[Pkg-pulseaudio-devel] [SCM] pulseaudio packaging branch, patches, updated. upstream/0.9.15-29-gbbfd291
sjoerd at users.alioth.debian.org
sjoerd at users.alioth.debian.org
Sun Jul 26 13:05:47 UTC 2009
The branch, patches has been updated
via bbfd291ef59716b8bc098c1943b609b66f269bdf (commit)
from a15f3868f0b645fa07e1555a5c2812516af86b1e (commit)
- Shortlog ------------------------------------------------------------
bbfd291 Fix CVE-2009-1894 (race allows privilege escalation to root)
Summary of changes:
Makefile.in | 5 ++-
configure | 85 ++++++++++++++++++++++++++++++++++++++++++--------
configure.ac | 6 +++
doxygen/Makefile.in | 1 +
man/Makefile.in | 1 +
src/Makefile.am | 4 +-
src/Makefile.in | 5 ++-
src/daemon/main.c | 22 -------------
8 files changed, 87 insertions(+), 42 deletions(-)
-----------------------------------------------------------------------
Details of changes:
commit bbfd291ef59716b8bc098c1943b609b66f269bdf
Author: Nico Golde <nion at debian.org>
Date: Sun Jul 26 15:04:48 2009 +0200
Fix CVE-2009-1894 (race allows privilege escalation to root)
diff --git a/Makefile.in b/Makefile.in
index faf47ff..6564348 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -63,8 +63,8 @@ DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/libpulse-simple.pc.in $(srcdir)/libpulse.pc.in \
$(srcdir)/shave-libtool.in $(srcdir)/shave.in \
$(top_srcdir)/configure $(top_srcdir)/src/pulse/version.h.in \
- ABOUT-NLS compile config.guess config.rpath config.sub depcomp \
- install-sh ltmain.sh missing
+ ABOUT-NLS ChangeLog compile config.guess config.rpath \
+ config.sub depcomp install-sh ltmain.sh missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/acx_libwrap.m4 \
$(top_srcdir)/m4/acx_lirc.m4 $(top_srcdir)/m4/acx_pthread.m4 \
@@ -191,6 +191,7 @@ HAVE_POLKIT = @HAVE_POLKIT@
HAVE_SOLARIS = @HAVE_SOLARIS@
HAVE_UDEV = @HAVE_UDEV@
HAVE_X11 = @HAVE_X11@
+IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
diff --git a/configure b/configure
index 6b50cae..6f831a4 100755
--- a/configure
+++ b/configure
@@ -991,6 +991,7 @@ DLLTOOL
AS
BUILD_TESTS_DEFAULT_FALSE
BUILD_TESTS_DEFAULT_TRUE
+IMMEDIATE_LDFLAGS
VERSIONING_LDFLAGS
M4
EGREP
@@ -5624,6 +5625,62 @@ fi
+
+ { $as_echo "$as_me:$LINENO: checking if $CC supports -Wl,-z,now flag" >&5
+$as_echo_n "checking if $CC supports -Wl,-z,now flag... " >&6; }
+if test "${cc_cv_ldflags__Wl__z_now+set}" = set; then
+ $as_echo_n "(cached) " >&6
+else
+ ac_save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -Wl,-z,now"
+ cat >conftest.$ac_ext <<_ACEOF
+int main() { return 1; }
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ $as_test_x conftest$ac_exeext
+ }; then
+ eval "cc_cv_ldflags__Wl__z_now='yes'"
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "cc_cv_ldflags__Wl__z_now='no'"
+fi
+
+rm -rf conftest.dSYM
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS="$ac_save_LDFLAGS"
+
+fi
+{ $as_echo "$as_me:$LINENO: result: $cc_cv_ldflags__Wl__z_now" >&5
+$as_echo "$cc_cv_ldflags__Wl__z_now" >&6; }
+
+ if eval test x$cc_cv_ldflags__Wl__z_now = xyes; then
+ IMMEDIATE_LDFLAGS="-Wl,-z,now"
+fi
+
+
+
+
# Check whether --enable-default-build-tests was given.
if test "${enable_default_build_tests+set}" = set; then
enableval=$enable_default_build_tests;
@@ -6507,13 +6564,13 @@ if test "${lt_cv_nm_interface+set}" = set; then
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:6510: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:6567: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:6513: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:6570: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:6516: output\"" >&5)
+ (eval echo "\"\$as_me:6573: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
@@ -7715,7 +7772,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 7718 "configure"' > conftest.$ac_ext
+ echo '#line 7775 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -9380,11 +9437,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9383: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9440: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9387: \$? = $ac_status" >&5
+ echo "$as_me:9444: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -9719,11 +9776,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9722: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9779: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9726: \$? = $ac_status" >&5
+ echo "$as_me:9783: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -9824,11 +9881,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9827: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9884: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9831: \$? = $ac_status" >&5
+ echo "$as_me:9888: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -9879,11 +9936,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9882: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9939: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9886: \$? = $ac_status" >&5
+ echo "$as_me:9943: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -12682,7 +12739,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12685 "configure"
+#line 12742 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12778,7 +12835,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12781 "configure"
+#line 12838 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
diff --git a/configure.ac b/configure.ac
index 25cee57..690c2a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -114,6 +114,12 @@ CC_CHECK_LDFLAGS([${tmp_ldflag}],
[VERSIONING_LDFLAGS='-Wl,-version-script=$(srcdir)/map-file'])
AC_SUBST([VERSIONING_LDFLAGS])
+dnl Use immediate (now) bindings; avoids the funky re-call in itself
+dnl the -z now syntax is lifted from Sun's linker and works with GNU's too
+dnl other linkes might be added later
+CC_CHECK_LDFLAGS([-Wl,-z,now], [IMMEDIATE_LDFLAGS="-Wl,-z,now"])
+AC_SUBST([IMMEDIATE_LDFLAGS])
+
dnl Check whether to build tests by default (as compile-test) or not
AC_ARG_ENABLE([default-build-tests],
AS_HELP_STRING([--disable-default-build-tests], [Build test programs only during make check]))
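Review bot: When the linker rejects `-Wl,-z,now`, `IMMEDIATE_LDFLAGS` stays empty and configure carries on silently, so the daemon is built with lazy binding and nothing replaces the runtime LD_BIND_NOW re-exec that this same commit deletes from src/daemon/main.c. I would make that case visible right after the check, e.g. `AS_IF([test "x$IMMEDIATE_LDFLAGS" = x], [AC_MSG_WARN([linker lacks -z now; pulseaudio will use lazy binding])])`. As far as the visible lines show, the variable is also never cleared before the check, so a value inherited from the environment would be substituted unchanged; an `IMMEDIATE_LDFLAGS=` ahead of the `CC_CHECK_LDFLAGS` call avoids that. The `dnl` comment should say that this link-time flag replaces the self re-exec removed for CVE-2009-1894, and "linkes" should read "linkers".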
diff --git a/doxygen/Makefile.in b/doxygen/Makefile.in
index 961381b..0de5913 100644
--- a/doxygen/Makefile.in
+++ b/doxygen/Makefile.in
@@ -142,6 +142,7 @@ HAVE_POLKIT = @HAVE_POLKIT@
HAVE_SOLARIS = @HAVE_SOLARIS@
HAVE_UDEV = @HAVE_UDEV@
HAVE_X11 = @HAVE_X11@
+IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
diff --git a/man/Makefile.in b/man/Makefile.in
index 37fe469..1ed4590 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -152,6 +152,7 @@ HAVE_POLKIT = @HAVE_POLKIT@
HAVE_SOLARIS = @HAVE_SOLARIS@
HAVE_UDEV = @HAVE_UDEV@
HAVE_X11 = @HAVE_X11@
+IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
diff --git a/src/Makefile.am b/src/Makefile.am
index 0d4f53a..413cae1 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -153,9 +153,9 @@ PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
endif
if FORCE_PREOPEN
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
else
-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
endif
if HAVE_POLKIT
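Review bot: `$(IMMEDIATE_LDFLAGS)` is added to `pulseaudio_LDFLAGS` only, so it marks the daemon executable but not the libraries and modules it loads, whereas the code removed from main.c set LD_BIND_NOW for the whole process and gave deterministic use of external libraries in the RT threads as its reason. With glibc the now-binding flag is, as far as I know, honoured per object, so shared libraries and `-dlopen` modules linked without it probably still resolve symbols lazily. If that determinism still matters, the link flags of the modules and libraries (outside this hunk) need the same variable. Otherwise a comment above both assignments should state the narrower scope, for example `# -z now covers the pulseaudio binary only; loaded modules keep their own binding mode`.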
diff --git a/src/Makefile.in b/src/Makefile.in
index 784814c..a023b53 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -2152,6 +2152,7 @@ HAVE_POLKIT = @HAVE_POLKIT@
HAVE_SOLARIS = @HAVE_SOLARIS@
HAVE_UDEV = @HAVE_UDEV@
HAVE_X11 = @HAVE_X11@
+IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
@@ -2403,8 +2404,8 @@ pulseaudio_LDADD = $(AM_LDADD) libpulsecore- at PA_MAJORMINORMICRO@.la \
pulseaudio_DEPENDENCIES = libpulsecore- at PA_MAJORMINORMICRO@.la libpulsecommon- at PA_MAJORMINORMICRO@.la libpulse.la $(PREOPEN_LIBS)
@PREOPEN_MODS_FALSE at PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
@PREOPEN_MODS_TRUE at PREOPEN_LIBS = $(PREOPEN_MODS)
- at FORCE_PREOPEN_FALSE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
- at FORCE_PREOPEN_TRUE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+ at FORCE_PREOPEN_FALSE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+ at FORCE_PREOPEN_TRUE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
@HAVE_POLKIT_TRUE at policy_in_files = daemon/org.pulseaudio.policy.in
@HAVE_POLKIT_TRUE at policy_DATA = $(policy_in_files:.policy.in=.policy)
bin_SCRIPTS = esdcompat start-pulseaudio-x11 $(am__append_32)
diff --git a/src/daemon/main.c b/src/daemon/main.c
index c456e6d..4499ea3 100644
--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -399,28 +399,6 @@ int main(int argc, char *argv[]) {
pa_log_set_level(PA_LOG_NOTICE);
pa_log_set_flags(PA_LOG_COLORS|PA_LOG_PRINT_FILE|PA_LOG_PRINT_LEVEL, PA_LOG_RESET);
-#if defined(__linux__) && defined(__OPTIMIZE__)
- /*
- Disable lazy relocations to make usage of external libraries
- more deterministic for our RT threads. We abuse __OPTIMIZE__ as
- a check whether we are a debug build or not.
- */
-
- if (!getenv("LD_BIND_NOW")) {
- char *rp;
-
- /* We have to execute ourselves, because the libc caches the
- * value of $LD_BIND_NOW on initialization. */
-
- pa_set_env("LD_BIND_NOW", "1");
-
- if ((rp = pa_readlink("/proc/self/exe")))
- pa_assert_se(execv(rp, argv) == 0);
- else
- pa_log_warn("Couldn't read /proc/self/exe, cannot self execute. Running in a chroot()?");
- }
-#endif
-
#ifdef HAVE_GETUID
real_root = getuid() == 0;
suid_root = !real_root && geteuid() == 0;
--
pulseaudio packaging