
Bug#578542: pu: package mpg123/1.4.3-4lenny1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

DSA 1958 introduced a libtool update that would no longer add the current
working directory to the library search path (CVE-2009-3736). This broke the
mpg123 version in lenny which chdir()s to its plugin directory and relies on
the previous libtool behaviour to find its output modules. Therefore, I'd like
to ask for permission to upload a new version of mpg123 to proposed-updates
that fixes the regression. Debdiff is attached.

Regards,

Daniel.
diff -u mpg123-1.4.3/debian/changelog mpg123-1.4.3/debian/changelog
--- mpg123-1.4.3/debian/changelog
+++ mpg123-1.4.3/debian/changelog
@@ -1,3 +1,11 @@
+mpg123 (1.4.3-4lenny1) stable; urgency=medium
+
+  * src/module.c: Backport upstream patch to fix regression in module
+    loading when a libltdl with a fix for CVE-2009-3736 is in place.
+    Closes: #572920
+
+ -- Daniel Kobras <kobras@debian.org>  Mon, 29 Mar 2010 11:56:52 +0200
+
 mpg123 (1.4.3-4) unstable; urgency=medium
 
   * src/wav.c: Backport upstream patch for writing WAV output to stdout
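Review bot: The new entry says "Backport upstream patch" without identifying which upstream revision or release the fix comes from, and it does not say what actually changes in src/module.c. For a stable update, naming the upstream source and stating that modules are now opened with a "./" prefix would let the release team compare the backport against upstream without reading the code hunk.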
only in patch2:
unchanged:
--- mpg123-1.4.3.orig/src/module.c
+++ mpg123-1.4.3/src/module.c
@@ -93,13 +93,14 @@
 
 	chdir(moddir);
 	/* Work out the path of the module to open */
-	module_path_len = strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1;
+	/* Note that we need to open ./file, not just file! */
+	module_path_len = 2 + strlen(type) + 1 + strlen(name) + strlen(MODULE_FILE_SUFFIX) + 1;
 	module_path = malloc( module_path_len );
 	if (module_path == NULL) {
 		error1( "Failed to allocate memory for module name: %s", strerror(errno) );
 		goto om_bad;
 	}
-	snprintf( module_path, module_path_len, "%s_%s%s", type, name, MODULE_FILE_SUFFIX );
+	snprintf( module_path, module_path_len, "./%s_%s%s", type, name, MODULE_FILE_SUFFIX );
 	/* Display the path of the module created */
 	debug1( "Module path: %s", module_path );
 
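Review bot: The return value of chdir(moddir) in the first context line is still unchecked, and with this change the load depends entirely on it: "./%s_%s%s" resolves against whatever the working directory happens to be, so if chdir() fails the module is looked up in the directory mpg123 was started from rather than in the plugin directory. Check the result and goto om_bad on failure, or build the path from moddir itself so the lookup does not depend on the working directory. As a smaller point, the bare 2 in module_path_len would read better as strlen("./"), which keeps the length calculation visibly in step with the format string.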
