Also posted as a comment to Bug 81745 as requested.

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtk
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtkpython
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib:/opt/blackdown-jdk-1.4.2.01/jre/lib/i386 usr/lib/vtk/libvtkHybridJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommon.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIO.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFiltering.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybrid.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImaging.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphics.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybridPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRendering.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/opt/blackdown-jdk-1.4.2.01/jre/lib/i386:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkftgl.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybridTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingPythonTkWidgets.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingTCL.so
-----------------------------------------------------------------
Gentoo Base System version 1.4.16
Portage 2.0.53 (default-linux/x86/2005.0, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-gentoo-r9 i686)
=================================================================
System uname: 2.6.9-gentoo-r9 i686 AMD Athlon(tm) Processor
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python: 2.3.4
sys-apps/sandbox: 1.2.11
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.8.5-r1
sys-devel/binutils: 2.15.90.0.1.1-r3
sys-devel/libtool: 1.4.3-r4, 1.5.2-r7
virtual/os-headers: 2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts audiofile avi berkdb bitmap-fonts bonobo bzip2 cdr crypt cups curl emboss encode esd exif expat f77 fam ffmpeg flac foomaticdb fortran gcl gdbm gif glut gmp gnome gpm gstreamer gtk gtk2 gtkhtml guile idn imagemagick imlib ipv6 java joystick jpeg lcms libg++ libwww mad mhash mikmod ming mng motif mp3 mpeg mysql ncurses nls ogg oggvorbis openal opengl oss pam pcre pdflib perl png ppds python qt quicktime readline scanner sdl slang spell ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts udev vorbis xml xml2 xmms xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
I just rebuilt vtk but I cannot reproduce this with USE="java python tcltk threads -doc -examples -mpi -patented". What are your use flags for vtk?
markusle please verify and provide new ebuilds if needed, thx
(In reply to comment #2)
> markusle please verify and provide new ebuilds if needed, thx

I'll have a look at it soon! Thanks for reporting.

Thanks,
Markus
Unfortunately, I cannot reproduce this here with identical use flags to yours. Which version of cmake are you currently running? Also, could you please post the cmake cache file CMakeCache.txt (should be located at /var/tmp/portage/vtk-4.2.6/work/VTK). Finally, it looks like your system is somewhat outdated, e.g. python, binutils, ... It might be a good idea to bring it up to the current x86 and then try again.

Thanks,
Markus
Created attachment 80605
CMake cache file for VTK 4.2.6

cmake version 2.0.3

See attached CMakeCache.txt

I will try updating the system this weekend and re-emerge VTK.

Craig
Created attachment 80679
patch for vtk-4.2.6.ebuild

Thanks for posting your cache file and I can see now where the problem might be. Please try the attached patch for the ebuild and report back.

Thanks,
Markus
I got VTK to emerge correctly. I tried upgrading binutils and python as recommended, but vtk still had the insecure RUNPATH problem. I then upgraded cmake to the latest stable version and I was able to install successfully. All this took place without the patch. So, it appears that cmake 2.0.6 is necessary to build VTK. Markus, sorry I was not able to try out your patch. -- Craig
(In reply to comment #7)
> I got VTK to emerge correctly.

Hi Craig,

I am glad that upgrading cmake took care of the problem. In any case, I applied the patch to the ebuild since it should prevent similar things from happening in the future.

@security.g.o: It looks like the insecure RUNPATH problems have been resolved.

Thanks,
Markus
The next ~arch portage revision will auto repair evil rpaths and not bail. Maintainers should still fix the packages they maintain as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
(In reply to comment #9)
> The next ~arch portage revision will auto repair evil rpaths and not bail.
> Maintainers should still fix the packages they maintain as portage will only die
> with FEATURES=stricter (but that is a maintainer & QA problem) no longer
> security@
>
> http://bugs.gentoo.org/show_bug.cgi?id=124962

Hi solar,

Thank you very much for the info and for pointing out the relevant bug.

best,
Markus
Hi security folks,

Can this bug be closed? It looks like the issue has been resolved and version 4.2.6 will be removed from the tree in the very near future anyway.

Thanks,
Markus
No longer a security issue with current stable portage, re-assigning to maintainer.

Just close it if it's no longer reproducible with current versions in portage.
(In reply to comment #12)
> No longer a security issue with current stable portage, re-assigning to
> maintainer.
>
> Just close it if it's no longer reproducible with current versions in portage.

Thanks Jakub! Current versions are fine to the best of my knowledge, hence I'll close this one.

best,
Markus
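
The check behind the QA notice in the first comment, as an added example that is not from the bug thread and is not Portage's own code: it classifies each RUNPATH entry and shows what is left once the unsafe entries are dropped. The build root /var/tmp/portage is derived from the report's PORTAGE_TMPDIR, accepting $ORIGIN entries is an assumption, and the last sample line is constructed.

```python
import posixpath

# Assumption: PORTAGE_TMPDIR="/var/tmp" from the report, plus "portage".
BUILD_ROOT = "/var/tmp/portage"

# "RUNPATH file" lines; the first three are from the QA notice,
# the last one is constructed to show a clean object.
SAMPLE = """\
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtk
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommon.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib:/opt/blackdown-jdk-1.4.2.01/jre/lib/i386 usr/lib/vtk/libvtkHybridJava.so
/usr/lib/vtk:$ORIGIN/../lib usr/bin/constructed-clean
"""

def entry_problem(entry, build_root=BUILD_ROOT):
    """Return why one RUNPATH entry is unsafe, or None if it is acceptable."""
    if entry == "":
        return "empty entry (the loader searches the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the object, not the caller's cwd
    if not entry.startswith("/"):
        return "relative path (depends on the current directory)"
    norm = posixpath.normpath(entry)  # collapses "..", so /var/tmp/../tmp/... is caught
    if norm == build_root or norm.startswith(build_root + "/"):
        return "points into the temporary build directory"
    return None

def audit(notice, build_root=BUILD_ROOT):
    """Map each file to (findings, RUNPATH with the unsafe entries removed)."""
    report = {}
    for line in notice.splitlines():
        line = line.strip()
        if not line:
            continue
        runpath, path = line.rsplit(None, 1)
        findings, kept = [], []
        for entry in runpath.split(":"):
            reason = entry_problem(entry, build_root)
            if reason:
                findings.append((entry, reason))
            else:
                kept.append(entry)
        report[path] = (findings, ":".join(kept))
    return report

if __name__ == "__main__":
    for path, (findings, fixed) in audit(SAMPLE).items():
        print(path, "->", repr(fixed))
        for entry, reason in findings:
            print("   ", repr(entry), reason)
```
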