On Thu, 16.07.09 16:16, Diego E. ?Flameeyes? Petten? (flameeyes at gmail.com) wrote: > Blatantly copying the Gentoo Advisory (since they are the security team > I have contact with) you can find all the needed information here. BTW, would be great if the security folks themselves would actually contact upstream with this. All they can do is whine that we don't take the security issues serious enough. But uh, it's a bit hard to do that if we are only informed indirectly via the distros. Gah. > The fix (pending merge on master branch) is available on my branch: > > http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio > > http://gitorious.org/~flameeyes/pulseaudio/flameeyes-pulseaudio/commit/84200b423ebfa7e2dad9b1b65f64eac7bf3d2114 I am not conviced that this is the right fix. The documentation on "-z now" is a bit terse. The way I understood it it actually only effects the .so or binary we are linking and not recursively all objects that might be pulled in indirectly. Due to that LD_BIND_NOW has a greater effect than -z now. But uh, I am not sure if my reading is correct. OTOH the whole feature of enforcing immediate binding is a bit snake-oilish. And redundant on prelink-enabled systems. So maybe dropping the entire feature wouldn't be that bad after all... Lennart -- Lennart Poettering Red Hat, Inc. lennart [at] poettering [dot] net http://0pointer.net/lennart/ GnuPG 0x1A015CC4