[ooo-build] security fix for CVE-2009-3736

Rene Engelhard rene at debian.org
Wed Dec 16 15:24:38 PST 2009


Hi,

On Wed, Dec 16, 2009 at 08:55:42PM -0200, Rafael Cabral wrote:
> Do you know if there is some --with-system-libxmlsec available ?  We are  

There isn't. There was one once, but it will not work ever unless
the whole stuff is drastically changed. (Or you patch your xmlsec
with all the intrusive changes OOo did on xmlsec). At least it got
updated to a current upstream in 3.2, but still with an intrusive patch...

If there was one, distros would already be using it, be sure :-)

> dealing with the CVE-2009-3736 [1] that affects libltdl, which is
> bundled in xmlsec. As I didn't find any option to link
> ooo-build 3.1.1 with a fixed system version, I've adapted a patch our
> secteam has done to fix xmlsec 1.2.10 based on [2].

OOo builds do *not* use --enable-crypto_dl for xmlsec.
So, as far as I can see, the bundled ltdl code is not used -> not affected.

> The patch (xmlsec-CVE-2009-3736.diff) appends the fix in the  
> ./libxmlsec/xmlsec1-1.2.6.patch to be properly applied.

Yes, that's the correct way if you want to fix it, but as said it's probably
not needed anyway.

In any case, you should have talked with the OOo security team, I Cc them
for reference...

> diff -p -up ./libxmlsec/xmlsec1-1.2.6.patch.orig_ ./libxmlsec/xmlsec1-1.2.6.patch
> --- ./libxmlsec/xmlsec1-1.2.6.patch.orig_	2009-12-16 15:18:47.000000000 -0500
> +++ ./libxmlsec/xmlsec1-1.2.6.patch	2009-12-16 15:22:24.000000000 -0500
> @@ -15361,3 +15361,183 @@
>   XMLSEC_NSS_ALIBS    	= smime3.lib ssl3.lib nss3.lib libnspr4_s.lib libplds4_s.lib libplc4_s.lib kernel32.lib user32.lib gdi32.lib
>   
>   XMLSEC_MSCRYPTO_SOLIBS  = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib
> +diff -p -up xmlsec1-1.2.10/src/ltdl.c.ltdl xmlsec1-1.2.10/src/ltdl.c
> +--- misc/xmlsec1-1.2.6/src/ltdl.c.ltdl	2003-09-11 19:40:14.000000000 -0400
> ++++ misc/build/xmlsec1-1.2.6/src/ltdl.c	2009-11-26 15:23:46.000000000 -0500
> +@@ -1426,9 +1426,10 @@ lt_dlexit ()
> + }
> + 
> + static int
> +-tryall_dlopen (handle, filename)
> ++tryall_dlopen (handle, filename, useloader)
> +      lt_dlhandle *handle;
> +      const char *filename;
> ++     const char *useloader;
> + {
> +   lt_dlhandle	 cur;
> +   lt_dlloader   *loader;
> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
> + 
> +   while (loader)
> +     {
> ++      if (useloader && strcmp(loader->loader_name, useloader))
> ++	{
> ++	  loader = loader->next;
> ++	  continue;
> ++	}
> +       lt_user_data data = loader->dlloader_data;
> + 
> +       cur->module = loader->module_open (data, filename);
> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
> +   /* try to open the old library first; if it was dlpreopened,
> +      we want the preopened version of it, even if a dlopenable
> +      module is available */
> +-  if (old_name && tryall_dlopen(handle, old_name) == 0)
> ++  if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
> +     {
> +       return 0;
> +     }
> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
> + 	    }
> + 
> + 	  sprintf (filename, "%s/%s", libdir, dlname);
> +-	  error = (tryall_dlopen (handle, filename) != 0);
> ++	  error = (tryall_dlopen (handle, filename, NULL) != 0);
> + 	  LT_DLFREE (filename);
> + 
> + 	  if (!error)
> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
> + 	  strcat(filename, objdir);
> + 	  strcat(filename, dlname);
> + 
> +-	  error = tryall_dlopen (handle, filename) != 0;
> ++	  error = tryall_dlopen (handle, filename, NULL) != 0;
> + 	  LT_DLFREE (filename);
> + 	  if (!error)
> + 	    {
> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
> + 	  }
> + 	strcat(filename, dlname);
> + 
> +-	error = (tryall_dlopen (handle, filename) != 0);
> ++	error = (tryall_dlopen (handle, filename, NULL) != 0);
> + 	LT_DLFREE (filename);
> + 	if (!error)
> + 	  {
> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir, 
> +       strcpy(filename+lendir, basename);
> +       if (handle)
> + 	{
> +-	  if (tryall_dlopen (handle, filename) == 0)
> ++	  if (tryall_dlopen (handle, filename, NULL) == 0)
> + 	    {
> + 	      result = (lt_ptr) handle;
> + 	      goto cleanup;
> +@@ -2032,7 +2038,7 @@ lt_dlopen (filename)
> +       /* lt_dlclose()ing yourself is very bad!  Disallow it.  */
> +       LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
> + 
> +-      if (tryall_dlopen (&newhandle, 0) != 0)
> ++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
> + 	{
> + 	  LT_DLFREE (handle);
> + 	  return 0;
> +@@ -2324,7 +2330,7 @@ lt_dlopen (filename)
> + #ifdef LTDL_SYSSEARCHPATH
> + 		   && !find_file (basename, sys_search_path, 0, &newhandle)
> + #endif
> +-		   )) && tryall_dlopen (&newhandle, filename))
> ++		   )) && tryall_dlopen (&newhandle, filename, NULL))
> + 	{
> + 	  LT_DLFREE (handle);
> + 	  goto cleanup;
> +diff -p -up xmlsec1-1.2.10/src/xmlsec-ltdl.c.ltdl xmlsec1-1.2.10/src/xmlsec-ltdl.c
> +--- misc/xmlsec1-1.2.6/src/xmlsec-ltdl.c.ltdl	2006-06-12 16:15:08.000000000 -0400
> ++++ misc/build/xmlsec1-1.2.6/src/xmlsec-ltdl.c	2009-11-26 15:25:33.000000000 -0500
> +@@ -1426,9 +1426,10 @@ xmlsec_lt_dlexit ()
> + }
> + 
> + static int
> +-tryall_dlopen (handle, filename)
> ++tryall_dlopen (handle, filename, useloader)
> +      xmlsec_lt_dlhandle *handle;
> +      const char *filename;
> ++     const char *useloader;
> + {
> +   xmlsec_lt_dlhandle	 cur;
> +   xmlsec_lt_dlloader   *loader;
> +@@ -1484,6 +1485,11 @@ tryall_dlopen (handle, filename)
> + 
> +   while (loader)
> +     {
> ++      if (useloader && strcmp(loader->loader_name, useloader))
> ++	{
> ++	  loader = loader->next;
> ++	  continue;
> ++	}
> +       xmlsec_lt_user_data data = loader->dlloader_data;
> + 
> +       cur->module = loader->module_open (data, filename);
> +@@ -1526,7 +1532,7 @@ find_module (handle, dir, libdir, dlname
> +   /* try to open the old library first; if it was dlpreopened,
> +      we want the preopened version of it, even if a dlopenable
> +      module is available */
> +-  if (old_name && tryall_dlopen(handle, old_name) == 0)
> ++  if (old_name && tryall_dlopen(handle, old_name, "dlpreload") == 0)
> +     {
> +       return 0;
> +     }
> +@@ -1549,7 +1555,7 @@ find_module (handle, dir, libdir, dlname
> + 	    }
> + 
> + 	  sprintf (filename, "%s/%s", libdir, dlname);
> +-	  error = (tryall_dlopen (handle, filename) != 0);
> ++	  error = (tryall_dlopen (handle, filename, NULL) != 0);
> + 	  LT_DLFREE (filename);
> + 
> + 	  if (!error)
> +@@ -1581,7 +1587,7 @@ find_module (handle, dir, libdir, dlname
> + 	  strcat(filename, objdir);
> + 	  strcat(filename, dlname);
> + 
> +-	  error = tryall_dlopen (handle, filename) != 0;
> ++	  error = tryall_dlopen (handle, filename, NULL) != 0;
> + 	  LT_DLFREE (filename);
> + 	  if (!error)
> + 	    {
> +@@ -1604,7 +1610,7 @@ find_module (handle, dir, libdir, dlname
> + 	  }
> + 	strcat(filename, dlname);
> + 
> +-	error = (tryall_dlopen (handle, filename) != 0);
> ++	error = (tryall_dlopen (handle, filename, NULL) != 0);
> + 	LT_DLFREE (filename);
> + 	if (!error)
> + 	  {
> +@@ -1719,7 +1725,7 @@ find_file (basename, search_path, pdir, 
> +       strcpy(filename+lendir, basename);
> +       if (handle)
> + 	{
> +-	  if (tryall_dlopen (handle, filename) == 0)
> ++	  if (tryall_dlopen (handle, filename, NULL) == 0)
> + 	    {
> + 	      result = (xmlsec_lt_ptr) handle;
> + 	      goto cleanup;
> +@@ -2032,7 +2038,7 @@ xmlsec_lt_dlopen (filename)
> +       /* xmlsec_lt_dlclose()ing yourself is very bad!  Disallow it.  */
> +       LT_DLSET_FLAG (handle, LT_DLRESIDENT_FLAG);
> + 
> +-      if (tryall_dlopen (&newhandle, 0) != 0)
> ++      if (tryall_dlopen (&newhandle, 0, NULL) != 0)
> + 	{
> + 	  LT_DLFREE (handle);
> + 	  return 0;
> +@@ -2324,7 +2330,7 @@ xmlsec_lt_dlopen (filename)
> + #ifdef LTDL_SYSSEARCHPATH
> + 		   && !find_file (basename, sys_search_path, 0, &newhandle)
> + #endif
> +-		   )) && tryall_dlopen (&newhandle, filename))
> ++		   )) && tryall_dlopen (&newhandle, filename, NULL))
> + 	{
> + 	  LT_DLFREE (handle);
> + 	  goto cleanup;
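Review bot: In both `tryall_dlopen` loop hunks (src/ltdl.c and src/xmlsec-ltdl.c) the new `if (useloader && strcmp(loader->loader_name, useloader))` block sits ahead of the declaration `lt_user_data data = loader->dlloader_data;` (`xmlsec_lt_user_data data` in the second file), which puts a declaration after a statement inside the `while` body. This K&R-style source may be built with C89-only compilers, so the guard would be safer placed directly below that declaration. The restriction added in `find_module` only takes effect if the preload loader is registered under exactly the name `"dlpreload"` in both files, which is not visible here; if the string differs, every loader is skipped and `old_name` is never opened, so a comment such as `/* "dlpreload" must match the name the preload loader is registered under */` next to the call would help. The inner `diff` lines name xmlsec1-1.2.10 while the `---`/`+++` paths name xmlsec1-1.2.6 with identical hunk offsets in both files, so it is worth confirming that the appended hunks apply to the 1.2.6 tree without fuzz or rejects. All of the patched function bodies start and end outside the hunks shown.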

Grüße/Regards,

Rene
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  rene at debian.org | GnuPG-Key ID: D03E3E70
   `-   Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70

