Bug 271870 - [QA][qting-edge] Insecure rpath on dev-python/PyQt4-4.4.4-r5
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Runpath Issues
Hardware: All Linux
Importance: High QA
Assignee: Gentoo Security
Reported: 2009-05-30 12:33 UTC by Markos Chandras (RETIRED)
Modified: 2009-06-01 16:29 UTC
Description Markos Chandras (RETIRED) gentoo-dev 2009-05-30 12:33:18 UTC
Portage throws a warning about insecure rpaths on PyQt4-4.4.4-r5, located in the qting-edge overlay. I keep trying to fix it but I am not quite sure where and what to search for. So I wanted some help with this, to solve it before pushing it to the Portage tree.

Thanks


Reproducible: Always

Steps to Reproduce:
1. emerge =dev-python/PyQt4-4.4.4-r5

Actual Results:  
The actual warning is below:



 * QA Notice: The following files contain insecure RUNPATH's
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 * /var/tmp/portage/dev-python/PyQt4-4.4.4-r5/work/PyQt-x11-gpl-4.4.4/qpy/QtDesigner:/usr/lib64/qt4 usr/lib64/python2.6/site-packages/PyQt4/QtDesigner.so

Auto fixing rpaths for /var/tmp/portage/dev-python/PyQt4-4.4.4-r5/work/PyQt-x11-gpl-4.4.4/qpy/QtDesigner:/usr/lib64/qt4 usr/lib64/python2.6/site-packages/PyQt4/QtDesigner.so

Expected Results:  
no warnings
Comment 1 Davide Pesavento (RETIRED) gentoo-dev 2009-05-30 13:41:54 UTC
Doesn't this also happen on 4.4.4-r4 (in Portage)?
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2009-05-30 13:52:32 UTC
Possibly yes. But if this QA failure is easy to fix, why not fix it? The new ebuild has major changes and might be a future stable candidate. So I'd prefer it to be in a sane QA state :)
Comment 3 Davide Pesavento (RETIRED) gentoo-dev 2009-05-30 16:00:36 UTC
Of course, QA is important and I agree that this bug must be fixed. I just wanted to know if the QA issue has been introduced by my changes to -r5 in overlay, or if it was already there.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2009-05-30 17:05:29 UTC
Just checked. QA issue exists on 4.4.4-r4 as well so it is not a regression :)
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-05-31 01:38:00 UTC
Switched to security since it's an rpath issue for a portage package (leaving it to them rather than QA).
Comment 6 Davide Pesavento (RETIRED) gentoo-dev 2009-05-31 15:09:58 UTC
The insecure runpath is added by QtDesigner/Makefile. The -rpath directive points to qpy/QtDesigner, where there's only a static archive that is linked in at build-time, and -L already specifies its location, so the additional rpath seems totally useless. Flameeyes confirmed my thought.

I'm still investigating the root cause: since that makefile is generated by sipconfig, it may be a sip bug.
Comment 7 Davide Pesavento (RETIRED) gentoo-dev 2009-05-31 15:21:02 UTC
Disregard the part about -L in my previous comment, rpath is only used by the _runtime_ linker.
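
An added example, not part of the original bug report or of Portage: a small auditor that reads the dynamic section printed by `readelf -d` and flags RPATH/RUNPATH entries like the one in the QA notice, where the runtime linker would search a build directory under /var/tmp. The sample output is constructed from the path in the notice, and `UNTRUSTED_PREFIXES` is an assumed policy list.

```python
import posixpath
import re

# RPATH/RUNPATH lines as printed by `readelf -d <file>`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Assumed policy: trees that are not guaranteed to be root-controlled.
UNTRUSTED_PREFIXES = ("/var/tmp", "/tmp", "/home")

# Constructed sample: the RUNPATH value is the one from the QA notice.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/portage/dev-python/PyQt4-4.4.4-r5/work/PyQt-x11-gpl-4.4.4/qpy/QtDesigner:/usr/lib64/qt4]
"""


def classify_entry(entry):
    """Return why a single search-path entry is unsafe, or None if it is fine."""
    if entry == "":
        return "empty entry, resolved against the current working directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # relative to the object's own location; accepted here
    if not entry.startswith("/"):
        return "relative path, resolved against the current working directory"
    norm = posixpath.normpath(entry)  # collapse ".." before comparing prefixes
    for prefix in UNTRUSTED_PREFIXES:
        if norm == prefix or norm.startswith(prefix + "/"):
            return "under %s, which is not guaranteed to be root-controlled" % prefix
    return None


def audit_readelf(dynamic_section):
    """Return (tag, entry, reason) for every unsafe RPATH/RUNPATH entry."""
    findings = []
    for tag, value in _DYN_RE.findall(dynamic_section):
        for entry in value.split(":"):
            reason = classify_entry(entry)
            if reason:
                findings.append((tag, entry, reason))
    return findings


if __name__ == "__main__":
    for tag, entry, reason in audit_readelf(SAMPLE):
        print("%s entry %r: %s" % (tag, entry, reason))
```

Feed it the output of `readelf -d` for each installed shared object; only the build-directory entry of the sample is reported, while /usr/lib64/qt4 passes.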
Comment 8 Davide Pesavento (RETIRED) gentoo-dev 2009-05-31 22:37:19 UTC
This should be fixed now.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2009-06-01 16:29:04 UTC
+*PyQt4-4.4.4-r5 (01 Jun 2009)
+
+  01 Jun 2009; Markos Chandras <hwoarang@gentoo.org> +PyQt4-4.4.4-r5.ebuild,
+  files/configure.py.patch, metadata.xml:
+  Fixed automagic dependency issue. ( bug 236341 ). Fixed rpath issues ( bug
+  235819 , bug 271870 ). Thanks to Davide Pesavento <davidepesa@gmail.com>
+  for
+  the ebuilds and the rpath patch.
+
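Review bot: the entry body has a stray line break that leaves "for" alone on its own line before "the ebuilds and the rpath patch"; re-wrap it so the sentence reads continuously. The entry also lists +PyQt4-4.4.4-r5.ebuild, files/configure.py.patch and metadata.xml under one description, so it would help to say which file carries the rpath change for bug 235819 and bug 271870 and which carries the automagic dependency fix for bug 236341.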

On tree

Thank you all