Bug 105054 - dev-util/subversion-1.2.3-r1 contains insecure RUNPATH's
Summary: dev-util/subversion-1.2.3-r1 contains insecure RUNPATH's
Product: Gentoo Security
Component: Vulnerabilities
Hardware: All Linux
Assignee: Gentoo Security
114253 117149 117267 117926 119497 120384 124742 129316 148827
Blocks: 81745 111947
Reported: 2005-09-06 12:46 UTC by Paul Varner (RETIRED)
Modified: 2006-09-23 12:31 UTC (History)
20 users (show)

perl-5.8.7-MakeMaker-RUNPATH.patch
2005-09-10 05:18 UTC, Martin Schlemmer (RETIRED)
perl-5.8.7-MakeMaker-RUNPATH.patch
2005-09-10 06:11 UTC, Martin Schlemmer (RETIRED)
perl-5.8.7-MakeMaker-RUNPATH-gentoo.patch
2005-09-10 06:14 UTC, Martin Schlemmer (RETIRED)
perl-5.8.7-MakeMaker-RUNPATH-gentoo.patch
2005-09-10 06:29 UTC, Martin Schlemmer (RETIRED)
subversion emerge log
2005-11-05 13:31 UTC, Jason Wever (RETIRED)
Description Paul Varner (RETIRED) gentoo-dev 2005-09-06 12:46:11 UTC
When emerging subversion, I get the following output:

QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths
QA Notice: appears to contain PORTAGE_TMPDIR paths

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:

!!! ERROR: dev-util/subversion-1.2.3-r1 failed.
!!! Function dyn_install, Line 447, Exitcode 0
!!! Insecure binaries detected
!!! If you need support, post the topmost build error, NOT this status message.

Reproducible: Always
Steps to Reproduce:
1. emerge -v1 subversion

Actual Results:  
Produced above error message

Expected Results:  
emerged without error

emerge -pv subversion

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild    U ] dev-util/subversion-1.2.3-r1 [1.2.1] -apache2 +bash-completion
+berkdb -emacs +java +nls -nowebdav +perl +python +zlib

emerge info
Portage 1.589-cvs (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r1,
2.6.12-gentoo-r6 i686)
System uname: 2.6.12-gentoo-r6 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz
Gentoo Base System version 1.12.0_pre8
Python:              dev-lang/python-2.3.5,dev-lang/python-2.4.1-r1 [2.4.1 (#1,
Jun 17 2005, 01:55:04)]
distcc: No such file or directory [disabled]
dev-lang/python:     2.3.5, 2.4.1-r1
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.9.6, 1.5, 1.8.5-r3, 1.7.9-r1, 1.6.3, 1.4_p6
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=pentium4 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env
/usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -pipe"
FEATURES="autoaddcvs autoconfig ccache cvs distlocks fixpackages sandbox sfperms
USE="x86 X acpi alsa apache2 arts artswrappersuid audiofile avi bash-completion
berkdb bitmap-fonts browserplugin cdr crypt cups curl dvd eds emboss encode fam
fbcon flac foomaticdb fortran gdbm gif gpm gstreamer gtk gtk2 imagemagick imlib
java javascript jpeg kde kdeenablefinal kdexdeltas libg++ libwww mad maildir
mikmod mmx motif mp3 mpeg ncurses nls nptl ogg oggvorbis opengl pam pdflib perl
png ppds python qt quicktime readline samba sasl sdl spell sqlite sse ssl tcltk
tcpd tiff truetype truetype-fonts type1-fonts usb vorbis win32codecs xine xml2
xmms xscreensaver xv zlib linguas_en userland_GNU kernel_linux elibc_glibc"

Config files: /etc/make.conf, /etc/portage/mirrors, /etc/portage/package.mask,
/etc/portage/package.unmask, /etc/portage/package.keywords,
/etc/portage/profile/packages, /etc/portage/profile/virtuals
Comment 1 Paul de Vrieze (RETIRED) gentoo-dev 2005-09-07 02:13:47 UTC
Ok, is there someone on the security list with perl knowledge? The problem seems
to exist in the perl bindings, and my knowledge of perl is almost nonexistent.
I'd like to consider solving the problem in another way than disabling the perl

Sometimes I'd like to shoot down libtool.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-07 02:40:37 UTC
Paul: will a similar trick used in bug 103776, comment 4 work?
Comment 3 Paul de Vrieze (RETIRED) gentoo-dev 2005-09-07 03:47:39 UTC
I'll look at it, and check whether it works.
Comment 4 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 04:40:04 UTC
Not libtool's fault for the perl bindings .. that is MakeMaker being stupid. 
For the libsvn_*.la stuff, that is Spanky's fault .. I'll be fixing that :/
Comment 5 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 05:18:29 UTC
Created attachment 68102 [details, diff]

Ok, this patch against perl for MakeMaker fixes the issue for the bindings ... 
Thanks to tigger^ and truedfx for helping with the perl.

--- perl-5.8.7/lib/ExtUtils/	2005-09-10 14:06:59.000000000 +0200
+++	2005-09-10 14:07:05.000000000
@@ -1914,7 +1914,10 @@
	if ($libs[0] or $libs[1] or $libs[2]){
	    # LD_RUN_PATH now computed by ExtUtils::Liblist
	    ($self->{EXTRALIBS},  $self->{BSLOADLIBS},
-	      $self->{LDLOADLIBS}, $self->{LD_RUN_PATH}) = @libs;
+	      $self->{LDLOADLIBS}) = @libs;
+	    # We do not want the build root in RPATH
+	    my @new_libs = grep m!^/usr!, split /:/, join ':', @libs;
+	    $self->{LD_RUN_PATH} = join(':',@new_libs);
Comment 6 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 06:11:38 UTC
Created attachment 68103 [details, diff]

Ok, I did not grok the perl that well, this should be better.

--- perl-5.8.7/lib/ExtUtils/	2005-09-10 14:06:59.000000000 +0200
+++	2005-09-10 15:10:46.000000000
@@ -1915,6 +1915,9 @@
	    # LD_RUN_PATH now computed by ExtUtils::Liblist
	    ($self->{EXTRALIBS},  $self->{BSLOADLIBS},
	      $self->{LDLOADLIBS}, $self->{LD_RUN_PATH}) = @libs;
+	    # We do not want the build root in RPATH
+	    $self->{LD_RUN_PATH} = join ':', grep m!^/(?:usr|opt)!, split /:/,
+				   $self->{LD_RUN_PATH};
Comment 7 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 06:14:09 UTC
Created attachment 68104 [details, diff]

And this one might be the best, as it rather strips paths containing
PORTAGE_TMPDIR ... not sure if we still want it to strip non ^/(usr|opt) if
PORTAGE_TMPDIR is not set, but I left it like that for now.

--- perl-5.8.7/lib/ExtUtils/	2005-09-10 14:06:59.000000000 +0200
+++	2005-09-10 15:13:01.000000000
@@ -1915,6 +1915,17 @@
	    # LD_RUN_PATH now computed by ExtUtils::Liblist
	    ($self->{EXTRALIBS},  $self->{BSLOADLIBS},
	      $self->{LDLOADLIBS}, $self->{LD_RUN_PATH}) = @libs;
+	    # We do not want the build root in RPATH
+	    if (exists $ENV{PORTAGE_TMPDIR}) {
+	      # If we have PORTAGE_TMPDIR set, strip that, as just testing for
+	      # /usr and /opt might not be sufficient
+	      $self->{LD_RUN_PATH} = join ':', grep /.../ &&
+				     split /:/, $self->{LD_RUN_PATH};
+	    } else {
+	      # Else just use /usr and /opt paths, and hope for the best
+	      $self->{LD_RUN_PATH} = join ':', grep m!^/(?:usr|opt)!, split
+				     $self->{LD_RUN_PATH};
+	    }
Comment 8 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 06:29:57 UTC
Created attachment 68107 [details, diff]

This fixes another slight but non-fatal issue.

--- perl-5.8.7/lib/ExtUtils/	2005-09-10 14:06:59.000000000 +0200
+++	2005-09-10 15:25:52.000000000
@@ -1915,6 +1915,17 @@
	    # LD_RUN_PATH now computed by ExtUtils::Liblist
	    ($self->{EXTRALIBS},  $self->{BSLOADLIBS},
	      $self->{LDLOADLIBS}, $self->{LD_RUN_PATH}) = @libs;
+	    # We do not want the build root in RPATH
+	    if (exists $ENV{PORTAGE_TMPDIR}) {
+	      # If we have PORTAGE_TMPDIR set, strip that, as just testing for
+	      # /usr and /opt might not be sufficient
+	      $self->{LD_RUN_PATH} = join ':', grep !/^\Q$ENV{PORTAGE_TMPDIR}/,

+				     split /:/, $self->{LD_RUN_PATH};
+	    } else {
+	      # Else just use /usr and /opt paths, and hope for the best
+	      $self->{LD_RUN_PATH} = join ':', grep m!^/(?:usr|opt)!, split
+				     $self->{LD_RUN_PATH};
+	    }
Comment 9 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-10 06:41:38 UTC
The .la issue is due to this typo (note that my_little_ninja_foo_3 was not set,
so the elif was never executed):

Index: 1.5.10
RCS file: /var/cvsroot/gentoo-x86/eclass/ELT-patches/portage/1.5.10,v
retrieving revision 1.1
diff -u -r1.1 1.5.10
--- 1.5.10      29 Jun 2005 10:51:11 -0000      1.1
+++ 1.5.10      10 Sep 2005 13:38:02 -0000
@@ -40,10 +40,10 @@
 +                fi
 +                # We do not want portage's build root ($S) present.
 +                my_little_ninja_foo_2=`echo $deplib |$EGREP -e "$S"`
-+                if test -n "$my_little_ninja_foo_2" && test "$S"; then
-+                  mynewdependency_lib=""
 +                # We do not want portage's install root ($D) present.
 +                my_little_ninja_foo_3=`echo $deplib |$EGREP -e "$D"`
++                if test -n "$my_little_ninja_foo_2" && test "$S"; then
++                  mynewdependency_lib=""
 +                elif test -n "$my_little_ninja_foo_3" && test "$D"; then
 +                  eval mynewdependency_lib=`echo "$deplib" |sed -e "s:$D:/:g"
-e 's:/\+:/:g'`
 +                else
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 03:09:30 UTC
Martin: feel free to commit the MakeMaker patch, should fix quite a bunch of
these RPATH things.
Comment 11 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-14 04:25:03 UTC
Roger.  The question is still just if we should leave RUNPATH alone if
PORTAGE_TMPDIR is set?  User might have some strage setup for some custome
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 05:47:29 UTC
I would say no... screw the fucked-up setup.
Comment 13 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-09-17 06:33:36 UTC
*looks in*

einfo "We've decided that you can't have perl module .so's link to libs"
einfo "outside of /opt and /usr by default.  To reverse this:"
einfo "  cd blah; patch -R < blah .."
einfo "Have a nice day !"

Said fucked-up setup will work on all other distros, bar Gentoo .. I don't see
the advantage here.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:50:19 UTC
OK, I may have read this bug a little too fast :)
Stripping PORTAGE_TMPDIR may be sufficient. Tavis, your opinion on this ?
Comment 15 SpanKY gentoo-dev 2005-09-17 13:25:42 UTC
do we really need the else clause in the patch in comment #8 ?  the first part
makes a lot of sense, but the 2nd part assumes too much i think
Comment 16 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-18 05:04:33 UTC
(In reply to comment #15)
> do we really need the else clause in the patch in comment #8 ?  the first part
> makes a lot of sense, but the 2nd part assumes too much i think

The else was the first try, the specific PORTAGE_TMPDIR the second.  Its not
needed, and it will restrict manual installs, just wanted to know what the
security guys thought about how anal it should be.  I'll commit just the fist bit.

PS, cc'd portage guys on this so that they know to either leave PORTAGE_TMPDIR
around, or think about how we will handle this and stuff like the libtool
patches that needs this ... think I heard that the rewrite might have changes in
this department.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-20 00:19:17 UTC
Paul what is the status on this one? 
Comment 18 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-20 02:19:43 UTC
Added perl-5.8.6-r6.ebuild and perl-5.8.7-r1.ebuild, both ~.  Arch teams should
just test and stable which ever one they prefer.
Comment 19 Paul de Vrieze (RETIRED) gentoo-dev 2005-09-20 02:27:26 UTC
Sune: from what I understand this bug is more a problem with perl than with the
subversion ebuild. Allthough I don't have a version of portage that can test
this stuff, I understand that with the new perl ebuilds, subversion should just
work with the original ebuilds.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 07:04:23 UTC
Let's just wait and see if it's fixed with the new Perl thing
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 07:07:07 UTC
Archs, please test and mark perl-5.8.6-r6 stable (or perl-5.8.7-r1 if you prefer).
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-20 07:13:46 UTC
Not sure that this fixes everything for subversion.    
Handling perl stable marking on bug #106678 
Comment 23 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-20 08:38:48 UTC
Well, there was two issues:
1) Blotched libtool patch which is fixed already.  Not sure how the apr stuff
work, but might have to remerge apr as well if it uses the libtool that apr
2) MakeMaker from perl that messed up the RUNPATH's.  This is fixed by the perl
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-20 23:40:50 UTC
Thx Martin. 
Tavis any more issues before we can close this one as fixed?  
Comment 25 Paul Varner (RETIRED) gentoo-dev 2005-09-21 09:27:42 UTC
After emerging the updated perl, I re-emerged subversion and did not encounter
the issue.  So it appears to be fixed from my end.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-09-22 01:49:58 UTC
Not sure how we should GLSA this one...
Comment 27 Paul de Vrieze (RETIRED) gentoo-dev 2005-09-22 01:57:38 UTC
I don't think it is a huge issue as this can only be exploited by users in the
"trusted" portage group, or when the /var/tmp/portage dir is deleted. The latter
is also restricted as long as /var/tmp permissions are set properly. I also
wonder how many other packages are affected by this. I don't think it would only
be subversion that is affected.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-09-23 13:35:26 UTC
Common GLSA with the other RUNPATH issues
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-10-13 07:46:07 UTC
Paul: subversion will need a revbump so that affected users are forced to
rebuild (and the GLSA can specify a "fixed version".

The revbump must have the following Perl dep :
Comment 30 Paul de Vrieze (RETIRED) gentoo-dev 2005-10-14 03:23:14 UTC
I've bumped the ebuild. It should be marked stable for ppc-macos and mips (at
least when they have allready stabilized the new apache layout) The 1.2.3 ebuild
still uses the old layout, but making a separate revision just for these small
archs seems kind of pointless.
Comment 31 Jason Wever (RETIRED) gentoo-dev 2005-10-14 19:54:18 UTC
Even after re-emering perl, I'm still experiencing this issue on a ~sparc
system.  99% of the packages on it are up to date as of today.
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2005-10-15 01:03:13 UTC
Paul: I can't see the 1.2.3-r2 from here, sure you committed it ?
Jason: did you get the exact same issue as fuzzyray ?
Comment 33 Jason Wever (RETIRED) gentoo-dev 2005-10-15 01:34:56 UTC
Yup, same error as original poster.  I also see no new subversion build but I
wasn't sure if the new build was subversion or perl either.
Comment 34 Paul de Vrieze (RETIRED) gentoo-dev 2005-10-15 12:23:46 UTC
Sorry, the ebuild didn't pass repoman (new portage version) on silly space checks
Comment 35 Jason Wever (RETIRED) gentoo-dev 2005-10-15 12:48:13 UTC
No change here.  -r2 still has the same problems as the original poster posted.
Comment 36 Martin Schlemmer (RETIRED) gentoo-dev 2005-10-16 07:59:38 UTC
And you do have dev-lang/perl-5.8.6-r6 or dev-lang/perl-5.8.7-r1 installed?

The 'fix' really just strip $PORTAGE_TMPDIR from -rpath ... so the linking
output of the perl modules, etc might help if you have one of above ...
Comment 37 Jason Wever (RETIRED) gentoo-dev 2005-10-16 15:16:58 UTC
Yup, using perl-5.8.7-r1 and I've even rebuild it to see if that helps but no love.
Comment 38 Martin Schlemmer (RETIRED) gentoo-dev 2005-10-24 06:21:24 UTC
Like I said .. the linking bit of the compile output of the perl modules of
subversion will help.

Also, please merge portage-utils, and do:

  # qfile /usr/lib/perl5/5.8.7/ExtUtils/
Comment 39 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 05:30:02 UTC
Weeve: please provide the requested info so that we can make progress on this one.
Comment 40 Jason Wever (RETIRED) gentoo-dev 2005-11-05 13:31:10 UTC
Created attachment 72240 [details]
subversion emerge log

Sorry for the delay.  The output of qfile is "dev-lang/perl
(/usr/lib/perl5/5.8.7/ExtUtils/".  Also I've attached the log emerge
creates when I attempt to emerge subversion-1.2.3-r3
Comment 41 Martin Schlemmer (RETIRED) gentoo-dev 2005-11-07 01:15:33 UTC
Jason, it is stable or unstable portage (ie, not the CVS 2.1 or such version) ?
 Any chance you can modify perl-5.8.7-MakeMaker-RUNPATH.patch to echo
PORTAGE_TMPDIR and see if its set?  Or some other debugging to see why it do not
strip those from LD_RUN_PATH ?

If not, anybody else know why perl-5.8.7-MakeMaker-RUNPATH.patch might screw up
on  sparc ?

PS: over here linking the perl module looks something like:

Running Mkbootstrap for SVN::_Fs ()
chmod 644
rm -f blib/arch/auto/SVN/_Fs/
LD_RUN_PATH="" x86_64-pc-linux-gnu-gcc  -shared svn_fs.o  -o
-lsvn_client-1 -lsvn_delta-1 -lsvn_fs-1 -lsvn_ra-1 -lsvn_repos-1 -lsvn_wc-1
-lsvn_diff-1 -lsvn_subr-1 -lsvn_swig_perl-1
chmod 755 blib/arch/auto/SVN/_Fs/
cp blib/arch/auto/SVN/_Fs/
chmod 644 blib/arch/auto/SVN/_Fs/

while by Jason it looks like:

Running Mkbootstrap for SVN::_Fs ()
chmod 644
rm -f blib/arch/auto/SVN/_Fs/
sparc-unknown-linux-gnu-gcc  -shared -L/usr/local/lib svn_fs.o  -o
-lsvn_client-1 -lsvn_delta-1 -lsvn_fs-1 -lsvn_ra-1 -lsvn_repos-1 -lsvn_wc-1
-lsvn_diff-1 -lsvn_subr-1 -lsvn_swig_perl-1   
chmod 755 blib/arch/auto/SVN/_Fs/
cp blib/arch/auto/SVN/_Fs/
chmod 644 blib/arch/auto/SVN/_Fs/

which clearly shows PORTAGE_TMPDIR do not get stripped from LD_RUN_PATH ...
Comment 42 Jason Wever (RETIRED) gentoo-dev 2005-11-07 19:53:41 UTC
I've used the latest ~arch versions of portage when testing this.  So far that
includes at least 2.0.53_rc5 through rc7.  I'll try your suggestion on the echo
and/or other debugging techniques and report back tomorrow night.
Comment 43 Jason Wever (RETIRED) gentoo-dev 2005-11-08 19:41:39 UTC
So, finally figured out the culprit here.  I had both dev-lang/perl and
perl-core/ExtUtils-MakeMaker installed.  They both provided, but in
different locations.  ExtUtils-MakeMaker stores it at
/usr/lib/perl5/vendor_perl/5.8.7/ExtUtils/ while perl stores it at
/usr/lib/perl5/5.8.7/ExtUtils/  Once I unmerged ExtUtils-MakeMaker,
everything emerges fine.

So it seems like perhaps subversion may want to include a blocker for
ExtUtils-MakeMaker on this issue, and probably a seperate security bug should be
opened for ExtUtils-MakeMaker
Comment 44 Martin Schlemmer (RETIRED) gentoo-dev 2005-11-08 20:39:07 UTC
That would do it :D

The patch against perl applies fine, and I can add it .. not sure though if we
should ask mcummings to do it since he is back ?
Comment 45 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-08 22:23:14 UTC
CC'ing mcummings (wb!). 
Comment 46 Michael Cummings (RETIRED) gentoo-dev 2005-11-14 08:46:18 UTC
Patch looks good. I really think at this point that dev-perl/EU::MM should be
dropped. It's original inclusion was to help users get over the hump of the
5.6/5.8 differences, but if anyone is still using 5.6 at this point, they're
pretty much on their own anyway. I vote in favor of the patch, along with the
dropping of EU::MM from the tree (two bird with that stone).
Comment 47 Martin Schlemmer (RETIRED) gentoo-dev 2005-11-14 09:25:09 UTC
Patch is already in perl, so guess you can then just drop EU::MM.
Comment 48 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-15 02:34:01 UTC
Michael do you want to drop dev-perl/EU::MM? 
Comment 49 Thierry Carrez (RETIRED) gentoo-dev 2005-11-15 04:52:34 UTC
About GLSA, we'll wait for a few more runpath things to pile up before releasing
this one.
Comment 50 Thierry Carrez (RETIRED) gentoo-dev 2005-11-16 07:54:09 UTC
Hm, in fact this one doesn't really need a GLSA, since the old Perl update takes
care of it and the rest is due to EU:MM cruft...
Comment 51 Thierry Carrez (RETIRED) gentoo-dev 2005-11-25 00:28:15 UTC
Closing without GLSA (consider it covered by GLSA 200510-14).
Perl team should remove EU:MM (and maybe someone add a blocker on subversion) to
avoid the specific problem Weeve encountered.

Feel free to reopen / reassign the bug, but we're probably done from a security PoV.
Comment 52 Paul de Vrieze (RETIRED) gentoo-dev 2005-12-02 05:46:59 UTC
*** Bug 114253 has been marked as a duplicate of this bug. ***
Comment 53 Jakub Moc (RETIRED) gentoo-dev 2005-12-03 23:14:10 UTC
*** Bug 114415 has been marked as a duplicate of this bug. ***
Comment 54 Moshe Kamensky 2005-12-05 23:20:04 UTC
I don't think that dropping EU::MM is a good solution. Even if you do that, 
it can still be emerged via g-cpan (and for good reasons.)

As far as I understand this (which is not very far), the problem is that a 
Makefile.PL might specify in something like -Lfoo for LIBS, where foo is a 
relative path. In this case ExtUtils::Liblist prefixes the foo with cwd. I 
don't know why it does this, but apparently at least from some point of view 
it's wrong, so this is a general problem/missing feature in ExtUtils::Liblist 
and the right thing would be to fix it upstream
Comment 55 Martin Schlemmer (RETIRED) gentoo-dev 2005-12-06 16:55:55 UTC
Well, EU::MM is still not removed, or patched, and now they went and bumped it,
so I just patched it for now.
Comment 56 SpanKY gentoo-dev 2005-12-29 20:37:09 UTC
*** Bug 117149 has been marked as a duplicate of this bug. ***
Comment 57 Jakub Moc (RETIRED) gentoo-dev 2005-12-31 05:44:26 UTC
*** Bug 117267 has been marked as a duplicate of this bug. ***
Comment 58 SpanKY gentoo-dev 2006-01-05 16:55:11 UTC
*** Bug 117926 has been marked as a duplicate of this bug. ***
Comment 59 Tobias Sager 2006-01-09 09:03:34 UTC
I get this with subversion 1.3.0.
The duplicate indicate I am not the only one. Please reopen.
Comment 60 Troy Telford 2006-01-09 12:33:02 UTC
My fix:  I ran the 'perl-cleaner' script, and it appears to have fixed the problem.
Comment 61 Tobias Sager 2006-01-10 00:00:06 UTC
I tried running the perl-cleaner, didn't work for me. Revdep-rebuild is clean as well.
Comment 62 Tanktalus 2006-01-10 20:35:29 UTC
The current patch does not seem to work if, for example, /var/tmp/portage is really elsewhere.  On my system, /var/tmp doesn't have enough space, so I made it a symlink to /home/var/tmp.  In some places, this is translated, others it isn't, so the rpath has /home/var/tmp/portage, but this change only looks for /var/tmp/portage.  I tried changing the patch, but couldn't figure out the right answer.  Instead, I changed my environment to make /var/tmp a regular directory again by removing the link, and then running "mount --bind /home/var/tmp /var/tmp" and now "pwd -P" shows /var/tmp again, and then this problem goes away.

I'm sure there's more patching required for this.
Comment 63 Tobias Sager 2006-01-11 04:12:50 UTC
Unmerging ExtUtils-MakeMaker-6.20 (which theoretically should contain a patch removing this issue) fixed my problem compiling subversion 1.3.0. See bug 114415.
Comment 64 Carsten Lohrke (RETIRED) gentoo-dev 2006-01-18 16:42:08 UTC
*** Bug 119497 has been marked as a duplicate of this bug. ***
Comment 65 Ralf Holzer 2006-01-18 16:58:33 UTC
I am also still having this problem with subversion 1.3.0 and perl 5.8.7-r1. My /var/tmp/ sits at /data/var/tmp/ (on a dmcrypt encrypted partition) and is softlinked to /var/tmp. This seems to screw things up, because it also causes RUNPATH problems with Perl on other packages such as ImageMagick.
Comment 66 Paul de Vrieze (RETIRED) gentoo-dev 2006-01-19 03:09:43 UTC
Could you try adding the following line to your make.conf:

Good chance it works then. Probably the symlinks get resolved, so the path is wrong, and cleaning up then doesn't work as it uses the unresolved path. Setting the actual location then works.
Comment 67 Ralf Holzer 2006-01-19 18:51:29 UTC
Changing PORTAGE_TMPDIR in /etc/make.conf fixed the problem.

Comment 68 Martin Schlemmer (RETIRED) gentoo-dev 2006-01-20 04:40:52 UTC
Might think having portage resolve it (PORTAGE_TMPDIR) on startup if this starts to get a big issue. I know I have had it with sandbox already, and fixed it.
Comment 69 Paul de Vrieze (RETIRED) gentoo-dev 2006-01-20 05:18:43 UTC
Those sandbox issues got me into suggesting trying this. I've been bitten by it too ;-)
Comment 70 Ben 2006-01-25 05:12:41 UTC
I am still getting same issue with subversion on standard portage tree. So clearly not fixed...please reopen.

making executable: /usr/lib/

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Fs/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Ra/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Wc/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Core/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Delta/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Repos/
/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_client/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_delta/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_fs/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_ra/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_repos/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_wc/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_diff/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/libsvn_subr/.libs:/var/tmp/portage/subversion-1.2.3-r2/work/subversion-1.2.3/subversion/bindings/swig/perl/libsvn_swig_perl/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/SVN/_Client/

!!! ERROR: dev-util/subversion-1.2.3-r2 failed.
!!! Function dyn_install, Line 1057, Exitcode 0
!!! Insecure binaries detected

Noted the following:
gentoo ~ # for i in `locate` ; do  ls -l $i ; done  
-r--r--r--  1 root root 110176 Jan 18 00:13 /usr/lib/perl5/5.8.7/ExtUtils/
-r--r--r--  1 root root 107053 Oct 24  2004 /usr/lib/perl5/vendor_perl/5.8.2/ExtUtils/

gentoo ~ # locate 

gentoo ~ # for i in `locate` ; do  ls -l $i ; done
-r--r--r--  1 root root 110176 Jan 18 00:13 /usr/lib/perl5/5.8.7/ExtUtils/
-r--r--r--  1 root root 107053 Oct 24  2004 /usr/lib/perl5/vendor_perl/5.8.2/ExtUtils/

Different versions. So, now trying:
gentoo ~ # perl-cleaner all ask

I am not much of a guru, but ExtUtils-MakeMaker is part of perl-core, can it be safely unmerged if perl-cleaner doesn't work?
Comment 71 Tobias Sager 2006-01-25 05:17:26 UTC
Remove perl-core/ExtUtils-MakeMaker as perl provides its own MakeMaker. This should fix the problem.
Comment 72 Jakub Moc (RETIRED) gentoo-dev 2006-01-26 01:44:27 UTC
*** Bug 120384 has been marked as a duplicate of this bug. ***
Comment 73 Jakub Moc (RETIRED) gentoo-dev 2006-01-26 01:47:10 UTC
@pauldv: Please, block ExtUtils-MakeMaker in subversion ebuilds if better solution can't be found.
Comment 74 Paul de Vrieze (RETIRED) gentoo-dev 2006-01-27 02:08:47 UTC
Shouldn't makemaker be patched by now? Or are unpatched makemakers still around?
Comment 75 Jakub Moc (RETIRED) gentoo-dev 2006-01-27 03:33:26 UTC
(In reply to comment #74)
> Shouldn't makemaker be patched by now? Or are unpatched makemakers still
> around?

Either people didn't upgrade or the patch doesn't work or they didn't run perl-updater or whatever. Since MM is not needed any more, we should force people to unmerge it. It's not good for anything and is causing just problems. :/ 

Comment 76 Tobias Sager 2006-01-27 04:07:33 UTC
Yes, it should have been patched in stable MakeMaker as well as in stable Perl.
I had the stable versions of both packages and had to remove MakeMaker to get Subversion merging.
However, emerging MakeMaker now does not trigger the bug anymore with subversion.
Don't know what happened, but a blocker would stop the duplicate bugs anyway.
Comment 77 Paul de Vrieze (RETIRED) gentoo-dev 2006-01-27 04:23:38 UTC
Ok, I've just added blockers for MakeMaker in all subversion ebuilds.
Comment 78 Anthony Staines 2006-01-28 17:14:29 UTC
(In reply to comment #76)
> Yes, it should have been patched in stable MakeMaker as well as in stable Perl.
> I had the stable versions of both packages and had to remove MakeMaker to get
> Subversion merging.
> However, emerging MakeMaker now does not trigger the bug anymore with
> subversion.
> Don't know what happened, but a blocker would stop the duplicate bugs anyway.

When emerging subversion 1.2.3.-r2 on a newly updated system with perl 5.8.7 it still breaks with a dyn_install error - "Insecure binaries detected"
Portage 2.0.54 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.12-gent
oo-r6 i686)
System uname: 2.6.12-gentoo-r6 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share
/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kd
e/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/default
s/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips
/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config
/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv usersandbo                                           x"
GENTOO_MIRRORS="                                   ftp://ftp.mirrorserv                                  "
LINGUAS="en_GB en fr de es ca"
USE="x86 X alsa apache2 apm arts audiofile avi berkdb bitmap-fonts blas bzip2 bz                                           lib cdparanoia crypt cups curl eds emboss encode esd exif expat f77 fam foomatic                                           db fortran gd gdbm gif glut gnome gpm gstreamer gtk gtk2 gtkhtml idn imagemagick                                            imlib ipv6 java jpeg junit kde lcms ldap libg++ libwww lua mad mhash mikmod mmx                                            mng modperl motif mozilla mp3 mpeg mysql ncurses nls ogg oggvorbis opengl oss p                                           am pcre pda pdflib perl png ppds python qt quicktime readline samba sdl slang sp                                           ell sse ssl svga tcpd tetex tiff truetype truetype-fonts type1-fonts udev vorbis                                            xml xml2 xmms xv zlib linguas_en_GB linguas_en linguas_fr linguas_de linguas_es                                            linguas_ca userland_GNU kernel_linux elibc_glibc"

I have tried the 
         emerge unmerge ExtUtils-MakeMaker 
         emerge -u subversion 
solution as suggested in bug #114253 

Thanks to Martijn Koster and Paul De Vrieze

This works well. However judging by the number of other packages for which this is an issue (Bugs 115513, 81745, 117434, 11760, 117603, 120366) there is still a problem - perhaps a message about this could be put onto the forums?
Comment 79 Jakub Moc (RETIRED) gentoo-dev 2006-03-02 22:54:57 UTC
*** Bug 124742 has been marked as a duplicate of this bug. ***
Comment 80 Jakub Moc (RETIRED) gentoo-dev 2006-04-09 02:34:57 UTC
*** Bug 129316 has been marked as a duplicate of this bug. ***
Comment 81 Jakub Moc (RETIRED) gentoo-dev 2006-09-23 12:31:01 UTC
*** Bug 148827 has been marked as a duplicate of this bug. ***