Bug#559827: siproxd Re: Bug#559827: CVE-2009-3736 update

Mark Purcell msp at debian.org
Fri Feb 19 22:37:39 UTC 2010


On Sunday 13 December 2009 10:07:00 you wrote:
> It has come to my attention that a lot of maintainers are simply adding
> a build-depends on libltdl3-dev to try to solve this problem.  This is
> not a sufficient solution since your package will still use the
> embedded libtool code copy.  You need to add '--without-included-ltdl'
> to your configure arguments to do this right.

Michael,

Thanks for surfacing this issue, I have forwarded the issue upstream as you may have seen from my earlier email.

One issue is that for '--without-included-ltdl' to work, it needs to be supported in the configure script, which in a lot of cases it isn't :-(

I have been reviewing a few packages which rdepend on libltdl7 to see how they have set up configure to address this issue.

Something like:

configure.ac:
dnl
dnl Check for libltdl
dnl
AC_CHECK_LIB([ltdl],[lt_dlinit],,
                [AC_MSG_ERROR([[libltdl not found]])])

Will perform the check, but then things get complicated in terms of changing paths, ensuring that the embedded copy doesn't get built/linked against.

Do you have any code snippets from best practice for using the system provided libltdl?

Thanks,
Mark
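
Added example, not part of the original message or of any package discussed in it: a shell check that reports whether an unpacked source tree still carries an embedded libltdl copy, whether its configure script has the '--with-included-ltdl' switch at all, and whether debian/rules passes '--without-included-ltdl'. It assumes a configure generated with libtool 2's ltdl macros (which emit a with_included_ltdl variable); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_ltdl <srcdir> exit status:
#   0  no embedded copy, or debian/rules disables it
#   1  embedded copy; configure can disable it but debian/rules does not ask
#   2  embedded copy; configure has no --with-included-ltdl switch at all
audit_ltdl() {
    src=$1
    # An embedded copy shows up as ltdl.c somewhere in the tree (usually libltdl/).
    copies=$(find "$src" -type f -name ltdl.c 2>/dev/null)
    if [ -z "$copies" ]; then
        echo "OK: no embedded ltdl.c under $src"
        return 0
    fi
    echo "embedded libltdl source:"
    echo "$copies" | sed 's/^/  /'
    # Assumption: libtool 2's ltdl macros put with_included_ltdl into configure.
    if ! grep -qs 'with_included_ltdl' "$src/configure"; then
        echo "FAIL: configure has no --with-included-ltdl switch; patch configure.ac"
        return 2
    fi
    # The switch exists; a build-depends alone is not enough, the flag must be passed.
    if grep -qs -e '--without-included-ltdl' "$src/debian/rules"; then
        echo "OK: debian/rules passes --without-included-ltdl"
        return 0
    fi
    echo "WARN: debian/rules does not pass --without-included-ltdl"
    return 1
}

# Constructed sample tree (not a real package):
# make_sample <dir> <configure has switch: yes|no> <rules pass flag: yes|no>
make_sample() {
    mkdir -p "$1/libltdl" "$1/debian"
    : > "$1/libltdl/ltdl.c"
    if [ "$2" = yes ]; then echo 'with_included_ltdl=yes' > "$1/configure"
    else echo '# no ltdl option' > "$1/configure"; fi
    if [ "$3" = yes ]; then echo './configure --without-included-ltdl' > "$1/debian/rules"
    else echo './configure' > "$1/debian/rules"; fi
}

# Stand-alone use: sh audit_ltdl.sh /path/to/unpacked/source
if [ $# -gt 0 ]; then audit_ltdl "$1"; fi
```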