
Bug 116611

Summary: dev-lang/ezm3 insecure RUNPATHs
Product: Gentoo Security
Reporter: Dan <parallelgrapefruit>
Component: Runpath Issues
Assignee: SpanKY <vapier>
Status: RESOLVED FIXED
Severity: minor
CC: tupone
Priority: High
Version: unspecified
Hardware: All
OS: Other
Whiteboard: [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745
Attachments: files/ezm3-1.2-RUNPATH.patch, ezm3-1.2-r1.ebuild.patch

Description Dan 2005-12-24 06:50:54 UTC
And this is obviously a bad thing.  As strict is set in profile, it makes it really hard.

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/usr/lib/m3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3config/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3templates/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3driver/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3linker/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3front/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3quake/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3middle/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/libm3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3core/LINUXLIBC6 usr/bin/m3ship
/usr/lib/m3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/libm3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3core/LINUXLIBC6 usr/bin/m3bundle
/usr/lib/m3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3config/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3templates/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3driver/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3linker/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3front/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3quake/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3middle/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/libm3/LINUXLIBC6:/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6/usr/lib/m3/pkg/m3core/LINUXLIBC6 usr/bin/m3build 

along with 

QA Notice: the following files contain executable stacks
 Files with executable stacks will not work properly (or at all!)
 on some architectures/operating systems.  A bug should be filed
 at http://bugs.gentoo.org/ to make sure the file is fixed.
RWX --- --- usr/bin/m3ship
RWX --- --- usr/bin/m3bundle
RWX --- --- usr/bin/m3build
 
 
!!! ERROR: dev-lang/ezm3-1.2 failed.
!!! Function dyn_install, Line 1113, Exitcode 0
!!! Aborting due to serious QA concerns
!!! If you need support, post the topmost build error, NOT this status message.

Having to run with FEATURES="-strict" is sketchy
Comment 1 Dan 2005-12-24 07:01:49 UTC
(hydrogen@meglomaniac:~)$ emerge --info
Portage 2.1_pre1 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-ck5-stable i686)
=================================================================
System uname: 2.6.14-ck5-stable i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com http://gentoo.mirrors.tds.net"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apache2 apm arts audiofile avi berkdb bitmap-fonts bzip2 cdb cdr crypt curl dri emboss encode exif expat fam ffmpeg flac foomaticdb fortran gd gdbm gif glut gpm gstreamer gtk2 idn imlib ipv6 java jpeg kde lcms libg++ libwww logitech-mouse mad mhash mikmod mng motif mp3 mpeg mysql ncurses nls ogg oggvorbis opengl oss pam pcre pdflib perl pic png postgres python qt quicktime readline ruby sdl spell sql ssl subversion tcpd tiff truetype truetype-fonts type1-fonts udev unicode usb vorbis xine xml2 xmms xv xvid zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, LDFLAGS, LINGUAS, MAKEOPTS
Comment 2 Tupone Alfredo gentoo-dev 2006-01-11 16:13:55 UTC
Created attachment 76866
files/ezm3-1.2-RUNPATH.patch

Patch to build ezm3 statically. That seems to me the only way to remove the runpath security issue. As it is only used to build cvsup, it is not a great deal.
Comment 3 Tupone Alfredo gentoo-dev 2006-01-11 16:17:02 UTC
Created attachment 76867
ezm3-1.2-r1.ebuild.patch

Patch to ebuild to apply runpath patch
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-01-15 09:43:48 UTC
vapier: your opinion as maintainer? Any other solution?
Comment 5 solar (RETIRED) gentoo-dev 2006-03-05 08:02:49 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:29:45 UTC
No longer a security issue with current stable portage, re-assigning to maintainer
Comment 7 SpanKY gentoo-dev 2007-07-26 05:50:19 UTC
masked to be punted
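
The QA notice in the description and the auto-repair mentioned in comment 5 both come down to checking each RUNPATH entry against a trust policy. The following is an added example, not Portage's own check or code from this bug: it parses notice lines in the `<runpath> <file>` form shown above, and the untrusted prefixes, the function names and the second sample line are assumptions made for illustration.

```python
import posixpath

# Assumed policy for illustration: directories an unprivileged user may be
# able to create or write into. /var/tmp is PORTAGE_TMPDIR in the report.
UNTRUSTED_PREFIXES = ("/var/tmp", "/tmp")


def classify_entry(entry):
    """Return the reason an entry is insecure, or None if it is acceptable."""
    if entry == "":
        return "empty entry (loader treats it as the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the binary itself (assumed acceptable)
    if not entry.startswith("/"):
        return "relative path"
    # Collapse "..", "." and repeated slashes lexically; symlinks are not resolved.
    norm = posixpath.normpath("/" + entry.lstrip("/"))
    for prefix in UNTRUSTED_PREFIXES:
        if norm == prefix or norm.startswith(prefix + "/"):
            return "under " + prefix
    return None


def audit_line(line):
    """Split one '<runpath> <file>' notice line into kept and rejected entries."""
    runpath, path = line.rsplit(None, 1)
    kept, rejected = [], []
    for entry in runpath.split(":"):
        reason = classify_entry(entry)
        if reason is None:
            kept.append(entry)
        else:
            rejected.append((entry, reason))
    return path, kept, rejected


BUILD = "/var/tmp/portage/ezm3-1.2/work/ezm3-1.2/src/../binaries/LINUXLIBC6"
SAMPLES = [
    # usr/bin/m3bundle line from the QA notice in this report
    "/usr/lib/m3/LINUXLIBC6:" + BUILD + "/usr/lib/m3/pkg/libm3/LINUXLIBC6:"
    + BUILD + "/usr/lib/m3/pkg/m3core/LINUXLIBC6 usr/bin/m3bundle",
    # constructed line exercising the other cases
    "$ORIGIN/../lib::lib/private:/usr/lib/../../tmp/stage usr/bin/demo",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        path, kept, rejected = audit_line(sample)
        print(path, "-> repaired RUNPATH:", ":".join(kept) or "(none)")
        for entry, reason in rejected:
            print("   drop", repr(entry), "-", reason)
```

The normalization is lexical only, so a trusted-looking directory that is a symlink into a writable location still needs a check on the installed filesystem.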