
Bug#598664: unblock: lastfm/1:1.5.4.26862+dfsg-5
On Sun, Oct 03, 2010 at 04:01:11PM +0200, Julien Cristau wrote:
> On Thu, Sep 30, 2010 at 14:47:46 -0700, John Stamp wrote:
> 
> > Please unblock package lastfm
> > 
> > It contains a security relevant bugfix: CVE-2010-3362 (#598294)
> > 
> It also contains a bunch of other unrelated changes, not documented in
> the changelog.
> 
> Cheers,
> Julien

Yikes.  I'm sorry about that.  I backed out the undocumented patches and
uploaded -6, which now only adds the fix for CVE-2010-3362.

The diff from the version in testing is below:

diff --git a/debian/changelog b/debian/changelog
index 4ee2479..47f5048 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+lastfm (1:1.5.4.26862+dfsg-6) unstable; urgency=high
+
+  * Back out the undocumented changes that sneaked in with -5.  We only want
+    the fix for CVE-2010-3362.
+
+ -- John Stamp <jstamp@users.sourceforge.net>  Mon, 04 Oct 2010 13:23:01 -0700
+
+lastfm (1:1.5.4.26862+dfsg-5) unstable; urgency=high
+
+  * Fix CVE-2010-3362: insecure library loading (Closes: #598294)
+
+ -- John Stamp <jstamp@users.sourceforge.net>  Thu, 30 Sep 2010 14:03:23 -0700
+
 lastfm (1:1.5.4.26862+dfsg-4) unstable; urgency=low
 
   * Bump Standards-Version to 3.9.1.  No changes needed.
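Review bot: the -5 entry's "insecure library loading (Closes: #598294)" does not say what was insecure; the wrapper hunk below shows it is the trailing ':' that `export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}"` produces when LD_LIBRARY_PATH is unset, which ld.so treats as the current directory. A few words to that effect in the changelog line (e.g. "empty LD_LIBRARY_PATH element searched cwd") would help the security tracker and anyone backporting, and the -6 entry could name which patches were backed out so that "undocumented changes" is not itself undocumented.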
diff --git a/debian/package-files/bin/lastfm b/debian/package-files/bin/lastfm
index 34a2487..aef3654 100755
--- a/debian/package-files/bin/lastfm
+++ b/debian/package-files/bin/lastfm
@@ -1,5 +1,5 @@
 #!/bin/sh
 
 RUNDIR="/usr/lib/lastfm"
-export LD_LIBRARY_PATH="${RUNDIR}:${LD_LIBRARY_PATH}"
+export LD_LIBRARY_PATH="${RUNDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 exec "${RUNDIR}/last.fm" "$@"
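Review bot: `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` is the right fix for the trailing-':' problem, and `:+` rather than `+` is the right operator, since a set-but-empty LD_LIBRARY_PATH must also get no separator; with it unset or empty the export is now exactly `/usr/lib/lastfm`, with no empty element for ld.so to resolve to the current directory. Remaining caveat: an inherited LD_LIBRARY_PATH that already contains an empty element (leading or trailing ':' or '::') is passed through unchanged, so cwd can still be searched in that case. That is the caller's environment rather than this script's doing, but if the package wants to close it, setting RPATH/RUNPATH to /usr/lib/lastfm on the last.fm binary would remove the wrapper's need to touch LD_LIBRARY_PATH at all.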

Regards,

John Stamp
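The empty-element behaviour behind CVE-2010-3362, as an added example that is not part of this thread or of the lastfm package: the -4 and -6 wrapper forms from the hunk above side by side, plus a check that flags empty elements in a ':'-separated search path. `old_path`, `new_path`, `has_empty_element`, `report` and the sample inherited values are this example's own; it assumes glibc ld.so semantics, where an empty element in LD_LIBRARY_PATH is searched as the current working directory and a wholly empty LD_LIBRARY_PATH is ignored.

```shell
#!/bin/sh
# Added example: reproduces the LD_LIBRARY_PATH construction from the -4 and
# -6 lastfm wrappers side by side and checks the result for empty elements.
# Not code from the lastfm package or the thread. Assumes glibc ld.so
# semantics: an empty element in LD_LIBRARY_PATH (before/after a ':') is
# searched as the current working directory.

RUNDIR="/usr/lib/lastfm"

# Old wrapper (-4): always inserts ':' before the inherited value.
# With an unset or empty inherited value the result ends in ':'.
old_path() {
    printf '%s\n' "${RUNDIR}:$1"
}

# Fixed wrapper (-5/-6): ':' is only emitted when the inherited value is
# non-empty. ':+' (not '+') so that a set-but-empty value also gets no ':'.
new_path() {
    printf '%s\n' "${RUNDIR}${1:+:$1}"
}

# Exit 0 when a ':'-separated search path contains an empty element, i.e. a
# leading ':', a trailing ':' or '::'. A wholly empty string is not flagged:
# glibc ignores an empty LD_LIBRARY_PATH altogether.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Human-readable report for one inherited value; used by the demo below.
# $1: label, $2: inherited LD_LIBRARY_PATH value (constructed sample)
report() {
    old=$(old_path "$2")
    new=$(new_path "$2")
    printf '%-16s old=%-28s %s\n' "$1" "$old" \
        "$(has_empty_element "$old" && echo 'EMPTY ELEMENT (cwd searched)' || echo ok)"
    printf '%-16s new=%-28s %s\n' "$1" "$new" \
        "$(has_empty_element "$new" && echo 'EMPTY ELEMENT (cwd searched)' || echo ok)"
}

# Demo with constructed inherited values: unset/empty (the CVE case), a normal
# single directory, and a caller-supplied path that already has a trailing ':'.
report "unset/empty"    ""
report "one directory"  "/opt/lib"
report "trailing colon" "/opt/lib:"
```

The third sample shows the limit of the fix: when the caller's own LD_LIBRARY_PATH already ends in ':', both forms pass that empty element through, so the wrapper can only avoid introducing the problem, not undo one inherited from the environment.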



