trickle: Fixed untrusted search path vulnerability (SECURITY! CVE-2009-0415)

network/trickle/trickle-1.07-CVE-2009-0415.patch

@@ -0,0 +1,37 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../trickle/trickle-1.07-CVE-2009-0415.patch
+# Copyright (C) 2011 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+Description:
+Untrusted search path vulnerability in trickle 1.07 allows local users to
+execute arbitrary code via a Trojan horse trickle-overload.so in the current
+working directory, which is referenced in the LD_PRELOAD path.
+
+Origin: Fedora Project
+http://pkgs.fedoraproject.org/gitweb/?p=trickle.git;a=blob_plain;f=trickle-1.07-CVE-2009-0415.patch;hb=HEAD
+
+CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0415
+
+diff -up trickle-1.07/trickle.c.cve trickle-1.07/trickle.c
+--- trickle-1.07/trickle.c.cve	2004-12-13 01:15:51.000000000 +0100
++++ trickle-1.07/trickle.c	2009-02-12 20:21:46.000000000 +0100
+@@ -49,7 +49,6 @@ main(int argc, char **argv)
+ 	char buf[MAXPATHLEN], sockname[MAXPATHLEN], *path, **pathp;
+ 	struct stat sb;
+ 	char *trypaths[]  = {
+-		LIBNAME,
+ 		LIBDIR "/" LIBNAME,
+ 		NULL
+ 	};