140295 2006-07-13 20:59 0000 dev-db/qdbm-1.8.48(stable)-1.8.53 appears to have insecure RUNPATH issues 2006-12-31 04:15:53 0000 1 1 1 Unclassified Gentoo Security Runpath Issues unspecified All Linux RESOLVED FIXED https://bugs.gentoo.org/show_bug.cgi?id=108534 P2 normal --- 81745 1 dragonheart@gentoo.org security@gentoo.org hattya@gentoo.org nichoj@gentoo.org dragonheart@gentoo.org 2006-07-13 20:59:24 0000 qdbm-1.8.48 (stable) contains RUNPATH issues as a result of LD_RUN_PATH=/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib qdbm-1.8.49 and qdbm-1.8.53 also suffer the same problem. same as bug 108534 but different version From emerge: ln -f -s libqdbm.so.12.9.0 libqdbm.so LD_RUN_PATH=/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib i686-pc-linux-gnu-gcc -Wall -ansi -pedantic -fPIC -fsigned-char -O2 -fomit-frame-pointer -DNDEBUG -o dpmgr dpmgr.o -L. -L/var/tmp/portage/qdbm-1.8.48/homedir/lib -L/usr/local/lib -lqdbm -lbz2 -lz -lpthread -lc QA Notice: the following files contain insecure RUNPATH's Please file a bug about this at http://bugs.gentoo.org/ with the maintaining herd of the package. Summary: dev-db/qdbm: insecure RPATH /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dpmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dptsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crtsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/rlmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/hvmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/cbcodec /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vlmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vltsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odidx /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dpmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dptsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crtsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/rlmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/hvmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/cbcodec /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vlmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vltsv /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odmgr /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odidx # emerge --info Portage 2.1-r1 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.5-r2, 2.6.14-hardened-r5 i686) ================================================================= System uname: 2.6.14-hardened-r5 i686 Pentium III (Coppermine) Gentoo Base System version 1.6.15 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.3.5, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 dragonheart@gentoo.org 2006-07-13 21:00:30 0000 Created an attachment (id=91671) qdbm-runpath2.diff a fix dragonheart@gentoo.org 2006-09-06 17:46:28 0000 *** Bug 146623 has been marked as a duplicate of this bug. *** hattya@gentoo.org 2006-10-30 03:59:43 0000 arm, s390 and sh need to stabilize 1.8.70-r1 to fix this bug. dragonheart@gentoo.org 2006-12-27 11:26:16 0000 qdbm-1.8.70-r1 all stable as per bug 149578 GLSA vote no as portage has fixed runpath issues before install for ages and its pretty hard to exploit. Time for closure and qdbm-1.8.46 removal (nothing explictly needs this version)? dragonheart@gentoo.org 2006-12-31 04:15:53 0000 Closing - thanks Tavis 91671 2006-07-13 21:00 0000 qdbm-runpath2.diff qdbm-runpath2.diff text/plain LS0tIE1ha2VmaWxlLmluLm9yaWcJMjAwNi0wMy0wOSAxOToxMDo0NS4wMDAwMDAwMDAgKzExMDAK KysrIE1ha2VmaWxlLmluCTIwMDYtMDctMTQgMTM6NDM6MDYuMDAwMDAwMDAwICsxMDAwCkBAIC02 MSw3ICs2MSw3IEBACiBMSUJTID0gLWxxZGJtIEBMSUJTQAogTElCTERGTEFHUyA9IC1MLiAtTCQo SE9NRSkvbGliIC1ML3Vzci9sb2NhbC9saWIgQExJQlNACiBMREZMQUdTID0gLUwuIC1MJChIT01F KS9saWIgLUwvdXNyL2xvY2FsL2xpYiAkKExJQlMpCi1MREVOViA9IExEX1JVTl9QQVRIPS9saWI6 L3Vzci9saWI6JChIT01FKS9saWI6L3Vzci9sb2NhbC9saWI6JChNWUxJQkRJUikKK0xERU5WID0g CiBBUiA9IEBBUkAKIEFSRkxBR1MgPSByY3N2CiBSVU5FTlYgPSBMRF9MSUJSQVJZX1BBVEg9Ljov bGliOi91c3IvbGliOiQoSE9NRSkvbGliOi91c3IvbG9jYWwvbGliCi0tLSBwbHVzL01ha2VmaWxl LmluLm9yaWcJMjAwNS0wOC0xOCAwNjoxODoxMS4wMDAwMDAwMDAgKzEwMDAKKysrIHBsdXMvTWFr ZWZpbGUuaW4JMjAwNi0wNy0xNCAxMzo0MzowNi4wMDAwMDAwMDAgKzEwMDAKQEAgLTQ5LDcgKzQ5 LDcgQEAKIExJQlMgPSAtbHFkYm0gQExJQlNACiBMSUJMREZMQUdTID0gLUwuIC1MJChzcmNkaXIp Ly4uIC1MJChIT01FKS9saWIgLUwvdXNyL2xvY2FsL2xpYiAkKExJQlMpCiBMREZMQUdTID0gLUwu IC1MJChzcmNkaXIpLy4uIC1MJChIT01FKS9saWIgLUwvdXNyL2xvY2FsL2xpYiAtbHhxZGJtICQo TElCUykKLUxERU5WID0gTERfUlVOX1BBVEg9L2xpYjovdXNyL2xpYjokKEhPTUUpL2xpYjovdXNy L2xvY2FsL2xpYjokKE1ZTElCRElSKQorTERFTlYgPSAKIEFSID0gQEFSQAogQVJGTEFHUyA9IHJj c3YKIFJVTkVOViA9IExEX0xJQlJBUllfUEFUSD0uOi4uOi9saWI6L3Vzci9saWI6JChIT01FKS9s aWI6L3Vzci9sb2NhbC9saWIKLS0tIGNnaS9NYWtlZmlsZS5pbi5vcmlnCTIwMDQtMDgtMTggMjE6 MTc6MDIuMDAwMDAwMDAwICsxMDAwCisrKyBjZ2kvTWFrZWZpbGUuaW4JMjAwNi0wNy0xNCAxMzo0 MzowNi4wMDAwMDAwMDAgKzEwMDAKQEAgLTI5LDcgKzI5LDcgQEAKIENGTEFHUyA9IC1XYWxsIC1h bnNpIC1wZWRhbnRpYyAtZnNpZ25lZC1jaGFyICQoUkVMQ0ZMQUdTKQogTElCUyA9IC1scWRibSBA TElCU0AKIExERkxBR1MgPSAtTCQoc3JjZGlyKS8uLiAtTCQoSE9NRSkvbGliIC1ML3Vzci9sb2Nh bC9saWIgJChMSUJTKQotTERFTlYgPSBMRF9SVU5fUEFUSD0vbGliOi91c3IvbGliOiQoSE9NRSkv bGliOi91c3IvbG9jYWwvbGliOiQocHJlZml4KS9saWIKK0xERU5WID0gCiAKICMgSW5zdGFsbCBk ZXN0aW5hdGlvbnMKIHByZWZpeCA9IEBwcmVmaXhACg==