Bug 119477 - libtecla-1.6.0 insecure RUNPATHs
Summary: libtecla-1.6.0 insecure RUNPATHs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Runpath Issues
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-18 12:44 UTC by Peter Simons
Modified: 2006-04-02 01:07 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
remove insecure runpaths from enhance binary (libtecla-correct-rpath.patch,379 bytes, patch)
2006-01-18 19:32 UTC, Markus Dittrich (RETIRED)
Description Peter Simons 2006-01-18 12:44:26 UTC
When emerging libtecla, I get this error during the installation phase:

[...]
gzipping man page: tecla.7
gzipping man page: teclarc.5
prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
   usr/lib/libtecla.so.1.6.0
   usr/lib/libtecla_r.so.1.6.0
   usr/bin/enhance
making executable: /usr/lib/libtecla.so.1.6.0
making executable: /usr/lib/libtecla_r.so.1.6.0
scanelf: rpath_security_checks(): Maybe? sec problem with RPATH=':/var/tmp/portage/libtecla-1.6.0/work/libtecla' in /var/tmp/portage/libtecla-1.6.0/image//usr/bin/enhance
scanelf: rpath_security_checks(): Maybe? sec problem with RPATH=':/var/tmp/portage/libtecla-1.6.0/work/libtecla' in /var/tmp/portage/libtecla-1.6.0/image//usr/bin/enhance

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
:/var/tmp/portage/libtecla-1.6.0/work/libtecla usr/bin/enhance
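The RPATH flagged above has two separate problems: the leading colon creates an empty entry, and the second entry points into the Portage build tree under /var/tmp. The following check is an added example, not part of the original report and not the logic of scanelf or Portage; the prefix list, function names and the `readelf -d` sample (apart from the RPATH value itself) are assumptions made for illustration.

```python
import re

# Constructed sample of `readelf -d` output. Only the RPATH value comes from
# the scanelf message in the report above; the other lines are made up.
SAMPLE_READELF = """\
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
 0x0000000f (RPATH)    Library rpath: [:/var/tmp/portage/libtecla-1.6.0/work/libtecla]
"""

# Assumption: prefixes treated as build or scratch areas, not install locations.
UNTRUSTED_PREFIXES = ("/var/tmp/", "/tmp/", "/home/")

_DYN_ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def extract_runpaths(readelf_output):
    """Return (tag, value) pairs for every DT_RPATH / DT_RUNPATH line."""
    return _DYN_ENTRY.findall(readelf_output)


def audit_runpath(value):
    """Return (index, entry, reason) for each questionable search-path entry."""
    findings = []
    for index, entry in enumerate(value.split(":")):
        if entry == "":
            # A leading, trailing or doubled colon yields an empty entry,
            # which glibc's loader resolves as the current directory.
            findings.append((index, entry, "empty entry (current directory)"))
        elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # relative to the binary's own location; not judged here
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative path"))
        elif (entry.rstrip("/") + "/").startswith(UNTRUSTED_PREFIXES):
            findings.append((index, entry, "build or scratch directory"))
    return findings


def audit_readelf(readelf_output):
    """Map each RPATH/RUNPATH value found in the dump to its findings."""
    return {value: audit_runpath(value)
            for _tag, value in extract_runpaths(readelf_output)}


if __name__ == "__main__":
    for value, findings in audit_readelf(SAMPLE_READELF).items():
        for index, entry, reason in findings:
            print(f"{value!r}: entry {index} {entry!r}: {reason}")
```

Feed it the output of `readelf -d` for each installed binary; an empty result for a value means none of the three rules matched.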
Comment 1 Markus Dittrich (RETIRED) gentoo-dev 2006-01-18 19:32:09 UTC
Created attachment 77492
remove insecure runpaths from enhance binary

Hi Peter,

Thanks for your report. Could you please try the attached patch and
report back if it fixes the RUNPATH issues on your setup.

Thanks,
Markus
Comment 2 Peter Simons 2006-01-19 11:29:59 UTC
Yes, the patch fixes the problem. Thanks a lot for the quick response!

One more thing: There is a new version of libtecla available at <http://www.astro.caltech.edu/~mcs/tecla/libtecla-1.6.1.tar.gz>. Simply renaming the current EBUILD suffices to update the package. Could you do that, or shall I submit a new PR for this purpose?
Comment 3 Markus Dittrich (RETIRED) gentoo-dev 2006-01-19 12:43:34 UTC
Hi Peter,

Thanks for testing and I am glad the fix works:).
I'll prepare -r1 that will contain this fix and also see that I bump 
the ebuild, hence no need for opening another bug.

Thanks,
Markus
Comment 4 Markus Dittrich (RETIRED) gentoo-dev 2006-01-19 20:06:56 UTC
I've just committed libtecla-1.6.0-r1 to CVS that includes this patch 
and therefore fixes the insecure runpath issues.

Could we possibly stabilize this version on x86?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-20 09:43:14 UTC
x86 please test and mark libtecla-1.6.0-r1 stable
Comment 6 Joshua Jackson (RETIRED) gentoo-dev 2006-01-20 15:08:31 UTC
stable on x86
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-01 16:53:57 UTC
Hi, 

What about that bug opened for more than 2 months? Was it forgotten?
Comment 8 Olivier Fisette (RETIRED) gentoo-dev 2006-04-01 17:11:50 UTC
Thanks for the notice. I just removed the vulnerable version from Portage, so everything should be fine now. I will let the security team close the bug as it is assigned to them.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-01 23:17:47 UTC
Thx Olivier and Raphael.
Comment 10 Peter Simons 2006-04-02 01:07:55 UTC
Yes, thank you to everyone who was involved in fixing this problem. I appreciate your help.