Bug 150129 - www-apps/mediawiki fails to compile with hardened, making security/glsa-update impossible
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2006-10-04 16:50 UTC by Hanno Böck
Modified: 2008-01-28 09:00 UTC
Description Hanno Böck gentoo-dev 2006-10-04 16:50:01 UTC
ocamlopt -o texvc unix.cmxa util.cmx parser.cmx html.cmx mathml.cmx texutil.cmx render.cmx lexer.cmx texvc.cmx
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/mediawiki-1.6.8/temp/camlstartup7099c3.o: relocation R_X86_64_32S against `caml_curry2_1' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/mediawiki-1.6.8/temp/camlstartup7099c3.o: could not read symbols: Bad value

System is hardened-profile/amd64, with math useflag set (so compiling this ocaml-stuff). Looks to me like a hardened-gcc problem.

This is a security-update with a glsa issued.

emerge --info:
Portage 2.1.1-r1 (hardened/amd64, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17.6-grsec x86_64)
=================================================================
System uname: 2.6.17.6-grsec x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.12.5
Last Sync: Tue, 03 Oct 2006 23:50:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=athlon64 -fstack-protector -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=athlon64 -fstack-protector -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/"
LANG="de_DE.utf-8"
LC_ALL="de_DE.utf-8"
LINGUAS="de en"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="amd64 acl apache2 bash-completion bzip2 crypt elibc_glibc exif gif hardened idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 jpeg kernel-poll kernel_linux leim linguas_de linguas_en mailwrapper mysql ncurses nls nptl nptlonly pam pcre perl png python qdbm readline ruby spell sqlite ssl threads tiff truetype unicode userland_GNU userlocales vhosts xml zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Philippe Trottier (RETIRED) gentoo-dev 2006-10-07 03:26:16 UTC
Can you give mediawiki-1.7.1 a try? It fixes the same security bug. I don't have a hardened profile running here.

The good news here is Gentoo's PHP is not by default vulnerable to this $GLOBAL problem.


Quote from the mediawiki web site:
"    Only versions and configurations of PHP vulnerable to the $GLOBALS overwrite vulnerability are affected.
    As a workaround for existing installs, profileinfo.php may simply be deleted if it's not being used."


I hope this helps you until this hardened problem is sorted out.
Comment 2 Philippe Trottier (RETIRED) gentoo-dev 2006-12-05 08:22:59 UTC
Anyone tried 1.7.1 ? Should I close this bug ? I've got no comments about trying 1.7.1.
Comment 3 Philippe Trottier (RETIRED) gentoo-dev 2006-12-07 09:14:01 UTC
mediawiki-1.8.2 is now in the tree and includes a check for that $GLOBALS behavior. Can someone verify this on hardened ?

This bug is now 2 major releases behind, and 1 major release behind our current stable.
Comment 4 Philippe Trottier (RETIRED) gentoo-dev 2007-01-09 09:54:45 UTC
This bug has 2 potential security flaws, please check 1.7.2 when available.
Comment 5 Christoph Mende (RETIRED) gentoo-dev 2007-04-15 01:53:17 UTC
I guess the problem is not mediawiki, more likely it's dev-lang/ocaml. While trying to reproduce this I hit the same error, not in mediawiki though, but in ocaml itself:
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/dev-lang/ocaml-3.09.2/temp/camlstartupc9e0b2.o: relocation R_X86_64_32S against `caml_curry2_1' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/dev-lang/ocaml-3.09.2/temp/camlstartupc9e0b2.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
Error during linking
make: *** [ocamlc.opt] Error 2

Portage 2.1.2.2 (hardened/amd64, gcc-3.4.6, glibc-2.3.6-r5, 2.6.20-beyond2 x86_64)
=================================================================
System uname: 2.6.20-beyond2 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 14 Apr 2007 22:50:01 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.60
sys-devel/automake:  1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=k8 -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=k8 -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 berkdb crypt hardened justify midi nptl nptlonly pam pic readline ssl tcpd xorg zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-04-15 02:04:47 UTC
And while trying to debug this I just noticed the following in the ocaml ebuild:
ewarn "Likewise, building with a hardened gcc is not possible."
So I guess this bug could be marked as INVALID/CANTFIX, the math use flag for mediawiki use.masked and ocaml package.masked on hardened profiles (or at least hardened/amd64, as I can't test it on any other arch) ;>
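The linker failure quoted in the description and in comment 5 has a fixed shape, so build logs can be triaged mechanically. The following is an added example, not part of the original bug thread or of any Gentoo tool: it pulls the object, relocation type and symbol out of each such ld error and reports symbols that fail in more than one package, which points at the shared compiler rather than at the package being updated. The function names are assumptions of this example, and the sample log is assembled from the lines quoted in this bug.

```python
import re
from collections import defaultdict

# GNU ld's non-PIC relocation diagnostic, in the form quoted in this bug
# (newer binutils word it "against symbol `x'" and "PIE object").
RELOC_ERR = re.compile(
    r"(?P<obj>\S+?): relocation (?P<reloc>R_\w+) against [^`']*[`'](?P<sym>[^']+)' "
    r"can ?not be used when making a (?P<target>shared object|PIE object)"
)
# Portage build directory, with or without the category (both appear in the bug).
PKG_DIR = re.compile(r"/portage/(?P<pkg>(?:[^/]+/)?[^/]+)/temp/")


def find_non_pic(log_text):
    """Return one dict per non-PIC relocation error found in a build log."""
    findings = []
    for line in log_text.splitlines():
        m = RELOC_ERR.search(line)
        if not m:
            continue
        pkg = PKG_DIR.search(m["obj"])
        findings.append({
            "package": pkg["pkg"] if pkg else None,
            "object": m["obj"].rsplit("/", 1)[-1],
            "reloc": m["reloc"],
            "symbol": m["sym"],
        })
    return findings


def shared_symbols(findings):
    """Map symbol -> packages, keeping symbols that fail in several packages."""
    by_sym = defaultdict(set)
    for f in findings:
        by_sym[f["symbol"]].add(f["package"])
    return {s: sorted(p) for s, p in by_sym.items() if len(p) > 1}


# Sample input assembled from the lines quoted in the description and comment 5.
SAMPLE_LOG = """\
ocamlopt -o texvc unix.cmxa util.cmx parser.cmx html.cmx mathml.cmx texutil.cmx render.cmx lexer.cmx texvc.cmx
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/mediawiki-1.6.8/temp/camlstartup7099c3.o: relocation R_X86_64_32S against `caml_curry2_1' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/mediawiki-1.6.8/temp/camlstartup7099c3.o: could not read symbols: Bad value
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/dev-lang/ocaml-3.09.2/temp/camlstartupc9e0b2.o: relocation R_X86_64_32S against `caml_curry2_1' can not be used when making a shared object; recompile with -fPIC
collect2: ld returned 1 exit status
"""

if __name__ == "__main__":
    hits = find_non_pic(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("common to several packages:", shared_symbols(hits))
```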
Comment 7 Philippe Trottier (RETIRED) gentoo-dev 2007-11-26 09:41:18 UTC
Security folks? Is masking use flag math making you happy enough to close the bug? Or should we keep this for as long as it won't work? Is there anyone needing this mediawiki + math on Hardened? My guess is yes; anyone interested in getting this fixed?

I don't have a hardened machine to test it on.



Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 19:31:27 UTC
(In reply to comment #7)
> Security folks ? Is masking use flag math making you happy enough to close the
> bug ? OR should we keep this for as long as it won't work. Is there anyone
> needing this mediawiki + math on Hardened ? My guess is yes, anyone interested
> in getting this fixed ? 

The bug is not assigned to security, but if this still does not compile on hardened and people are forced to use old versions of mediawiki, I'd vote for a use-mask to allow any update at all.
Comment 9 solar (RETIRED) gentoo-dev 2007-11-26 20:01:25 UTC
Users of ocaml and hardened know what they are up for (ebuilds tell them to switch to vanilla specs and such). This is well documented in various bugs.
Vs. editing our files, we would rather see ocaml fixed properly upstream.
Till then this is a WONTFIX bug for hardened (sorry).
Comment 10 Jesse Taylor 2008-01-28 09:00:29 UTC
Due to the following, everything seems to build fine now with the hardened profile:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-lang/ocaml/ChangeLog?rev=1.125&view=markup

I unmasked the 'math' flag and everything built properly. Should the 'math' flag be unmasked now?