Bug 108148 - app-office/openoffice-bin-1.1.5 uninstallable with hardened
Summary: app-office/openoffice-bin-1.1.5 uninstallable with hardened
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2005-10-05 00:24 UTC by sauron
Modified: 2005-10-05 07:55 UTC
Description sauron 2005-10-05 00:24:19 UTC
I am trying to install openoffice on hardened-gentoo from binary. No luck at it.

# emerge app-office/openoffice-bin
Calculating dependencies ...done!
>>> emerge (1 of 1) app-office/openoffice-bin-1.1.5 to /
>>> md5 files   ;-) openoffice-bin-1.1.1.ebuild
>>> md5 files   ;-) openoffice-bin-1.1.4-r1.ebuild
>>> md5 files   ;-) openoffice-bin-1.1.5.ebuild
>>> md5 files   ;-) openoffice-bin-2.0.0_rc1.ebuild
>>> md5 files   ;-) files/digest-openoffice-bin-1.1.1
>>> md5 files   ;-) files/digest-openoffice-bin-1.1.4-r1
>>> md5 files   ;-) files/digest-openoffice-bin-1.1.5
>>> md5 files   ;-) files/digest-openoffice-bin-2.0.0_rc1
>>> md5 files   ;-) files/1.1.1/ooffice-wrapper-1.3
>>> md5 files   ;-) files/1.1.4/ooffice-wrapper-1.3
>>> md5 files   ;-) files/1.1.5/ooffice-wrapper-1.3
>>> md5 files   ;-) files/2.0.0/ooo-wrapper2
>>> md5 src_uri ;-) OOo_1.1.5_LinuxIntel_install.tar.gz
>>> Unpacking source...
>>> Unpacking OOo_1.1.5_LinuxIntel_install.tar.gz to
/var/tmp/portage/openoffice-bin-1.1.5/work
>>> Source unpacked.
>>> Test phase [not enabled]: app-office/openoffice-bin-1.1.5

>>> Install openoffice-bin-1.1.5 into
/var/tmp/portage/openoffice-bin-1.1.5/image/ category app-office
 * Installing OpenOffice.org into build root...
glibc version: 2.3.5

Initializing installation program....................
/var/tmp/portage/openoffice-bin-1.1.5/temp/sv001.tmp/setup.bin: error while
loading shared libraries:
/var/tmp/portage/openoffice-bin-1.1.5/temp/sv001.tmp/libicudata.so.22: cannot
make segment writable for relocation: Permission denied

!!! ERROR: app-office/openoffice-bin-1.1.5 failed.
!!! Function src_install, Line 85, Exitcode 127
!!! Setup failed
!!! If you need support, post the topmost build error, NOT this status message.

# 



Reproducible: Always
Steps to Reproduce:
1. emerge openoffice-bin

Actual Results:  
installation is broken

Expected Results:  
Bush reinvesting the whole military budget in third-world development, Bill to
sell Microsoft and invest milliards in the creation of cooperative-type
enterprise in Opensource field. Stopping propaganda and brainwashing, having a
better educational system, more social justice and help. OpenOffice would
install fine.


This is not easily fixable because the guilty library (libicudata.so.22) (well,
probably others too) is extracted at runtime.
So even if you use 'ebuild' to 'unpack' it first, then run ./setup manually, you
still have to win a race with the installation to be able to stop it when
setup.bin and the library have been extracted... got it?
The solution would be to simply have an openoffice-bin compiled without textrel,
or at least, to have it compiled with PaX PHDR flags disabled (and a little
warning about that when installing on hardened).

Surprised that nobody reported it before. Looks like hardened people don't use
openoffice, bouh.

P.S.: OpenOffice always decompresses the file into the same /tmp/sv001.tmp/
directory.
Now imagine the following scenario. A hacker has made his way onto your machine.
He has been waiting 3 months for you to install the new version of OpenOffice. A
program of his is running 24/24, checking for an emerge process installing
openoffice. Now the program runs. Youpi! He can finally root the machine. How
good. Well, I will just speak about it on #gentoo-security and wait for Eric
Romang to publish a great zataz audit security advisory on bugtraq :*. Beware.
Comment 1 sauron 2005-10-05 00:36:57 UTC
As a workaround I recommend the following :

# ebuild /usr/portage/app-office/openoffice-bin/openoffice-bin-1.1.5.ebuild unpack
# cd /var/tmp/portage/openoffice-bin-1.1.5/work/OOo_1.1.5_LinuxIntel_install
# ./setup

[HERE press Control-Z at 95%, and run chpax -permxs /tmp/sv0001.tmp/setup.bin]

# bg

\o/ \o\ /o/ \o/
Comment 2 Kevin F. Quinn (RETIRED) gentoo-dev 2005-10-05 07:55:22 UTC
You can build openoffice from source, on a PaX-enabled system (well, you could
at 1.1.4, not sure about 1.1.5; see bug #88588).

Given that the binaries are not built for a PaX-enabled system, there's not a
lot that can be done without repackaging the whole thing.  Note also that if you
use externally-provided binaries (like this one), you don't get ASLR for them as
the binaries are ET_EXEC not ET_DYN (i.e. they're not PIEs).

BTW it should be enough to set the 'm' flag in addition to the default 'x' and
'e'.  You shouldn't need p, s and r.

You'll probably also need to set 'm' on /opt/OpenOffice.org/program/*.bin as well.
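
Added example, not part of the bug thread or of any Gentoo tool: a small ELF check for the two properties discussed above, whether a binary is ET_EXEC or ET_DYN and whether its dynamic section requests text relocations (the condition behind the "cannot make segment writable for relocation" error). The function names and the sample images built by make_sample are constructed for illustration.

```python
import struct

ET_NAMES = {2: "ET_EXEC", 3: "ET_DYN"}
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def elf_audit(data: bytes) -> dict:
    """Return the ELF e_type and whether text relocations are requested."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    word = "Q" if is64 else "I"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + word, data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    dyn_fmt = end + ("qQ" if is64 else "iI")
    textrel = False
    for i in range(phnum):
        ph = e_phoff + i * phentsize
        if struct.unpack_from(end + "I", data, ph)[0] != PT_DYNAMIC:
            continue
        # p_offset and p_filesz sit at different offsets in ELF32 and ELF64
        off = struct.unpack_from(end + word, data, ph + (8 if is64 else 4))[0]
        size = struct.unpack_from(end + word, data, ph + (32 if is64 else 16))[0]
        blob = data[off:off + size]
        blob = blob[:len(blob) - len(blob) % struct.calcsize(dyn_fmt)]
        for tag, val in struct.iter_unpack(dyn_fmt, blob):
            if tag == DT_NULL:
                break
            # Either the legacy DT_TEXTREL tag or DF_TEXTREL inside DT_FLAGS
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
    return {"e_type": ET_NAMES.get(e_type, hex(e_type)), "textrel": textrel}

def make_sample(e_type: int, dyn_tags: list) -> bytes:
    """Constructed minimal ELF32 LE image: header, one PT_DYNAMIC phdr, dynamic table."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # audit real files given as arguments
        with open(path, "rb") as fh:
            print(path, elf_audit(fh.read()))
    print("sample:", elf_audit(make_sample(2, [(DT_TEXTREL, 0)])))
```

ET_DYN covers shared libraries as well as PIEs, so the e_type result says only that a file is not a fixed-address ET_EXEC.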