|Summary:||dev-db/qdbm-1.8.33 appears to have insecure RUNPATH issues|
|Product:||Gentoo Security||Reporter:||Jason Wever (RETIRED) <weeve>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Jason Wever (RETIRED) 2005-10-08 14:02:40 UTC
While emerging dev-db/qdbm-1.8.33, portage fails with the following; making executable: /usr/lib/libjqdbm.so.1.0.0 making executable: /usr/lib/libqdbm.so.11.5.0 QA Notice: the following files contain insecure RUNPATH's Please file a bug about this at http://bugs.gentoo.org/ For more information on this issue, kindly review: http://bugs.gentoo.org/81745 /var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/depot/../..:/lib usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Depot/Depot.so /var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/curia/../..:/lib usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Curia/Curia.so /var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/villa/../..:/lib usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Villa/Villa.so !!! ERROR: dev-db/qdbm-1.8.33 failed. !!! Function dyn_install, Line 1058, Exitcode 0 !!! Insecure binaries detected !!! If you need support, post the topmost build error, NOT this status message.
Comment 1 Daniel Black (RETIRED) 2005-10-08 23:45:06 UTC
Created attachment 70203 [details, diff] makeMake is bad
Comment 2 Jason Wever (RETIRED) 2005-10-09 00:24:19 UTC
This patch WORKSFORME
Comment 3 SpanKY 2005-10-09 02:17:13 UTC
i havent looked, but cant you add that var to RUNENV rather than changing every call to `make` ?
Comment 4 Thierry Carrez (RETIRED) 2005-10-10 01:48:08 UTC
hattya, please bump with patch
Comment 5 SpanKY 2005-10-10 07:36:41 UTC
Created attachment 70293 [details, diff] qdbm-runpath.patch how about this instead
Comment 6 Thierry Carrez (RETIRED) 2005-10-15 01:25:31 UTC
SpanKY: we'll probably have to commit that ourselves as hattya looks kinda MIA.
Comment 7 Akinori Hattori 2005-10-15 02:08:43 UTC
Fixed in CVS.
Comment 8 Jason Wever (RETIRED) 2005-10-15 02:12:09 UTC
Still broke, same thing as originally posted.
Comment 9 Thierry Carrez (RETIRED) 2005-10-19 01:14:06 UTC
Guess we are stuck here. Jason: the first version of the patch was fixing it for you ?
Comment 10 Jason Wever (RETIRED) 2005-10-19 14:27:38 UTC
Correct, the original patch works for me on the systems where it has been problema tic. Some more notes on that; I have three systems I've been testing this on (x86, amd64 and sparc64). All systems are running up to date ~arch systems which are updated on a daily basis and all have the perl use flag enabled. The ~x86 and ~sparc64 systems are running 32 bit userlands where the ~amd64 system is running a 64 bit userland. All have pax-utils installed. The ~amd64 system has not had a single problem with qdbm at all, before and after the patch. However both the ~x86 and ~sparc64 systems have had problems with the unpatched qdbm and the patched version currently in portage. The first patch in this bug (cuurrently labeled makeMake is bad), works on those two systems though.
Comment 11 Thierry Carrez (RETIRED) 2005-10-20 00:32:41 UTC
vapier: We'll probably go with the "makeMake is bad" patch if you don't see why yours failed.
Comment 12 Thierry Carrez (RETIRED) 2005-10-21 08:14:56 UTC
hattya: could you apply the "makeMake is bad" patch instead ? Looks like it's the only one that solves it.
Comment 13 Akinori Hattori 2005-10-24 01:38:58 UTC
Comment 14 Thierry Carrez (RETIRED) 2005-10-24 08:09:34 UTC
Jason: can you confirm it's ok with the one in CVS ? hattya: could you revbump the ebuild so that people affected pick up the change in normal upgrades ?
Comment 15 Jason Wever (RETIRED) 2005-10-25 16:04:16 UTC
The ebuild currently in portage fails in the same fashion. Also, it appears to still be using the second patch.
Comment 16 Thierry Carrez (RETIRED) 2005-10-26 02:59:48 UTC
Yes, the patch in CVS looks unchanged. Hattya, could you please doublecheck and commit the "makemake is bad" attached patch ?
Comment 17 Akinori Hattori 2005-10-29 04:19:43 UTC
Sorry, I forgot to commit... In CVS now.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-30 00:37:51 UTC
Thx Hattya. Arches please test and mark stable.
Comment 19 Simon Stelling (RETIRED) 2005-10-30 03:06:50 UTC
Comment 20 Mark Loeser (RETIRED) 2005-10-30 13:11:14 UTC
Comment 21 Jason Wever (RETIRED) 2005-10-30 16:41:15 UTC
Stable on SPARC
Comment 22 Bryan Østergaard (RETIRED) 2005-10-31 01:00:11 UTC
Comment 23 Brent Baude (RETIRED) 2005-10-31 13:01:30 UTC
Marked ppc64 stable. In testing with FEATURES="test" the tests did fail like so: LD_LIBRARY_PATH=.:/lib:/usr/lib:/var/tmp/portage/homedir/lib:/usr/local/lib ./cbtest misc <Miscellaneous Test> Checking serialization of list ... ok Checking serialization of map ... ok Checking string utilities ... ok Checking encoding utilities ... ok Checking date utilities ... ./cbtest: W3CDTF formatter is invalid make: *** [check] Error 1 !!! ERROR: dev-db/qdbm-1.8.33-r2 failed. Does this warrant any attention? 1.8.30 failed in a similar fashion. I will leave ppc64 on the cc and we can discuss or split off to a different bug.
Comment 24 Michael Hanselmann (hansmi) (RETIRED) 2005-10-31 14:42:39 UTC
Stable on ppc.
Comment 25 Thierry Carrez (RETIRED) 2005-11-01 01:31:46 UTC
Apparently ppc64 stable keyword was lost somewhere along the way.
Comment 26 Brent Baude (RETIRED) 2005-11-01 04:21:19 UTC
Remarked stable; I dont know what happened. The above stated test failure still exists however.
Comment 27 Thierry Carrez (RETIRED) 2005-11-01 05:09:06 UTC
Ready for GLSA. About the test failure: probably better to open a separate bug about it, since we'll close this one when the security part will be done.
Comment 28 Thierry Carrez (RETIRED) 2005-11-02 09:19:32 UTC
GLSA 200511-02 ia64 should mark stable to benefit from GLSA