Bug 116795 - dev-lang/pike: insecure runpath
Bug#: 116795 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: axxo@gentoo.org
Component: Runpath Issues
URL: 
Summary: dev-lang/pike: insecure runpath
Keywords:  
Status Whiteboard: B3 [stable?] DerCorny
Opened: 2005-12-26 10:52 0000
Description:   Opened: 2005-12-26 10:52 0000 
QA Notice: the following files contain insecure RUNPATH's
Please file a bug about this at http://bugs.gentoo.org/
For more information on this issue, kindly review:
http://bugs.gentoo.org/81745
/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.14-gentoo-r5-i686/bundles/lib:/usr/local/lib:/usr/X11R6/lib
usr/bin/pike

QA Notice: the following files contain executable stacks
Files with executable stacks will not work properly (or at all!)
on some architectures/operating systems.  A bug should be filed
at http://bugs.gentoo.org/ to make sure the file is fixed.
RWX --- --- usr/lib/pike/modules/Image.so

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-12-26 11:32:27 0000 ------- 
... oh yeah, how i love it. dev-lang/pike  Herd: no-herd Maintainer: no-herd
and the guy in the changelog is no longer a dev. i hope that kloeri might take
a look, though

------- Comment #2 From Uwe Sinha 2006-01-04 03:02:57 0000 ------- 
This problem also occurred with the (unstable) pike-7.6.50 ebuild.

------- Comment #3 From Jakub Moc (RETIRED) 2006-01-08 01:23:49 0000 ------- 
*** Bug 118258 has been marked as a duplicate of this bug. ***

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-01-12 05:33:22 0000 ------- 
*** Bug 118770 has been marked as a duplicate of this bug. ***

------- Comment #5 From Tupone Alfredo 2006-01-13 15:26:23 0000 ------- 
Created an attachment (id=77034) [details]
pike-7.6.24.ebuild runpath fix

This is a fix to runpath. I disable the bundles at configure time (actually
dunno what they are, I guess plugins). The directory where bundles should be is
not there, in the broken build, and rpath pointed to a wrong place
(/var/tmp/portage/...)

So removing bundles should not degrade.

Now emerge cleanly

------- Comment #6 From Thierry Carrez (RETIRED) 2006-01-15 09:29:10 0000 ------- 
Thx for the analysis, now we just need to find some herd/dev in Gentoo that
accepts to take that package :)

------- Comment #7 From Kim Nilsson 2006-01-15 20:04:14 0000 ------- 
I found someone in the forum that did a manual install of Pike when the ebuild
crashes. Just a simple "make install" in the
/var/tmp/portage/pike-7.6.50/work/Pike-v7.6.50 dir.

Now, I know that's breaking the rules, but for testing the mkdvd script I had I
did so. It installed fine and works just great.

I hope someone can fix the ebuild so it can be installed properly through
portage.

------- Comment #8 From Jakub Moc (RETIRED) 2006-02-25 00:21:13 0000 ------- 
*** Bug 124015 has been marked as a duplicate of this bug. ***

------- Comment #9 From solar 2006-03-05 08:02:51 0000 ------- 
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only
die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer
security@

http://bugs.gentoo.org/show_bug.cgi?id=124962

------- Comment #10 From Luis F. Araujo 2006-07-07 17:03:16 0000 ------- 
I just fixed this problem in the two latest versions.

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-07-07 23:19:05 0000 ------- 
We still need the fixed versions to be marked stable.

Arches please test.

------- Comment #12 From Sune Kloppenborg Jeppesen 2006-07-07 23:35:04 0000 ------- 
Unccing arches until we get bug #136065 sorted out.

------- Comment #13 From Luis F. Araujo 2006-07-11 06:10:10 0000 ------- 
I am closing this bug, since the original issue of the report is pretty much
solved now. We can move the arch testing reports to bug #136065.