Hi,

The 'lam' package uses the AC_LIBLTDL_CONVENIENCE macro, which forces the use of the bundled copy. It only supports --disable-ltdl-convenience, which just produces an error ("this package needs a convenience libltdl"). Note that this is a libtool 1.5 feature, not libtool 2 (where it's deprecated).

--without-included-ltdl (AC_WITH_LTDL) doesn't seem to be used:

$ grep -r included[_-]ltdl .
./share/libltdl/acinclude.m4:AC_ARG_WITH([included_ltdl],
./share/libltdl/acinclude.m4: [ --with-included-ltdl use the GNU ltdl sources included here])
./share/libltdl/acinclude.m4:if test "x$with_included_ltdl" != xyes; then
./share/libltdl/acinclude.m4: [with_included_ltdl=no],
./share/libltdl/acinclude.m4: [with_included_ltdl=yes])
./share/libltdl/acinclude.m4:if test "x$with_included_ltdl" = xno; then
./share/libltdl/acinclude.m4:AC_MSG_RESULT([$with_included_ltdl])

It's only present in the libltdl m4 file, which wasn't used in the various ./configure scripts.

The included copy is used in the SSI module:

$ find -name "*.[ch]" | xargs grep -r 'ltdl\.h'
./share/include/lam-ssi.h:/* Ensure to get the right <ltdl.h> */
./share/include/lam-ssi.h:#include <lam_ltdl.h>
./share/include/lam_ltdl.h:/* ltdl.h -- generic dlopen functions
./share/libltdl/ltdl.c:#include "ltdl.h"
./share/libltdl/ltdl.c: order as the enumerated indices in ltdl.h. */
./share/libltdl/ltdl.h:/* ltdl.h -- generic dlopen functions
./share/ssi/base/ssi_module_registry.c:#include <lam_ltdl.h>
./share/ssi/base/ssi_module_find.c:#include <lam_ltdl.h>
./share/ssi/crlam/self/src/ssi_crlam_self.c:#include <lam_ltdl.h>
./share/ssi/crmpi/self/src/ssi_crmpi_self.c:#include <lam_ltdl.h>

Note that lam_ltdl.h is a mere copy of ltdl.h.

The latest copyright years are 2000 and 2005 for ltdl.h and ltdl.c respectively, so I guess they are vulnerable.

To test whether the files are used during the build, one can use:

sed -i '1i#error do not use' share/include/lam_ltdl.h share/libltdl/ltdl.c share/libltdl/ltdl.h

So at first glance, we could either:
- use AC_LIBLTDL_INSTALLABLE instead of AC_LIBLTDL_CONVENIENCE, re-run autoconf, and remove the embedded copy for safety
- symlink lam_ltdl.h and ltdl.h to the system libltdl development files.

-- 
Sylvain
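As an added example (not from Sylvain's mail or from the lam sources), the following POSIX shell script automates the checks the mail walks through on a constructed lam-style tree: which libtool macro the configure sources use, which bundled ltdl files exist and their newest copyright year, whether a renamed header is a byte-for-byte copy of ltdl.h, and the '#error' poisoning that makes a build fail if it still compiles the bundled copy. The tree layout, file names and sample file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mail or the lam sources: audit a source tree for
# a bundled libltdl and optionally poison it so a build that compiles it fails.

# Build a constructed sample tree mimicking lam's layout; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/share/libltdl" "$t/share/include"
    printf 'AC_INIT\nAC_LIBLTDL_CONVENIENCE\nAC_OUTPUT\n' > "$t/configure.in"
    printf '/* ltdl.h -- generic dlopen functions\n   Copyright (C) 1998-2000 */\n' \
        > "$t/share/libltdl/ltdl.h"
    cp "$t/share/libltdl/ltdl.h" "$t/share/include/lam_ltdl.h"   # verbatim copy
    printf '/* Copyright (C) 2005 */\n#include "ltdl.h"\n' > "$t/share/libltdl/ltdl.c"
    echo "$t"
}

# Every bundled ltdl source under $1: ltdl.c, ltdl.h and renamed *_ltdl.h copies.
bundled_ltdl_files() {
    find "$1" -type f \( -name 'ltdl.[ch]' -o -name '*_ltdl.h' \) | sort
}

# Report the libtool macro in use, each bundled file with its newest copyright
# year, and renamed headers identical to ltdl.h. Exit 1 if the copy is forced.
audit_bundled_ltdl() {
    tree=$1; status=0
    conf=$(find "$tree" -type f \( -name 'configure.*' -o -name '*.m4' \))
    # /dev/null keeps grep from reading stdin when no configure sources exist
    if grep -q 'AC_LIBLTDL_CONVENIENCE' /dev/null $conf; then
        echo "forced: AC_LIBLTDL_CONVENIENCE (bundled libltdl always built)"; status=1
    elif grep -q 'AC_LIBLTDL_INSTALLABLE' /dev/null $conf; then
        echo "installable: system libltdl preferred when available"
    fi
    orig=$(find "$tree" -type f -name ltdl.h | head -n 1)
    for f in $(bundled_ltdl_files "$tree"); do
        year=$(grep -o '[12][0-9][0-9][0-9]' "$f" | sort -n | tail -n 1)
        echo "bundled: $f (newest year: ${year:-unknown})"
        case $f in
            *_ltdl.h) [ -n "$orig" ] && [ "$(cksum < "$f")" = "$(cksum < "$orig")" ] && echo "copy: $f is identical to $orig" ;;
        esac
    done
    return $status
}

# Prepend '#error' to each bundled file (portable form of the sed -i trick).
poison_bundled_ltdl() {
    for f in $(bundled_ltdl_files "$1"); do
        { echo '#error do not use'; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
    done
}
```

After poisoning, any compile of the bundled files aborts, so a build that succeeds proves the system libltdl is the one actually linked.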