Summary: | dev-lang/ezm3 insecure RUNPATHs | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Dan <parallelgrapefruit> |
Component: | Runpath Issues | Assignee: | SpanKY <vapier> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | tupone |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Other | ||
Whiteboard: | [ebuild] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 81745 | ||
Attachments: | files/ezm3-1.2-RUNPATH.patch, ezm3-1.2-r1.ebuild.patch | ||
Description
Dan
2005-12-24 06:50:54 UTC
(hydrogen@meglomaniac:~)$ emerge --info
Portage 2.1_pre1 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-ck5-stable i686)
=================================================================
System uname: 2.6.14-ck5-stable i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python: 2.3.5-r2, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com http://gentoo.mirrors.tds.net"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apache2 apm arts audiofile avi berkdb bitmap-fonts bzip2 cdb cdr crypt curl dri emboss encode exif expat fam ffmpeg flac foomaticdb fortran gd gdbm gif glut gpm gstreamer gtk2 idn imlib ipv6 java jpeg kde lcms libg++ libwww logitech-mouse mad mhash mikmod mng motif mp3 mpeg mysql ncurses nls ogg oggvorbis opengl oss pam pcre pdflib perl pic png postgres python qt quicktime readline ruby sdl spell sql ssl subversion tcpd tiff truetype truetype-fonts type1-fonts udev unicode usb vorbis xine xml2 xmms xv xvid zlib elibc_glibc kernel_linux userland_GNU"
Unset: ASFLAGS, CTARGET, LDFLAGS, LINGUAS, MAKEOPTS

Created attachment 76866
files/ezm3-1.2-RUNPATH.patch
Patch to build ezm3 statically. That seems to me the only way to remove the runpath security issue. As it is only used to build cvsup, it is not a great deal.
Created attachment 76867
ezm3-1.2-r1.ebuild.patch
Patch to ebuild to apply runpath patch
vapier: your opinion as maintainer? Any other solution?

The next ~arch portage revision will auto repair evil rpaths and not bail. Maintainers should still fix the packages they maintain as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@ http://bugs.gentoo.org/show_bug.cgi?id=124962

No longer a security issue with current stable portage, re-assigning to maintainer

masked to be punted
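
A check for the kind of issue this bug tracks, as an added example that is not from the bug report, its attachments, or Portage: it parses `readelf -d` output and flags RPATH/RUNPATH components that are empty, relative, or under the temporary build directory. The three rules and the sample lines are assumptions of this example; the `/var/tmp` default is the PORTAGE_TMPDIR value shown in the report.

```python
import re

# Constructed `readelf -d` lines for illustration; not taken from the bug report.
SAMPLE = """\
 0x0000001d (RUNPATH)  Library runpath: [/var/tmp/portage/example-1.0/work/lib:/usr/lib]
 0x0000000f (RPATH)    Library rpath: [/usr/lib/example:]
 0x0000001d (RUNPATH)  Library runpath: [$ORIGIN/../lib:lib]
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
"""

ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def classify(component, tmpdir="/var/tmp"):
    """Return why one search-path component is unsafe, or None if it looks fine.

    The three rules are this example's assumptions about what "insecure" means.
    """
    if component == "":
        return "empty component (searched as the current directory)"
    if component.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # expanded by the loader to the binary's own directory
    if not component.startswith("/"):
        return "relative path (resolved against the current directory)"
    base = tmpdir.rstrip("/")
    if component == base or component.startswith(base + "/"):
        return "under temporary build directory " + base
    return None


def audit(readelf_text, tmpdir="/var/tmp"):
    """Return (tag, component, reason) for every unsafe RPATH/RUNPATH component."""
    findings = []
    for line in readelf_text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for component in value.split(":"):
            reason = classify(component, tmpdir)
            if reason:
                findings.append((tag, component, reason))
    return findings


if __name__ == "__main__":
    for tag, component, reason in audit(SAMPLE):
        print(f"{tag}: {component!r}: {reason}")
```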