibs	      LT_PARAMS((lt_dlhandle handle));
+ static	int	lt_argz_insert	      LT_PARAMS((char **pargz,
+ 						 size_t *pargz_len,
+@@ -2390,9 +2391,10 @@
+ }
+ 
+ static int
+-tryall_dlopen (handle, filename)
++tryall_dlopen (handle, filename, useloader)
+      lt_dlhandle *handle;
+      const char *filename;
++     const char *useloader;
+ {
+   lt_dlhandle	 cur;
+   lt_dlloader   *loader;
+@@ -2459,6 +2461,11 @@
+ 
+   while (loader)
+     {
++      if (useloader && strcmp(loader->loader_name, useloader))
++	{
++	  loader = loader->next;
++	  continue;
++	}
+       lt_user_data data = loader->dlloader_data;
+ 
+       cur->module = loader->module_open (data, filename);
+@@ -2528,7 +2535,7 @@
+       error += tryall_dlopen_module (handle,
+ 				     (const char *) 0, prefix, filename);
+     }
+-  else if (tryall_dlopen (handle, filename) != 0)
++  else if (tryall_dlopen (handle, filename, NULL) != 0)
+     {
+       ++error;
+     }
+@@ -2549,7 +2556,7 @@
+   /* Try to open the old library first; if it was dlpreopened,
+      we want the preopened version of it, even if a dlopenable
+      module is available.  */
+-  if (old_name && tryall_dlopen (handle, old_name) == 0)
++  if (old_name && tryall_dlopen (handle, old_name, "dlpreload") == 0)
+     {
+       return 0;
+     }
+@@ -2813,7 +2820,7 @@
+ 
+   /* Try to dlopen the file, but do not continue searching in any
+      case.  */
+-  if (tryall_dlopen (handle, filename) != 0)
++  if (tryall_dlopen (handle, filename,NULL) != 0)
+     *handle = 0;
+ 
+   return 1;
+@@ -3103,7 +3110,7 @@
+       /* lt_dlclose()ing yourself is very bad!  Disallow it.  */
+       LT_DLSET_FLAG (*phandle, LT_DLRESIDENT_FLAG);
+ 
+-      if (tryall_dlopen (&newhandle, 0) != 0)
++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
+ 	{
+ 	  LT_DLFREE (*phandle);
+ 	  return 1;
+@@ -3225,7 +3232,7 @@
+ 	    }
+ #endif
+ 	}
+-      if (!file)
++      else
+ 	{
+ 	  file = fopen (filename, LT_READTEXT_MODE);
+ 	}
+@@ -3412,7 +3419,7 @@
+ #endif
+ 		   )))
+ 	{
+-          if (tryall_dlopen (&newhandle, filename) != 0)
++          if (tryall_dlopen (&newhandle, filename, NULL) != 0)
+             {
+               newhandle = NULL;
+             }