From: Sebastian Harl
Date: Sat, 26 Dec 2009 10:01:29 +0000 (+0100)
Subject: patches: Added bts559801_plugin_find_fix.dpatch.
X-Git-Tag: collectd-4.8.2-1~6
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=7b7bd645623ddf2cf2f91c982b9793e88cf38732;p=pkg-collectd.git

patches: Added bts559801_plugin_find_fix.dpatch.

This makes collectd resistant against copies of libltdl affected by CVE-2009-3736. This fixes a potential but very unlikely security issue, e.g. found in the embedded copy. For details about how collectd might be affected, see . Thanks to Michael Gilbert for reporting this!

Closes: #559801
---
diff --git a/debian/changelog b/debian/changelog index b2eacff..f60b86e 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -44,13 +44,17 @@ collectd (4.8.2-1) unstable; urgency=low - Added bts557599_powerdns_fix.dpatch -- fixed communication to pdns versions 2.9.22 and above; thanks to for reporting this and Luke Heberling for providing the patch (Closes: #557599). + - Added bts559801_plugin_find_fix.dpatch -- make collectd resistant + against copies of libltdl affected by CVE-2009-3736. This fixes a + potential but very unlikely security issue, e.g. found in the embedded + copy. For details about how collectd might be affected, see + ; thanks to + Michael Gilbert for reporting this (Closes: #559801). * debian/rules: - Pass --without-included-ltdl to configure to tell libtool 2 to not use - the shipped libltdl but rather the one available in the system. This - fixes a potential but very unlikely security issue of the embedded copy - (see CVE-2009-3736). For details about how collectd might be affected, - see ; thanks - to Michael Gilbert for reporting this (Closes: #559801). + the shipped libltdl but rather the one available in the system. Thus, + in the future, libltdl related issues do no longer require updated + collectd packages. - Pass --disable-static to configure to tell libtool 2 to not build any static libraries. - Install debian/collectd.conf as an example into "collectd-core". @@ -59,7 +63,7 @@ collectd (4.8.2-1) unstable; urgency=low * debian/README.Debian: - Added a short explanation of the package split. - -- Sebastian Harl Fri, 25 Dec 2009 20:41:02 +0100 + -- Sebastian Harl Sat, 26 Dec 2009 10:54:18 +0100 collectd (4.8.1-2) unstable; urgency=low diff --git a/debian/patches/00list b/debian/patches/00list index 25c8ff1..c3fbc66 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -2,4 +2,5 @@ rrd_filter_path.dpatch collection_conf_path.dpatch bts561577_collectd2html_recursive_fix.dpatch bts557599_powerdns_fix.dpatch +bts559801_plugin_find_fix.dpatch 
diff --git a/debian/patches/bts559801_plugin_find_fix.dpatch b/debian/patches/bts559801_plugin_find_fix.dpatch new file mode 100644 index 0000000..bd0856a --- /dev/null +++ b/debian/patches/bts559801_plugin_find_fix.dpatch @@ -0,0 +1,24 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## bts559801_plugin_find_fix.dpatch by Sebastian Harl +## +## DP: plugin: Use strcasecmp rather than strncasecmp to find a plugin. +## DP: +## DP: This makes collectd resistant against vulnerable copies of libltdl +## DP: (CVE-2009-3736). +## DP: See +## DP: for details. + +@DPATCH@ + +diff a/src/plugin.c b/src/plugin.c +--- a/src/plugin.c ++++ b/src/plugin.c +@@ -572,7 +572,7 @@ int plugin_load (const char *type) + + while ((de = readdir (dh)) != NULL) + { +- if (strncasecmp (de->d_name, typename, typename_len)) ++ if (strcasecmp (de->d_name, typename)) + continue; + + status = ssnprintf (filename, sizeof (filename),
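Review bot: In the debian/rules entry of the first debian/changelog hunk, the added line "in the future, libltdl related issues do no longer require updated collectd packages" should read "libltdl-related issues no longer require updated collectd packages" ("do no longer" is not idiomatic, and the compound adjective wants a hyphen). The CVE-2009-3736 paragraph that moves into the new dpatch entry still says the issue is "e.g. found in the embedded copy", yet the very next entry explains that --without-included-ltdl stops the build from using that embedded copy; consider stating explicitly that the dpatch guards against an affected system libltdl as well, since that is the only copy the package links against after this change.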
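Review bot: In the src/plugin.c hunk inside the new dpatch, typename_len is no longer referenced anywhere in the visible loop once the strncasecmp call is gone; if the rest of plugin_load() does not use it either, drop its computation in the same dpatch so the build stays clean under -Wunused-variable. The semantics of the one-line change are right for the stated goal: strncasecmp (de->d_name, typename, typename_len) accepted every directory entry whose name merely begins with the expected file name, with readdir() order deciding which of them got formatted into filename, whereas strcasecmp (de->d_name, typename) only accepts an entry whose whole name equals typename up to case. The DP: header would be easier to audit later if it said this in one sentence instead of only pointing at the CVE, e.g. "DP: Only an exact (case-insensitive) file name match is accepted now; prefix matches could pick up stray files in the plugin directory."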
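The one-line change above swaps a prefix test for an exact test. The following added example (written for this page, not collectd's own code) runs both policies over a constructed directory listing so the difference is visible; it assumes only that typename holds the file name collectd expects, e.g. "cpu.so" (how plugin_load() builds typename is outside the visible hunk), and the names in the listing are made up for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed directory listing standing in for the readdir() results of a
 * plugin directory. The names are invented for the example; none of them is
 * claimed to exist in a real collectd installation. */
static const char *const listing[] = {
    "cpu.so",
    "CPU.SO",
    "cpu.so.la",
    "cpu.so.orig",
    "cpufreq.so",
    "cpu.la",
    "cpu",
    "load.so",
};
#define LISTING_LEN (sizeof listing / sizeof listing[0])

/* Apply one of the two matching policies from the plugin_load() loop to the
 * listing. typename is the expected file name (e.g. "cpu.so"); exact == 0
 * reproduces the old strncasecmp prefix test, exact != 0 the new strcasecmp
 * test. Accepted names are written to out (at most max of them) and the
 * total number of accepted entries is returned. */
size_t match_entries(const char *typename, int exact,
                     const char **out, size_t max)
{
    size_t typename_len = strlen(typename);
    size_t n = 0;

    for (size_t i = 0; i < LISTING_LEN; i++) {
        const char *d_name = listing[i];
        int mismatch = exact
            ? strcasecmp(d_name, typename)
            : strncasecmp(d_name, typename, typename_len);
        if (mismatch)
            continue;           /* same "continue" as in plugin_load() */
        if (n < max)
            out[n] = d_name;
        n++;
    }
    return n;
}

/* Number of listing entries a policy accepts for typename. */
size_t count_matches(const char *typename, int exact)
{
    const char *out[LISTING_LEN];
    return match_entries(typename, exact, out, LISTING_LEN);
}

/* 1 if the policy would accept the entry called name, 0 otherwise. */
int accepts(const char *typename, int exact, const char *name)
{
    const char *out[LISTING_LEN];
    size_t n = match_entries(typename, exact, out, LISTING_LEN);
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i], name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *out[LISTING_LEN];
    size_t n;

    n = match_entries("cpu.so", 0, out, LISTING_LEN);
    printf("prefix match (strncasecmp) accepts %zu entries:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", out[i]);

    n = match_entries("cpu.so", 1, out, LISTING_LEN);
    printf("exact match (strcasecmp) accepts %zu entries:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", out[i]);
    return 0;
}
```

With the constructed listing, the prefix policy accepts four entries for "cpu.so" (the two real spellings plus the two stray "cpu.so.*" files), and which of them wins in collectd depends purely on readdir() order; the exact policy accepts only the two spellings of the intended file. Note that "cpufreq.so" is rejected by both policies, so the ".so" suffix in typename already prevented the cpu/cpufreq confusion; what the patch closes is the class of names that start with the full expected name.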