Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 108534

Summary: dev-db/qdbm-1.8.33 appears to have insecure RUNPATH issues
Product: Gentoo Security Reporter: Jason Wever (RETIRED) <weeve>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hattya
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2? [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    
Attachments:
Description Flags
makeMake is bad
none
qdbm-runpath.patch none

Description Jason Wever (RETIRED) gentoo-dev 2005-10-08 14:02:40 UTC
While emerging dev-db/qdbm-1.8.33, portage fails with the following;

making executable: /usr/lib/libjqdbm.so.1.0.0
making executable: /usr/lib/libqdbm.so.11.5.0

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/depot/../..:/lib
usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Depot/Depot.so
/var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/curia/../..:/lib
usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Curia/Curia.so
/var/tmp/portage/qdbm-1.8.33/work/qdbm-1.8.33/perl/villa/../..:/lib
usr/lib/perl5/site_perl/5.8.7/sparc-linux/auto/Villa/Villa.so


!!! ERROR: dev-db/qdbm-1.8.33 failed.
!!! Function dyn_install, Line 1058, Exitcode 0
!!! Insecure binaries detected
!!! If you need support, post the topmost build error, NOT this status message.
Comment 1 Daniel Black (RETIRED) gentoo-dev 2005-10-08 23:45:06 UTC
Created attachment 70203 [details, diff]
makeMake is bad
Comment 2 Jason Wever (RETIRED) gentoo-dev 2005-10-09 00:24:19 UTC
This patch WORKSFORME
Comment 3 SpanKY gentoo-dev 2005-10-09 02:17:13 UTC
i havent looked, but cant you add that var to RUNENV rather than changing every
call to `make` ?
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-10 01:48:08 UTC
hattya, please bump with patch
Comment 5 SpanKY gentoo-dev 2005-10-10 07:36:41 UTC
Created attachment 70293 [details, diff]
qdbm-runpath.patch

how about this instead
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-15 01:25:31 UTC
SpanKY: we'll probably have to commit that ourselves as hattya looks kinda MIA.
Comment 7 Akinori Hattori gentoo-dev 2005-10-15 02:08:43 UTC
Fixed in CVS.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2005-10-15 02:12:09 UTC
Still broke, same thing as originally posted.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 01:14:06 UTC
Guess we are stuck here. Jason: the first version of the patch was fixing it for
you ?
Comment 10 Jason Wever (RETIRED) gentoo-dev 2005-10-19 14:27:38 UTC
Correct, the original patch works for me on the systems where it has been
problema tic.  Some more notes on that;

I have three systems I've been testing this on (x86, amd64 and sparc64).  All
systems are running up to date ~arch systems which are updated on a daily basis
and all have the perl use flag enabled.  The ~x86 and ~sparc64 systems are
running 32 bit userlands where the ~amd64 system is running a 64 bit userland. 
All have pax-utils installed.

The ~amd64 system has not had a single problem with qdbm at all, before and
after the patch.  However both the ~x86 and ~sparc64 systems have had problems
with the unpatched qdbm and the patched version currently in portage.  The first
patch in this bug (cuurrently labeled makeMake is bad), works on those two
systems though.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-10-20 00:32:41 UTC
vapier: We'll probably go with the "makeMake is bad" patch if you don't see why
yours failed.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-10-21 08:14:56 UTC
hattya: could you apply the "makeMake is bad" patch instead ? Looks like it's
the only one that solves it.
Comment 13 Akinori Hattori gentoo-dev 2005-10-24 01:38:58 UTC
in CVS.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 08:09:34 UTC
Jason: can you confirm it's ok with the one in CVS ?
hattya: could you revbump the ebuild so that people affected pick up the change
in  normal upgrades ?
Comment 15 Jason Wever (RETIRED) gentoo-dev 2005-10-25 16:04:16 UTC
The ebuild currently in portage fails in the same fashion.  Also, it appears to
still be using the second patch.  
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:59:48 UTC
Yes, the patch in CVS looks unchanged.

Hattya, could you please doublecheck and commit the "makemake is bad" attached
patch ?
Comment 17 Akinori Hattori gentoo-dev 2005-10-29 04:19:43 UTC
Sorry, I forgot to commit...
In CVS now.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-30 00:37:51 UTC
Thx Hattya. 
 
Arches please test and mark stable. 
Comment 19 Simon Stelling (RETIRED) gentoo-dev 2005-10-30 03:06:50 UTC
amd64 stable
Comment 20 Mark Loeser (RETIRED) gentoo-dev 2005-10-30 13:11:14 UTC
x86 done
Comment 21 Jason Wever (RETIRED) gentoo-dev 2005-10-30 16:41:15 UTC
Stable on SPARC
Comment 22 Bryan Ƙstergaard (RETIRED) gentoo-dev 2005-10-31 01:00:11 UTC
Alpha stabled.
Comment 23 Brent Baude (RETIRED) gentoo-dev 2005-10-31 13:01:30 UTC
Marked ppc64 stable.

In testing with FEATURES="test" the tests did fail like so:

LD_LIBRARY_PATH=.:/lib:/usr/lib:/var/tmp/portage/homedir/lib:/usr/local/lib 
./cbtest misc
<Miscellaneous Test>

Checking serialization of list ... ok
Checking serialization of map ... ok
Checking string utilities ... ok
Checking encoding utilities ... ok
Checking date utilities ... ./cbtest: W3CDTF formatter is invalid
make: *** [check] Error 1

!!! ERROR: dev-db/qdbm-1.8.33-r2 failed.

Does this warrant any attention?  1.8.30 failed in a similar fashion.  I will
leave ppc64 on the cc and we can discuss or split off to a different bug.
Comment 24 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-31 14:42:39 UTC
Stable on ppc.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-11-01 01:31:46 UTC
Apparently ppc64 stable keyword was lost somewhere along the way.
Comment 26 Brent Baude (RETIRED) gentoo-dev 2005-11-01 04:21:19 UTC
Remarked stable; I dont know what happened.  The above stated test failure still
exists however.
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-11-01 05:09:06 UTC
Ready for GLSA.
About the test failure: probably better to open a separate bug about it, since
we'll close this one when the security part will be done.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-11-02 09:19:32 UTC
GLSA 200511-02
ia64 should mark stable to benefit from GLSA