[Pkg-pulseaudio-devel] [SCM] pulseaudio packaging branch, master, updated. debian/0.9.15-3-4-gcabac9c
sjoerd at users.alioth.debian.org
sjoerd at users.alioth.debian.org
Sun Jul 26 13:05:38 UTC 2009
The branch, master has been updated
via cabac9c07b2198862cf5db79344f4d454e63934a (commit)
via 77b1fd9d5b0831bdf50dbbc252eda47c36e26c3c (commit)
from e09120731e16b7af862f0d91848ba4e4b5f4661a (commit)
- Shortlog ------------------------------------------------------------
cabac9c Import NMU for 537351
77b1fd9 Imported Debian patch 0.9.15-4.1
Summary of changes:
debian/changelog | 17 ++
debian/patches/0029-CVE-2009-1894.patch | 303 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 321 insertions(+), 0 deletions(-)
-----------------------------------------------------------------------
Details of changes:
commit cabac9c07b2198862cf5db79344f4d454e63934a
Author: Sjoerd Simons <sjoerd at debian.org>
Date: Sun Jul 26 15:03:46 2009 +0200
Import NMU for 537351
diff --git a/debian/changelog b/debian/changelog
index e58936e..50a66ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+pulseaudio (0.9.15-4.2) UNRELEASED; urgency=low
+
+ * Import NMU fix (Closes: #537351)
+
+ -- Sjoerd Simons <sjoerd at debian.org> Sun, 26 Jul 2009 15:02:57 +0200
+
pulseaudio (0.9.15-4.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
commit 77b1fd9d5b0831bdf50dbbc252eda47c36e26c3c
Author: Nico Golde <nion at debian.org>
Date: Fri Jul 24 18:02:24 2009 +0200
Imported Debian patch 0.9.15-4.1
diff --git a/debian/changelog b/debian/changelog
index d81c79f..e58936e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+pulseaudio (0.9.15-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix race condition when reading /proc/self/exe and reloading the binary
+ that leads to arbitrary code execution as pulseaudio is suid root
+ + Use LDFLAGS to preload DSOs
+ + regenerate autofoo
+ (CVE-2009-1894; Closes: #537351).
+
+ -- Nico Golde <nion at debian.org> Fri, 24 Jul 2009 18:02:24 +0200
+
pulseaudio (0.9.15-4) unstable; urgency=low
* Synchronize our patches with Mandriva and Fedora (thanks to Colin Guthrie
diff --git a/debian/patches/0029-CVE-2009-1894.patch b/debian/patches/0029-CVE-2009-1894.patch
new file mode 100644
index 0000000..ec9e757
--- /dev/null
+++ b/debian/patches/0029-CVE-2009-1894.patch
@@ -0,0 +1,303 @@
+diff -Nurad pulseaudio-0.9.15.orig/configure pulseaudio-0.9.15/configure
+--- pulseaudio-0.9.15.orig/configure 2009-07-24 15:56:20.000000000 +0200
++++ pulseaudio-0.9.15/configure 2009-07-24 15:58:41.000000000 +0200
+@@ -991,6 +991,7 @@
+ AS
+ BUILD_TESTS_DEFAULT_FALSE
+ BUILD_TESTS_DEFAULT_TRUE
++IMMEDIATE_LDFLAGS
+ VERSIONING_LDFLAGS
+ M4
+ EGREP
+@@ -5624,6 +5625,62 @@
+
+
+
++
++ { $as_echo "$as_me:$LINENO: checking if $CC supports -Wl,-z,now flag" >&5
++$as_echo_n "checking if $CC supports -Wl,-z,now flag... " >&6; }
++if test "${cc_cv_ldflags__Wl__z_now+set}" = set; then
++ $as_echo_n "(cached) " >&6
++else
++ ac_save_LDFLAGS="$LDFLAGS"
++ LDFLAGS="$LDFLAGS -Wl,-z,now"
++ cat >conftest.$ac_ext <<_ACEOF
++int main() { return 1; }
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (ac_try="$ac_link"
++case "(($ac_try" in
++ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
++ *) ac_try_echo=$ac_try;;
++esac
++eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
++$as_echo "$ac_try_echo") >&5
++ (eval "$ac_link") 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } && {
++ test -z "$ac_c_werror_flag" ||
++ test ! -s conftest.err
++ } && test -s conftest$ac_exeext && {
++ test "$cross_compiling" = yes ||
++ $as_test_x conftest$ac_exeext
++ }; then
++ eval "cc_cv_ldflags__Wl__z_now='yes'"
++else
++ $as_echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ eval "cc_cv_ldflags__Wl__z_now='no'"
++fi
++
++rm -rf conftest.dSYM
++rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
++ conftest$ac_exeext conftest.$ac_ext
++ LDFLAGS="$ac_save_LDFLAGS"
++
++fi
++{ $as_echo "$as_me:$LINENO: result: $cc_cv_ldflags__Wl__z_now" >&5
++$as_echo "$cc_cv_ldflags__Wl__z_now" >&6; }
++
++ if eval test x$cc_cv_ldflags__Wl__z_now = xyes; then
++ IMMEDIATE_LDFLAGS="-Wl,-z,now"
++fi
++
++
++
++
+ # Check whether --enable-default-build-tests was given.
+ if test "${enable_default_build_tests+set}" = set; then
+ enableval=$enable_default_build_tests;
+@@ -6507,13 +6564,13 @@
+ else
+ lt_cv_nm_interface="BSD nm"
+ echo "int some_variable = 0;" > conftest.$ac_ext
+- (eval echo "\"\$as_me:6510: $ac_compile\"" >&5)
++ (eval echo "\"\$as_me:6567: $ac_compile\"" >&5)
+ (eval "$ac_compile" 2>conftest.err)
+ cat conftest.err >&5
+- (eval echo "\"\$as_me:6513: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
++ (eval echo "\"\$as_me:6570: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
+ cat conftest.err >&5
+- (eval echo "\"\$as_me:6516: output\"" >&5)
++ (eval echo "\"\$as_me:6573: output\"" >&5)
+ cat conftest.out >&5
+ if $GREP 'External.*some_variable' conftest.out > /dev/null; then
+ lt_cv_nm_interface="MS dumpbin"
+@@ -7715,7 +7772,7 @@
+ ;;
+ *-*-irix6*)
+ # Find out which ABI we are using.
+- echo '#line 7718 "configure"' > conftest.$ac_ext
++ echo '#line 7775 "configure"' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+@@ -9380,11 +9437,11 @@
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+- (eval echo "\"\$as_me:9383: $lt_compile\"" >&5)
++ (eval echo "\"\$as_me:9440: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+- echo "$as_me:9387: \$? = $ac_status" >&5
++ echo "$as_me:9444: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+@@ -9719,11 +9776,11 @@
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+- (eval echo "\"\$as_me:9722: $lt_compile\"" >&5)
++ (eval echo "\"\$as_me:9779: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+- echo "$as_me:9726: \$? = $ac_status" >&5
++ echo "$as_me:9783: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+@@ -9824,11 +9881,11 @@
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+- (eval echo "\"\$as_me:9827: $lt_compile\"" >&5)
++ (eval echo "\"\$as_me:9884: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+- echo "$as_me:9831: \$? = $ac_status" >&5
++ echo "$as_me:9888: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+@@ -9879,11 +9936,11 @@
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+- (eval echo "\"\$as_me:9882: $lt_compile\"" >&5)
++ (eval echo "\"\$as_me:9939: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+- echo "$as_me:9886: \$? = $ac_status" >&5
++ echo "$as_me:9943: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+@@ -12682,7 +12739,7 @@
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<_LT_EOF
+-#line 12685 "configure"
++#line 12742 "configure"
+ #include "confdefs.h"
+
+ #if HAVE_DLFCN_H
+@@ -12778,7 +12835,7 @@
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<_LT_EOF
+-#line 12781 "configure"
++#line 12838 "configure"
+ #include "confdefs.h"
+
+ #if HAVE_DLFCN_H
+diff -Nurad pulseaudio-0.9.15.orig/configure.ac pulseaudio-0.9.15/configure.ac
+--- pulseaudio-0.9.15.orig/configure.ac 2009-07-24 15:56:21.000000000 +0200
++++ pulseaudio-0.9.15/configure.ac 2009-07-24 15:56:55.000000000 +0200
+@@ -114,6 +114,12 @@
+ [VERSIONING_LDFLAGS='-Wl,-version-script=$(srcdir)/map-file'])
+ AC_SUBST([VERSIONING_LDFLAGS])
+
++dnl Use immediate (now) bindings; avoids the funky re-call in itself
++dnl the -z now syntax is lifted from Sun's linker and works with GNU's too
++dnl other linkes might be added later
++CC_CHECK_LDFLAGS([-Wl,-z,now], [IMMEDIATE_LDFLAGS="-Wl,-z,now"])
++AC_SUBST([IMMEDIATE_LDFLAGS])
++
+ dnl Check whether to build tests by default (as compile-test) or not
+ AC_ARG_ENABLE([default-build-tests],
+ AS_HELP_STRING([--disable-default-build-tests], [Build test programs only during make check]))
+diff -Nurad pulseaudio-0.9.15.orig/doxygen/Makefile.in pulseaudio-0.9.15/doxygen/Makefile.in
+--- pulseaudio-0.9.15.orig/doxygen/Makefile.in 2009-07-24 15:56:21.000000000 +0200
++++ pulseaudio-0.9.15/doxygen/Makefile.in 2009-07-24 16:00:06.000000000 +0200
+@@ -142,6 +142,7 @@
+ HAVE_SOLARIS = @HAVE_SOLARIS@
+ HAVE_UDEV = @HAVE_UDEV@
+ HAVE_X11 = @HAVE_X11@
++IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+diff -Nurad pulseaudio-0.9.15.orig/Makefile.in pulseaudio-0.9.15/Makefile.in
+--- pulseaudio-0.9.15.orig/Makefile.in 2009-07-24 15:56:21.000000000 +0200
++++ pulseaudio-0.9.15/Makefile.in 2009-07-24 16:00:09.000000000 +0200
+@@ -63,8 +63,8 @@
+ $(srcdir)/libpulse-simple.pc.in $(srcdir)/libpulse.pc.in \
+ $(srcdir)/shave-libtool.in $(srcdir)/shave.in \
+ $(top_srcdir)/configure $(top_srcdir)/src/pulse/version.h.in \
+- ABOUT-NLS compile config.guess config.rpath config.sub depcomp \
+- install-sh ltmain.sh missing
++ ABOUT-NLS ChangeLog compile config.guess config.rpath \
++ config.sub depcomp install-sh ltmain.sh missing
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+ am__aclocal_m4_deps = $(top_srcdir)/m4/acx_libwrap.m4 \
+ $(top_srcdir)/m4/acx_lirc.m4 $(top_srcdir)/m4/acx_pthread.m4 \
+@@ -191,6 +191,7 @@
+ HAVE_SOLARIS = @HAVE_SOLARIS@
+ HAVE_UDEV = @HAVE_UDEV@
+ HAVE_X11 = @HAVE_X11@
++IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+diff -Nurad pulseaudio-0.9.15.orig/man/Makefile.in pulseaudio-0.9.15/man/Makefile.in
+--- pulseaudio-0.9.15.orig/man/Makefile.in 2009-07-24 15:56:20.000000000 +0200
++++ pulseaudio-0.9.15/man/Makefile.in 2009-07-24 16:00:06.000000000 +0200
+@@ -152,6 +152,7 @@
+ HAVE_SOLARIS = @HAVE_SOLARIS@
+ HAVE_UDEV = @HAVE_UDEV@
+ HAVE_X11 = @HAVE_X11@
++IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+diff -Nurad pulseaudio-0.9.15.orig/src/daemon/main.c pulseaudio-0.9.15/src/daemon/main.c
+--- pulseaudio-0.9.15.orig/src/daemon/main.c 2009-07-24 15:56:21.000000000 +0200
++++ pulseaudio-0.9.15/src/daemon/main.c 2009-07-24 15:58:28.000000000 +0200
+@@ -399,28 +399,6 @@
+ pa_log_set_level(PA_LOG_NOTICE);
+ pa_log_set_flags(PA_LOG_COLORS|PA_LOG_PRINT_FILE|PA_LOG_PRINT_LEVEL, PA_LOG_RESET);
+
+-#if defined(__linux__) && defined(__OPTIMIZE__)
+- /*
+- Disable lazy relocations to make usage of external libraries
+- more deterministic for our RT threads. We abuse __OPTIMIZE__ as
+- a check whether we are a debug build or not.
+- */
+-
+- if (!getenv("LD_BIND_NOW")) {
+- char *rp;
+-
+- /* We have to execute ourselves, because the libc caches the
+- * value of $LD_BIND_NOW on initialization. */
+-
+- pa_set_env("LD_BIND_NOW", "1");
+-
+- if ((rp = pa_readlink("/proc/self/exe")))
+- pa_assert_se(execv(rp, argv) == 0);
+- else
+- pa_log_warn("Couldn't read /proc/self/exe, cannot self execute. Running in a chroot()?");
+- }
+-#endif
+-
+ #ifdef HAVE_GETUID
+ real_root = getuid() == 0;
+ suid_root = !real_root && geteuid() == 0;
+diff -Nurad pulseaudio-0.9.15.orig/src/Makefile.am pulseaudio-0.9.15/src/Makefile.am
+--- pulseaudio-0.9.15.orig/src/Makefile.am 2009-07-24 15:56:20.000000000 +0200
++++ pulseaudio-0.9.15/src/Makefile.am 2009-07-24 15:57:53.000000000 +0200
+@@ -153,9 +153,9 @@
+ endif
+
+ if FORCE_PREOPEN
+-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
++pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+ else
+-pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
++pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+ endif
+
+ if HAVE_POLKIT
+diff -Nurad pulseaudio-0.9.15.orig/src/Makefile.in pulseaudio-0.9.15/src/Makefile.in
+--- pulseaudio-0.9.15.orig/src/Makefile.in 2009-07-24 15:56:21.000000000 +0200
++++ pulseaudio-0.9.15/src/Makefile.in 2009-07-24 16:00:09.000000000 +0200
+@@ -2152,6 +2152,7 @@
+ HAVE_SOLARIS = @HAVE_SOLARIS@
+ HAVE_UDEV = @HAVE_UDEV@
+ HAVE_X11 = @HAVE_X11@
++IMMEDIATE_LDFLAGS = @IMMEDIATE_LDFLAGS@
+ INSTALL = @INSTALL@
+ INSTALL_DATA = @INSTALL_DATA@
+ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+@@ -2403,8 +2404,8 @@
+ pulseaudio_DEPENDENCIES = libpulsecore- at PA_MAJORMINORMICRO@.la libpulsecommon- at PA_MAJORMINORMICRO@.la libpulse.la $(PREOPEN_LIBS)
+ @PREOPEN_MODS_FALSE at PREOPEN_LIBS = $(modlibexec_LTLIBRARIES)
+ @PREOPEN_MODS_TRUE at PREOPEN_LIBS = $(PREOPEN_MODS)
+- at FORCE_PREOPEN_FALSE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
+- at FORCE_PREOPEN_TRUE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
++ at FORCE_PREOPEN_FALSE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlopen force $(foreach f,$(PREOPEN_LIBS),-dlopen $(f))
++ at FORCE_PREOPEN_TRUE@pulseaudio_LDFLAGS = $(AM_LDFLAGS) $(BINLDFLAGS) $(IMMEDIATE_LDFLAGS) -dlpreopen force $(foreach f,$(PREOPEN_LIBS),-dlpreopen $(f))
+ @HAVE_POLKIT_TRUE at policy_in_files = daemon/org.pulseaudio.policy.in
+ @HAVE_POLKIT_TRUE at policy_DATA = $(policy_in_files:.policy.in=.policy)
+ bin_SCRIPTS = esdcompat start-pulseaudio-x11 $(am__append_32)
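Review bot: In the configure.ac part of this patch, `CC_CHECK_LDFLAGS([-Wl,-z,now], [IMMEDIATE_LDFLAGS="-Wl,-z,now"])` has no not-found action, so when the linker rejects the flag `IMMEDIATE_LDFLAGS` stays empty and the build silently falls back to lazy binding now that the self-exec block in src/daemon/main.c is gone. That does not bring CVE-2009-1894 back, since the re-exec through /proc/self/exe is what gets removed, but it drops the eager binding the deleted comment wanted for the RT threads without any diagnostic. If the macro accepts a third argument (its definition is not part of this patch), I would add `[AC_MSG_WARN([linker lacks -z now, pulseaudio will use lazy binding])]` and confirm on the built binary that `readelf -d` reports `BIND_NOW`. The hand-written change is confined to configure.ac, src/Makefile.am and src/daemon/main.c; the configure and Makefile.in sections are regenerated output and also pick up an unrelated `ChangeLog` entry in the top-level Makefile.in file list, which makes the security-relevant part harder to audit. The new dnl comment also has a typo: `other linkes` should read `other linkers`.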
diff --git a/debian/patches/series b/debian/patches/series
index 0e0d2b5..3ed0723 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@
0026-sample-fix-build-on-BE-archs.patch
0027-alsa-properly-convert-return-values-of-snd_strerror-.patch
0028-alsa-remove-debug-code.patch
+0029-CVE-2009-1894.patch
diff --git a/debian/pulseaudio.init b/debian/pulseaudio.init
old mode 100755
new mode 100644
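Review bot: The mode change on debian/pulseaudio.init from 100755 to 100644 is not mentioned in either changelog entry and looks like a side effect of importing the NMU source diff, which presumably does not carry file modes, rather than an intended change. Which of the two commits introduces it cannot be told from this mail. If the packaging installs the script through a helper that sets the mode itself the built package is unaffected, but I would restore the executable bit in the repository or state the change in the commit message, so that a security import does not carry an unexplained permission change.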
--
pulseaudio packaging