
Bug 114437

Summary: app-pda/pilot-link contains insecure RUNPATH's
Product: Gentoo Security
Reporter: Matthew Baker <m>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: andrew, dldudley, gottlieb, matt, moixa, nils, pda, perl, slestak989
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3? [ebuild needpatch]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    
Attachments: pilot-link ebuild log

Description Matthew Baker 2005-12-04 05:10:37 UTC
...
strip: x86_64-pc-linux-gnu-strip --strip-unneeded
   usr/bin/pi-getromtoken
   usr/bin/debugsh
   usr/bin/pilot-archive
   usr/bin/dlpsh
   usr/bin/memos
   usr/bin/install-todos
   usr/bin/addresses
   usr/bin/install-expenses
   usr/bin/install-datebook
   usr/bin/install-memo
   usr/bin/install-todo
   usr/bin/install-user
   usr/bin/pilot-dedupe
   usr/bin/pilot-datebook
   usr/bin/read-notepad
   usr/bin/install-netsync
   usr/bin/pilot-clip
   usr/bin/pilot-file
   usr/bin/pilot-foto
   usr/bin/pilot-xfer
   usr/bin/read-palmpix
   usr/bin/pilot-addresses
   usr/bin/pilot-schlep
   usr/bin/read-expenses
   usr/bin/pi-csd
   usr/bin/pi-getram
   usr/bin/pi-getrom
   usr/bin/hinotes
   usr/bin/read-todos
   usr/bin/pi-nredir
   usr/bin/reminders
   usr/bin/pitclsh
   usr/bin/install-hinote
   usr/bin/read-ical
   usr/bin/money2qif
   usr/bin/pilot-prc
   usr/bin/ccexample
   usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux/auto/PDA/Pilot/Pilot.so
   usr/lib64/libpisock.so.8.0.5
   usr/lib64/libpitcl.so.0.0.0
   usr/lib64/python2.4/site-packages/_pisock.so
   usr/lib64/libpisock++.so.0.0.0
   usr/lib64/libpisync.so.0.0.1
making executable: /usr/lib64/libpisock++.so.0.0.0
making executable: /usr/lib64/libpisock.so.8.0.5
making executable: /usr/lib64/libpisync.so.0.0.1
making executable: /usr/lib64/libpitcl.so.0.0.0

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/pilot-link-0.11.8-r1/work/pilot-link-0.11.8/bindings/Perl/../../libpisock/.libs
usr/lib/perl5/vendor_perl/5.8.7/x86_64-linux/auto/PDA/Pilot/Pilot.so


!!! ERROR: app-pda/pilot-link-0.11.8-r1 failed.
!!! Function dyn_install, Line 1057, Exitcode 0
!!! Insecure binaries detected
!!! If you need support, post the topmost build error, NOT this status message.


Reproducible: Always
Steps to Reproduce:
1.emerge app-pda/pilot-link
2.
3.

Actual Results:  
see above

Expected Results:  
successful emerge

dino ~ # emerge --info
Portage 2.0.53 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r3,
2.6.14-gentoo-r4-1 x86_64)
=================================================================
System uname: 2.6.14-gentoo-r4-1 x86_64 AMD Athlon(tm) 64 Processor 4000+
Gentoo Base System version 1.12.0_pre11
ccache version 2.3 [disabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.16
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.20-r1
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer -funroll-loops
-fpeel-loops -ftracer -fprefetch-loop-arrays"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env
/usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/texmf/web2c
/etc/env.d"
CXXFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer -funroll-loops
-fpeel-loops -ftracer -fprefetch-loop-arrays"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.blueyonder.co.uk
ftp://ftp.heanet.ie/mirrors/gentoo.org"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/cross-arch"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 S3TC X a52 aac aalib acl acpi alsa apache2 apm arts audiofile avi
bash-completion berkdb bidi bitmap-fonts bluetooth bzip2 bzlib calendar caps
cdda cddb cdio cdparanoia cdr chroot codecs crypt css ctype cups curl
curlwrappers dedicated dga dio directfb divx4linux dts dv dvb dvd dvdr dvdread
encode escreen esd exif expat fam fb fbcon ffmpeg firefox flac flatfile
font-server freetype ftp gd gdbm geoip ggi gif gimp gimpprint glut gnutls
gphoto2 gpm graphviz gs gstreamer gtk gtk2 gtkhtml guile hal iconv icq idea
ieee1394 imagemagick imap imlib java javascript jpeg jpeg2k kde lcms libcaca
libwww live lm_sensors logitech-mouse mad maildir matroska mcal mhash mikmod
mime motif mozilla moznocompose moznoirc moznomail mozsvg mp3 mpeg mplayer msn
mysql mysqli ncurses nls no-old-linux no-suexec nowin nptl nptlonly nvidia odbc
offensive ogg oggvorbis opengl oss pam pcre pda pdflib perl php plotutils png
posix profile python qt quicktime rar rdesktop readline real rrdtool samba sasl
sblive sdl server sftplogging sharedmem shorten slang slp sndfile snmp sockets
spell ssl stream svg sysvipc tcltk tcpd tetex tga theora tiff toolbar transcode
truetype-fonts unicode urandom usb userlocales vcd vcdimager videos vim-with-x
vlm vorbis wmf wxwindows xine xinerama xml2 xmlrpc xmms xosd xpm xprint
xscreensaver xv xvid xvmc zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

dino ~ # equery l dev-lang/perl
[ Searching for package 'perl' in 'dev-lang' among: ]
 * installed packages
[I--] [  ] dev-lang/perl-5.8.7-r2 (0)
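
The QA notice in the report above flags a RUNPATH that points into Portage's temporary build tree, a location the installed `Pilot.so` would still search for libraries at run time. As an added example (not Portage's own check and not part of the original report), this Python function scans `readelf -d` output for such entries; the sample output is constructed from the path in the notice, and `UNTRUSTED_PREFIXES`, `build_root` and the function names are assumptions.

```python
import posixpath
import re

# Matches the RPATH/RUNPATH lines printed by `readelf -d <file>`.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
# Assumed list of locations ordinary local users can write to; adjust per system.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/home")

# Constructed sample: `readelf -d` style output using the path from the QA notice.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/portage/pilot-link-0.11.8-r1/work/pilot-link-0.11.8/bindings/Perl/../../libpisock/.libs:/usr/lib64]
"""


def _under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def insecure_entries(readelf_text, build_root="/var/tmp/portage"):
    """Return (tag, entry, reason) for each risky library search path entry."""
    findings = []
    for tag, value in DYN_RE.findall(readelf_text):
        for entry in value.split(":"):
            if entry.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # resolved relative to the object itself; not judged here
            # Collapse "..", so /usr/lib/../../tmp/x is judged as /tmp/x.
            real = posixpath.normpath(entry) if entry else ""
            if entry == "":
                reason = "empty entry (searched as the current directory)"
            elif not entry.startswith("/"):
                reason = "relative path"
            elif _under(real, build_root):
                reason = "points into the build directory"
            elif any(_under(real, p) for p in UNTRUSTED_PREFIXES):
                reason = "points into a user-writable directory"
            else:
                continue
            findings.append((tag, entry, reason))
    return findings


if __name__ == "__main__":
    for tag, entry, reason in insecure_entries(SAMPLE):
        print(f"{tag}: {entry} -> {reason}")
```

To audit an installed package, run `readelf -d` on each of its ELF files and pass the text to `insecure_entries`.
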
Comment 1 Matthew Baker 2005-12-04 05:13:34 UTC
Created attachment 74040 [details]
pilot-link ebuild log
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-12-09 06:55:24 UTC
Ccing PDA herd to check that we are affected with current Perl stable, which may
fix it.
Comment 3 SpanKY gentoo-dev 2005-12-16 13:29:33 UTC
more likely a perl issue ...
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2005-12-16 13:36:52 UTC
(In reply to comment #3)
> more likely a perl issue ...
> 

Since so far all of these bugs are cropping up on perl 5.8.7 boxes, going to tend to agree here. Investigating - these may all have a root cause (another bug in this list would be the PerlQt bug, number escapes me right now)
Comment 5 Steve Romanow 2005-12-31 05:40:25 UTC
(In reply to comment #4)

> Since so far all of these bugs are cropping up on perl 5.8.7 boxes, 

I have this problem on a x86 box w perl-5.8.6-r8 as well.
Comment 6 David Dudley 2006-01-04 18:19:31 UTC
I also have the same problem with building net-snmp on x86.  I have perl V5.8.6 installed.
Comment 7 Tobias Sager 2006-01-14 13:30:27 UTC
Check if you have ExtUtils-MakeMaker installed.
If so, unmerge and try pilot-link again.
Comment 8 Allan Gottlieb 2006-01-20 05:49:45 UTC
(In reply to comment #7)
> Check if you have ExtUtils-MakeMaker installed.
> If so, unmerge and try pilot-link again.

I do not have it installed and get the bug

*  perl-core/ExtUtils-MakeMaker
      Latest version available: 6.21-r1
      Latest version installed: [ Not Installed ]

*  dev-lang/perl
      Latest version available: 5.8.7-r3
      Latest version installed: 5.8.7-r3
Comment 9 andrew lorien 2006-01-31 20:18:23 UTC
same problem here:  x86_64  perl=5.8.6-r5  pilot-link-0.11.8-r1
i don't have ExtUtils-MakeMaker
and running "perlcleaner all" didn't help

pilot-link-0.11.8 has a different error:

067751 /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/pilot-link-0.11.8/temp/ccyQzRrO.o: relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
067752 /var/tmp/portage/pilot-link-0.11.8/temp/ccyQzRrO.o: could not read symbols: Bad value
067753 collect2: ld returned 1 exit status
067754 make[3]: *** [java_lib] Error 1
067755 make[3]: Leaving directory `/var/tmp/portage/pilot-link-0.11.8/work/pilot-link-0.11.8/bindings/Java'
067756 make[2]: *** [all-recursive] Error 1
067757 make[2]: Leaving directory `/var/tmp/portage/pilot-link-0.11.8/work/pilot-link-0.11.8/bindings'
067758 make[1]: *** [all-recursive] Error 1
067759 make[1]: Leaving directory `/var/tmp/portage/pilot-link-0.11.8/work/pilot-link-0.11.8'
067760 make: *** [all-recursive-am] Error 2
067761 
067762 !!! ERROR: app-pda/pilot-link-0.11.8 failed.
067763 !!! Function src_compile, Line 57, Exitcode 2
067764 !!! (no error message)

Comment 10 andrew lorien 2006-01-31 20:26:55 UTC
... but emerging pilot-link-0.11.8 with -java brings back the insecure binaries error.
Comment 11 andrew lorien 2006-01-31 21:58:15 UTC
... and emerging pilot-link 0.11.8-r1 using 
-perl +java +tcltk +python +png +readline
allowed me to emerge gnome-pilot-2.0.10-r1, 
then evolution-2.4.2.1 with +pda

and now it works.  well, the M100 and gnome-pilot-settings recognised each other, which is good enough for me.
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2006-02-16 07:12:49 UTC
This looks like it has been fixed, is this correct?
Comment 13 andrew lorien 2006-02-18 06:29:57 UTC
yeah...
i've just tried it again same result.

i guess you could close this by calling it an AMD_64 perl bug.
Comment 14 Allan Gottlieb 2006-02-19 06:24:59 UTC
(In reply to comment #13)
> yeah...
> i've just tried it again same result.
> 
> i guess you could close this by calling it an AMD_64 perl bug.
> 

I don't think it is just AMD_64, I still see the bug with x86 and
[ebuild   R   ]   app-pda/pilot-link-0.11.8  +java* -minimal +perl +png +python +readline +tcltk 0 kB
Comment 15 Michael Cummings (RETIRED) gentoo-dev 2006-02-20 12:41:30 UTC
Actually I think the 'fix' for this came in during perl fixes for rpaths (both in 5.8.7 and 5.8.8). Not so much an intentional fix as a broad sweeping fix...yeah, that sounds competent...
Comment 16 solar (RETIRED) gentoo-dev 2006-02-26 05:44:17 UTC
Can this one be closed? 
Comment 17 Matthew Baker 2006-02-26 11:45:03 UTC
(In reply to comment #16)
> Can this one be closed? 
> 

emerge app-pda/pilot-link

works after update to perl 5.8.8
Comment 18 SpanKY gentoo-dev 2006-02-26 11:56:54 UTC
k
Comment 19 Jakub Moc (RETIRED) gentoo-dev 2006-03-11 07:41:18 UTC
*** Bug 125835 has been marked as a duplicate of this bug. ***
Comment 20 Jakub Moc (RETIRED) gentoo-dev 2006-03-15 04:18:57 UTC
*** Bug 126280 has been marked as a duplicate of this bug. ***