Bug 116630

Summary: dev-util/insight-6.1: contains insecure RUNPATH
Product: Gentoo Security
Reporter: Sandro Bonazzola (RETIRED) <sanchan>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: VERIFIED WORKSFORME
Severity: minor
CC: dev-tools, saintdev, sandro.bonazzola, tester
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: [needpatch]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745

Description Sandro Bonazzola (RETIRED) gentoo-dev 2005-12-24 11:00:09 UTC
QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/insight-6.1/image//opt/insight/lib opt/insight/bin/gdbtui
/var/tmp/portage/insight-6.1/image//opt/insight/lib opt/insight/bin/insight
/var/tmp/portage/insight-6.1/image//opt/insight/lib opt/insight/bin/gdb
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-24 11:58:35 UTC
tester (or dev-tools, if tester is not available), please provide fixed ebuilds, thx
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2005-12-24 15:28:16 UTC
it seems ok here.. 

TesterTop tester # scanelf -r /opt/insight/bin/
 TYPE   RPATH FILE 
ET_EXEC /opt/insight/lib /opt/insight/bin//insight 
ET_EXEC /opt/insight/lib /opt/insight/bin//gdb 
ET_EXEC   -   /opt/insight/bin//gdbserver 
ET_EXEC /opt/insight/lib /opt/insight/bin//gdbtui 
ET_EXEC /opt/insight/lib /opt/insight/bin//wish8.4 
ET_EXEC /opt/insight/lib /opt/insight/bin//tclsh8.4 
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2005-12-24 15:28:42 UTC
btw, I added 6.4... does it have the same problem ?
Comment 4 Sandro Bonazzola (RETIRED) gentoo-dev 2005-12-25 00:24:26 UTC
(In reply to comment #2)
> it seems ok here.. 
> 
> TesterTop tester # scanelf -r /opt/insight/bin/

the insecure path is signaled by portage while emerging insight after modular xorg-x11-7.0

# scanelf -r /var/tmp/portage/insight-6.1/image/opt/insight/bin/
 TYPE   RPATH FILE
ET_EXEC /opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//tclsh8.4
ET_EXEC /opt/insight/lib:/usr/X11R6/lib64 /var/tmp/portage/insight-6.1/image/opt/insight/bin//wish8.4
ET_EXEC /var/tmp/portage/insight-6.1/image//opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//gdbtui
ET_EXEC /var/tmp/portage/insight-6.1/image//opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//insight
ET_EXEC /var/tmp/portage/insight-6.1/image//opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//gdb
ET_EXEC   -   /var/tmp/portage/insight-6.1/image/opt/insight/bin//gdbserver
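
The difference between the two `scanelf -r` listings in this thread (an RPATH of `/opt/insight/lib` versus one under `/var/tmp/portage/insight-6.1/image/`) can be checked mechanically. The following is an added example, not part of the original bug report and not Portage's own QA code; the function names, the `build_root` default and the three flagging criteria (entry under the build tree, empty entry, relative entry) are assumptions of the example.

```python
import posixpath

# Constructed sample in `scanelf -r` format, using lines quoted in comment 4.
SCANELF_OUTPUT = """\
 TYPE   RPATH FILE
ET_EXEC /opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//tclsh8.4
ET_EXEC /opt/insight/lib:/usr/X11R6/lib64 /var/tmp/portage/insight-6.1/image/opt/insight/bin//wish8.4
ET_EXEC /var/tmp/portage/insight-6.1/image//opt/insight/lib /var/tmp/portage/insight-6.1/image/opt/insight/bin//gdb
ET_EXEC   -   /var/tmp/portage/insight-6.1/image/opt/insight/bin//gdbserver
"""

def classify_entry(entry, build_root):
    """Return a reason if one RPATH entry is unsafe, else None (assumed criteria)."""
    if entry == "":
        return "empty entry (resolves to the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the binary, not the working directory
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)       # collapses the '//' seen in the QA notice
    root = posixpath.normpath(build_root)
    if norm == root or norm.startswith(root + "/"):
        return "points into the build tree"
    return None

def audit(scanelf_text, build_root="/var/tmp/portage"):
    """Parse `scanelf -r` output and return (file, rpath_entry, reason) tuples."""
    findings = []
    for line in scanelf_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].startswith("ET_"):
            continue  # header line or a row this simple parser cannot handle
        _etype, rpath, path = fields
        if rpath == "-":
            continue  # no RPATH/RUNPATH recorded in this file
        for entry in rpath.split(":"):
            reason = classify_entry(entry, build_root)
            if reason:
                findings.append((posixpath.normpath(path), entry, reason))
    return findings

if __name__ == "__main__":
    for path, entry, reason in audit(SCANELF_OUTPUT):
        print(f"{path}: {entry!r}: {reason}")
```
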
Comment 5 Sandro Bonazzola (RETIRED) gentoo-dev 2005-12-25 00:49:57 UTC
(In reply to comment #3)
> btw, I added 6.4... does it have the same problem ?
> 

Yes, same problem. Is it possible that this is caused by something that changed between xorg-6.8.2 and xorg-7.0?
See also bug #116673.

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/insight
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/gdbtui
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/gdb
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2006-01-04 16:42:28 UTC
even after upgrading to Xorg 7.0 I can't reproduce... something is strange on your system.. 
Comment 7 Nathan Caldwell 2006-01-04 19:16:17 UTC
I get the same problem here with insight-6.4, and xorg-x11-6.8.2-r6

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/gdb
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/gdbtui
/var/tmp/portage/insight-6.4/image//opt/insight/lib opt/insight/bin/insight

tucaxi ~ # emerge info
Portage 2.1_pre3-r1 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.14-gentoo-r4.1 i686)
=================================================================
System uname: 2.6.14-gentoo-r4.1 i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz
Gentoo Base System version 1.12.0_pre12
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -O3 -mtune=pentium4 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -O3 -mtune=pentium4 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distcc distlocks sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://192.168.0.30 http://mirror.datapipe.net/gentoo ftp://ftp.ndlug.nd.edu/pub/gentoo"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.30/gentoo-portage"
USE="x86 X aac acpi alsa asf audiofile avi berkdb bitmap-fonts bzip2 cairo cddb cdr crypt cups curl dbus dts dvd emboss expat faad fam ffmpeg fftw flac foomaticdb fortran gdbm gif gimpprint glut gmp gpm gstreamer gtk gtk2 hal idn imagemagick imlib java jpeg junit kde kdeenablefinal lcms libg++ libwww mad matroska mikmod mime mmx mng motif mozilla mp3 mpeg musicbrainz mysql mythtv ncurses nls nptl offensive ogg oggvorbis opengl pam pcmcia pcre pdflib perl png pnp ppds python qt quicktime readline real samba sdl slang speex spell sql sqlite sse sse2 ssl subversion svg svga tcpd theora tidy tiff truetype truetype-fonts type1-fonts udev usb vlc vorbis wifi win32codecs wxgtk1 xgetdefault xine xml xml2 xscreensaver xv xvid zeroconf zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-01-15 09:50:43 UTC
Anyone else reproducing or non-reproducing?
Comment 9 solar (RETIRED) gentoo-dev 2006-03-05 08:02:50 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2006-09-05 12:21:22 UTC
No one seems to be able to reproduce, if you can reproduce with insight 6.5, we'll advise.
Comment 11 Sandro Bonazzola (RETIRED) gentoo-dev 2006-09-06 13:22:10 UTC
I've just tested insight-6.5, it seems that 6.5 doesn't have this problem, at least under ~amd64.

It's sad to see that a bug submitted 8 months ago for version 6.1 has waited 8 months to be marked works for me on a different version of the package. 6.1 is still affected, but now nobody cares. 6.5 is out. Marking verified, not closed; it needs a test under x86 before being closed.