parent: 93b2fc4
author:    Sebastian Harl <sh@tokkee.org>  Sat, 26 Dec 2009 10:01:29 +0000 (11:01 +0100)
committer: Sebastian Harl <sh@tokkee.org>  Sat, 26 Dec 2009 10:01:29 +0000 (11:01 +0100)
This makes collectd resistant against copies of libltdl affected by
CVE-2009-3736. This fixes a potential but very unlikely security issue, e.g.
found in the embedded copy. For details about how collectd might be affected,
see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559801#15>.
Thanks to Michael Gilbert for reporting this!
Closes: #559801
debian/changelog
debian/patches/00list
debian/patches/bts559801_plugin_find_fix.dpatch [new file with mode: 0644]
diff --git a/debian/changelog b/debian/changelog
index b2eacffc46b7df27a8e63f7c57b13c2b6a06f7e6..f60b86e6b0f4704a001ddcdc094067118ea7a438 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
- Added bts557599_powerdns_fix.dpatch -- fixed communication to pdns
versions 2.9.22 and above; thanks to <tm@iprog.com> for reporting this
and Luke Heberling for providing the patch (Closes: #557599).
+ - Added bts559801_plugin_find_fix.dpatch -- make collectd resistant
+ against copies of libltdl affected by CVE-2009-3736. This fixes a
+ potential but very unlikely security issue, e.g. found in the embedded
+ copy. For details about how collectd might be affected, see
+ <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559801#15>; thanks to
+ Michael Gilbert for reporting this (Closes: #559801).
* debian/rules:
- Pass --without-included-ltdl to configure to tell libtool 2 to not use
- the shipped libltdl but rather the one available in the system. This
- fixes a potential but very unlikely security issue of the embedded copy
- (see CVE-2009-3736). For details about how collectd might be affected,
- see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559801#15>; thanks
- to Michael Gilbert for reporting this (Closes: #559801).
+ the shipped libltdl but rather the one available in the system. Thus,
+ in the future, libltdl related issues do no longer require updated
+ collectd packages.
- Pass --disable-static to configure to tell libtool 2 to not build any
static libraries.
- Install debian/collectd.conf as an example into "collectd-core".
* debian/README.Debian:
- Added a short explanation of the package split.
- -- Sebastian Harl <tokkee@debian.org> Fri, 25 Dec 2009 20:41:02 +0100
+ -- Sebastian Harl <tokkee@debian.org> Sat, 26 Dec 2009 10:54:18 +0100
collectd (4.8.1-2) unstable; urgency=low
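Review bot: in the rewritten debian/rules bullet, "libltdl related issues do no longer require updated collectd packages" is not idiomatic; suggest "libltdl-related issues no longer require updated collectd packages". Moving the CVE-2009-3736 wording and the Closes: #559801 out of the rules bullet and into the new dpatch bullet is right, since the bug should be closed by exactly one entry, but the rules bullet has lost its rationale in the process; one clause saying that the system libltdl is the copy that receives security updates would keep it self-explanatory.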
diff --git a/debian/patches/00list b/debian/patches/00list
index 25c8ff14b660211bc77f7a2e05d6175ee2c32188..c3fbc669cff660a94d434366b72ac79e8afdbc49 100644 (file)
--- a/debian/patches/00list
+++ b/debian/patches/00list
collection_conf_path.dpatch
bts561577_collectd2html_recursive_fix.dpatch
bts557599_powerdns_fix.dpatch
+bts559801_plugin_find_fix.dpatch
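Review bot: appending bts559801_plugin_find_fix.dpatch as the last entry is fine: dpatch applies patches in listed order, and none of the earlier names suggests a patch touching src/plugin.c, so no ordering dependency is visible here. If one of them did touch that file, this patch would have to stay listed after it so that its hunk context still applies.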
diff --git a/debian/patches/bts559801_plugin_find_fix.dpatch b/debian/patches/bts559801_plugin_find_fix.dpatch
--- /dev/null
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## bts559801_plugin_find_fix.dpatch by Sebastian Harl <sh@tokkee.org>
+##
+## DP: plugin: Use strcasecmp rather than strncasecmp to find a plugin.
+## DP:
+## DP: This makes collectd resistant against vulnerable copies of libltdl
+## DP: (CVE-2009-3736).
+## DP: See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559801#15>
+## DP: for details.
+
+@DPATCH@
+
+diff a/src/plugin.c b/src/plugin.c
+--- a/src/plugin.c
++++ b/src/plugin.c
+@@ -572,7 +572,7 @@ int plugin_load (const char *type)
+
+ while ((de = readdir (dh)) != NULL)
+ {
+- if (strncasecmp (de->d_name, typename, typename_len))
++ if (strcasecmp (de->d_name, typename))
+ continue;
+
+ status = ssnprintf (filename, sizeof (filename),
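Review bot: the one-line change is correct for the stated goal: with strncasecmp bounded by typename_len, any directory entry whose name merely begins with typename was accepted and handed to the loader, so a stray file with extra characters after the expected name could be picked up; strcasecmp only accepts an entry whose whole name matches, which is what the DP: header promises. Two follow-ups: typename_len is no longer referenced in this hunk, so if nothing else in plugin_load uses it the patch should drop its declaration and assignment to avoid an unused-variable warning under -Wall; and the comparison stays case-insensitive, so on a case-sensitive filesystem two entries differing only in case both match and the first one readdir returns wins, which is the same behaviour as before but worth a sentence in the DP: description.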