
Bug 116795

Summary: dev-lang/pike: insecure runpath
Product: Gentoo Security
Reporter: Thomas Matthijs (RETIRED) <axxo>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: aalvarez, araujo, gentoo.bug, maintainer-needed, notellin, omschaub, uwesinha, vivo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [stable?] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on: 127846, 136065    
Bug Blocks: 81745    
Attachments: pike-7.6.24.ebuild runpath fix

Description Thomas Matthijs (RETIRED) gentoo-dev 2005-12-26 10:52:28 UTC
QA Notice: the following files contain insecure RUNPATH's
Please file a bug about this at http://bugs.gentoo.org/
For more information on this issue, kindly review:
http://bugs.gentoo.org/81745
/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.14-gentoo-r5-i686/bundles/lib:/usr/local/lib:/usr/X11R6/lib usr/bin/pike

QA Notice: the following files contain executable stacks
Files with executable stacks will not work properly (or at all!)
on some architectures/operating systems.  A bug should be filed
at http://bugs.gentoo.org/ to make sure the file is fixed.
RWX --- --- usr/lib/pike/modules/Image.so
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-26 11:32:27 UTC
... oh yeah, how I love it. dev-lang/pike  Herd: no-herd Maintainer: no-herd and the guy in the changelog is no longer a dev. I hope that kloeri might take a look, though
Comment 2 Uwe Sinha 2006-01-04 03:02:57 UTC
This problem also occurred with the (unstable) pike-7.6.50 ebuild.

Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-01-08 01:23:49 UTC
*** Bug 118258 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-12 05:33:22 UTC
*** Bug 118770 has been marked as a duplicate of this bug. ***
Comment 5 Tupone Alfredo gentoo-dev 2006-01-13 15:26:23 UTC
Created attachment 77034
pike-7.6.24.ebuild runpath fix

This is a fix to runpath. I disable the bundles at configure time (actually dunno what they are, I guess plugins). The directory where bundles should be is not there, in the broken build, and rpath pointed to a wrong place (/var/tmp/portage/...)

So removing bundles should not degrade.

Now emerge cleanly
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-01-15 09:29:10 UTC
Thx for the analysis, now we just need to find some herd/dev in Gentoo that accepts to take that package :)
Comment 7 Kim Nilsson 2006-01-15 20:04:14 UTC
I found someone in the forum that did a manual install of Pike when the ebuild crashes. Just a simple "make install" in the /var/tmp/portage/pike-7.6.50/work/Pike-v7.6.50 dir.

Now, I know that's breaking the rules, but for testing the mkdvd script I had I did so. It installed fine and works just great.

I hope someone can fix the ebuild so it can be installed properly through portage.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-02-25 00:21:13 UTC
*** Bug 124015 has been marked as a duplicate of this bug. ***
Comment 9 solar (RETIRED) gentoo-dev 2006-03-05 08:02:51 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
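
Added example, not part of the bug report and not portage's own code: a Python check that splits a RUNPATH string like the one in the description, flags the entries an unprivileged local user could control, and returns the cleaned path that a repair step such as the one mentioned in comment 9 would leave behind. The criteria (entries under the build directory, `/tmp` or `/var/tmp`, empty entries, relative entries), the `BUILD_ROOT` value and all function names are assumptions made for this illustration.

```python
import posixpath

# Assumption: directories any local user can write to on a typical Linux host.
WORLD_WRITABLE = ("/tmp", "/var/tmp")

# RUNPATH reported for usr/bin/pike in the bug description above.
SAMPLE_RUNPATH = (
    "/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/"
    "linux-2.6.14-gentoo-r5-i686/bundles/lib:/usr/local/lib:/usr/X11R6/lib"
)
# Assumption: the package's build directory, taken from the prefix of that path.
BUILD_ROOT = "/var/tmp/portage/pike-7.6.24"


def classify_entry(entry, build_root):
    """Return why a RUNPATH entry is unsafe, or None if it passes."""
    if entry == "":
        return "empty entry, searched as the current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # expanded by the loader to the binary's own directory
    if not entry.startswith("/"):
        return "relative path, resolved against the current directory"
    norm = posixpath.normpath(entry)
    for root in (build_root, *WORLD_WRITABLE):
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return "under " + root
    return None


def audit_runpath(runpath, build_root):
    """Split a DT_RUNPATH/DT_RPATH string; return (findings, cleaned path)."""
    findings, kept = [], []
    for entry in runpath.split(":"):
        reason = classify_entry(entry, build_root)
        if reason is None:
            kept.append(entry)
        else:
            findings.append((entry, reason))
    return findings, ":".join(kept)


if __name__ == "__main__":
    findings, cleaned = audit_runpath(SAMPLE_RUNPATH, BUILD_ROOT)
    for entry, reason in findings:
        print("INSECURE:", entry, "->", reason)
    print("cleaned RUNPATH:", cleaned)
```

On an installed file, the string to pass in is the RUNPATH or RPATH value shown by `readelf -d`.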
Comment 10 Luis Araujo (RETIRED) gentoo-dev 2006-07-07 17:03:16 UTC
I just fixed this problem in the two latest versions.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-07 23:19:05 UTC
We still need the fixed versions to be marked stable.

Arches please test.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-07 23:35:04 UTC
Unccing arches until we get bug #136065 sorted out.
Comment 13 Luis Araujo (RETIRED) gentoo-dev 2006-07-11 06:10:10 UTC
I am closing this bug, since the original issue of the report is pretty much solved now. We can move the arch testing reports to bug #136065.