Closed GoogleCodeExporter closed 9 years ago
The progress made in the original Gentoo bug report includes a patch to remove the bundled libltdl and use the system ltdl. However, some underquoted sections in the libfiretalk/firetalk.m4 script resulted in errors during configure. Applying both of the following patches will remove references to the bundled libltdl. It is necessary to run autoreconf after applying the patches to rebuild the configure script.
However, naim will still not build due to changes in the libltdl API.
Original comment by thewet...@gmail.com
on 16 Apr 2010 at 5:25
Attachments:
lt_dlopen is only called for user-initiated actions (/modload and /dlsym), and naim chdirs into the user's home directory during startup (and remains there throughout execution). No impact.
Original comment by nml...@gmail.com
on 16 Apr 2010 at 5:34
Further, naim should *not* be running suid...
I suspect that it may be worth it to transition to a system libltdl anyway, though. Is there a reason we still use a local libltdl, Dan?
Original comment by joshua.a...@gmail.com
on 16 Apr 2010 at 7:38
libltdl replaced:
lt_dlhandle_next(lt_dlhandle mod)
with:
lt_dlhandle_iterate(lt_dlinterface_id iface, lt_dlhandle mod)
And removed lt_dlforeach.
I moved the module system initialization code from main.c to conio.c to call lt_dlinit and lt_dlinterface_register. With lt_dlinterface_register, I also included a filter that requires modules to have naim_init and naim_exit functions; otherwise, a module called 'dlopen' appears in /modlist.
And I replaced the aforementioned removed functions with (hopefully) their functional equivalents.
Original comment by thewet...@gmail.com
on 16 Apr 2010 at 7:50
Attachments:
Among other issues, this thread seems to indicate ltdl has broken backwards compatibility, so we'd have to include build-time conditional logic. I don't see any compelling reason for such an invasive change in such a minor component of the program.
(And the threat wasn't necessarily for people running naim suid--obviously that could cause all sorts of issues--but if an attacker could get you to run naim from a directory they controlled, and naim tried to open a system library by name instead of path, ltdl would load the attacker's library instead of the system library.)
Original comment by nml...@gmail.com
on 16 Apr 2010 at 8:07
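The scenario in the comment above (a library opened by name and resolved from an attacker-controlled working directory) can be closed off by vetting a module path before it reaches lt_dlopen. The following is an added example, not code from naim, libltdl or any commenter; module_path_ok and not_replaceable are hypothetical names, and the policy (absolute path only, owned by root or the current user, no group/other write on the file or its directory) is an assumption.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath() under strict -std modes */
#endif
#include <libgen.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: true when only root or the current user could
 * have written (or could replace) the object described by st. */
static int not_replaceable(const struct stat *st)
{
    return (st->st_uid == 0 || st->st_uid == geteuid())
        && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical pre-check for a user-supplied module name.
 * Returns 1 and stores the canonical path in resolved (PATH_MAX bytes)
 * when the path may be handed to the loader, 0 otherwise. */
int module_path_ok(const char *name, char *resolved)
{
    char dirbuf[PATH_MAX];
    struct stat st;

    /* Bare names and relative paths are what trigger a search that
     * can end in the current directory, so refuse them outright. */
    if (name == NULL || name[0] != '/')
        return 0;
    /* Canonicalise: resolves symlinks and ".." components. */
    if (realpath(name, resolved) == NULL)
        return 0;
    if (stat(resolved, &st) != 0 || !S_ISREG(st.st_mode)
        || !not_replaceable(&st))
        return 0;
    /* The containing directory must not let others swap the file.
     * Assumption: ancestor directories are not checked here. */
    strncpy(dirbuf, resolved, sizeof dirbuf - 1);
    dirbuf[sizeof dirbuf - 1] = '\0';
    if (stat(dirname(dirbuf), &st) != 0 || !not_replaceable(&st))
        return 0;
    return 1;
}
```

A caller would pass the canonical path written to resolved, not the original string, to the loader, so that the file checked is the file opened.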
Because it is a huge pain to maintain naim on a system with a new libtool
without this (in particular, you can't build with the old libtool on OS X
Lion), I'm integrating this as I push forward. Thanks for the patch -- and
tell whoever made that compat break in libtool that they can perish in a
conflagration.
Original comment by joshua.a...@gmail.com
on 25 Jul 2011 at 8:53
This has been integrated into the latest snapshot.
Original comment by joshua.a...@gmail.com
on 10 Sep 2011 at 11:25
Original issue reported on code.google.com by
thewet...@gmail.com
on 16 Apr 2010 at 5:19