
Bug 114418

Summary: net-www/gplflash 0.4.13 ebuild fails due to insecure RUNPATH's
Product: Gentoo Security
Reporter: jmdorfman
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: danarmak, frederico, gazman, mozilla, weeve
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745

Description jmdorfman 2005-12-04 00:24:19 UTC

I am compiling gplflash 0.4.13 on a dual-core AMD64 system.  It compiles fine,
but when it goes to install, it gives me this exact error:

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:


Reproducible: Always
Steps to Reproduce:
1. emerge gplflash       (version 0.4.13)  (may have to be done on AMD64)

Actual Results:  
during installation of files, received this error:

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:

Expected Results:  
successfully installed the gplflash ebuild

Portage 2.0.53 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r3,
2.6.15-rc4 x86_64)
System uname: 2.6.15-rc4 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4400+
Gentoo Base System version 1.12.0_pre11
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.15
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20-r1
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="autoconfig distlocks sandbox sfperms strict"
USE="amd64 X a52 aac acpi alsa audiofile avi berkdb bitmap-fonts bmp bonobo
bzip2 cdparanoia cdr crypt cups dri dts dv dvd dvdr dvdread eds emboss encode
esd exif expat fam fbcon ffmpeg flac foomaticdb fortran ftp gif glut gnome gpm
gstreamer gtk gtk2 hal idn ieee1394 imlib ipv6 joystick jpeg kde lcms lzw
lzw-tiff mad mikmod mime mng mozilla mp3 mpeg ncurses nls ogg openal opengl pam
pcre pdflib perl png posix python qt quicktime readline samba scanner sdl spell
ssl svg tcpd theora tiff truetype truetype-fonts type1-fonts udev unicode usb
userlocales v4l vcd videos vorbis xine xml xml2 xmms xpm xv yahoo zlib
userland_GNU kernel_linux elibc_glibc"
Comment 1 SpanKY gentoo-dev 2005-12-16 16:12:17 UTC
gplflash's build system has wicked broken autotool handling ... in this case, they decided to override the default install target by copying the temp .so file to the install path (which was built with -rpath)

should be fixed in gplflash-0.4.13-r1
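
An added example, not part of this bug thread and not Portage's own code: a check for the condition comment 1 describes, an installed `.so` that still carries the search path it was linked with via `-rpath`. It goes slightly beyond the build-directory case and also flags empty and relative entries; the function name, the `/var/tmp/portage` default and the sample `readelf -d` text are assumptions constructed for illustration.

```python
import re

# Matches the RPATH / RUNPATH lines printed by `readelf -d <file>`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

# Constructed sample: dynamic section of a library copied straight out of
# the build tree, so the linker's -rpath value is still embedded in it.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/portage/example-1.0/work/lib:/usr/lib64]
"""


def insecure_runpaths(readelf_dynamic, build_root="/var/tmp/portage"):
    """Return (tag, entry, reason) for each unsafe library search-path entry.

    build_root is an assumed location of the temporary build directory.
    """
    root = build_root.rstrip("/")
    findings = []
    for tag, value in _DYN_RE.findall(readelf_dynamic):
        for entry in value.split(":"):
            if entry == "":
                reason = "empty entry, searched as the current directory"
            elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # resolved relative to the object's own location
            elif not entry.startswith("/"):
                reason = "relative path, searched from the current directory"
            elif entry == root or entry.startswith(root + "/"):
                reason = "points into the temporary build directory"
            else:
                continue  # absolute path outside the build tree
            findings.append((tag, entry, reason))
    return findings


if __name__ == "__main__":
    for tag, entry, reason in insecure_runpaths(SAMPLE):
        print(f"{tag}: {entry!r}: {reason}")
```

Feed it the output of `readelf -d` for each installed shared object; an empty result means no entry matched any of the three conditions.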
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-12-17 01:56:51 UTC
*** Bug 115835 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 02:38:06 UTC
Any hint if this would also affect < 0.4.13 ?
Comment 4 SpanKY gentoo-dev 2005-12-23 06:27:25 UTC
no idea, but it'd prob be best if we punted the older versions anyways
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 10:36:28 UTC
Then we should test and mark 0.4.13-r1 stable.
Comment 6 Paul Varner (RETIRED) gentoo-dev 2005-12-23 12:38:45 UTC
I have epiphany-1.6.4, mozilla-1.7.12-r2, and mozilla-firefox-1.0.7 installed and all of them fail to detect and use the gplflash-0.4.13-r1 plugin when I install it.
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-12-24 13:58:05 UTC
same here on amd64, firefox can't find the plugin. however, i tried the latest stable (0.4.10-r3) and apparently it is safe, so there is no need to speed up stabilization IMHO
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-12-27 01:04:07 UTC
OK so let's consider this only affects the recent ~ version and close the security bug. Feel free to open a separate bug or to reassign this one if you want to solve the "0.4.13-r1 sucks" issue...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-12-27 02:08:35 UTC
and do not forget to close.