|Summary:||dev-lang/pike: insecure runpath|
|Product:||Gentoo Security||Reporter:||Thomas Matthijs (RETIRED) <axxo>|
|Component:||Runpath Issues||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||aalvarez, araujo, gentoo.bug, maintainer-needed, notellin, omschaub, uwesinha, vivo|
|Whiteboard:||B3 [stable?] DerCorny|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||127846, 136065|
|Attachments:||pike-7.6.24.ebuild runpath fix|
Description Thomas Matthijs (RETIRED) 2005-12-26 10:52:28 UTC
QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.14-gentoo-r5-i686/bundles/lib:/usr/local/lib:/usr/X11R6/lib usr/bin/pike
QA Notice: the following files contain executable stacks
 Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed.
RWX --- --- usr/lib/pike/modules/Image.so
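The RUNPATH reported in the QA notice above, checked entry by entry. This is an added example, not part of the original report and not Portage's own QA code. The function name `check_runpath`, its verdict labels and the default build root `/var/tmp/portage` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Portage's QA code. Classifies every entry of a
# colon-separated RUNPATH/RPATH string so that entries the installed package
# does not own (build tree, temp dirs, cwd-relative) stand out.

# check_runpath RUNPATH [BUILDROOT]
# Prints "VERDICT<TAB>ENTRY" per entry; returns 1 if any entry is flagged.
check_runpath() {
    buildroot=${2:-/var/tmp/portage}  # assumption: build trees live here
    status=0
    rest="$1:"                        # trailing ':' keeps a final empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}             # text before the first ':'
        rest=${rest#*:}               # remainder after the first ':'
        case $entry in
            '')                              verdict=INSECURE-empty ;;     # loader reads it as the current directory
            '$ORIGIN'*|'${ORIGIN}'*)         verdict=origin-relative ;;    # resolved relative to the binary
            "$buildroot"|"$buildroot"/*)     verdict=INSECURE-buildroot ;; # leftover from the build
            /tmp|/tmp/*|/var/tmp|/var/tmp/*) verdict=INSECURE-tmp ;;
            /*)                              verdict=ok ;;
            *)                               verdict=INSECURE-relative ;;  # depends on the current directory
        esac
        case $verdict in INSECURE-*) status=1 ;; esac
        printf '%s\t%s\n' "$verdict" "$entry"
    done
    return "$status"
}

# RUNPATH of usr/bin/pike, copied from the QA notice in this bug.
PAGE_RUNPATH='/var/tmp/portage/pike-7.6.24/work/Pike-v7.6.24/build/linux-2.6.14-gentoo-r5-i686/bundles/lib:/usr/local/lib:/usr/X11R6/lib'

check_runpath "$PAGE_RUNPATH" || echo "=> insecure RUNPATH, package needs fixing"
```

On an installed file the input string can be taken from the `RUNPATH` or `RPATH` line of `readelf -d`.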
Comment 1 Stefan Cornelius (RETIRED) 2005-12-26 11:32:27 UTC
... oh yeah, how I love it.
dev-lang/pike
Herd: no-herd
Maintainer: no-herd
And the guy in the changelog is no longer a dev. I hope that kloeri might take a look, though.
Comment 2 Uwe Sinha 2006-01-04 03:02:57 UTC
This problem also occurred with the (unstable) pike-7.6.50 ebuild.
Comment 3 Jakub Moc (RETIRED) 2006-01-08 01:23:49 UTC
*** Bug 118258 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Cornelius (RETIRED) 2006-01-12 05:33:22 UTC
*** Bug 118770 has been marked as a duplicate of this bug. ***
Comment 5 Tupone Alfredo 2006-01-13 15:26:23 UTC
Created attachment 77034: pike-7.6.24.ebuild runpath fix
This is a fix to runpath. I disable the bundles at configure time (actually dunno what they are, I guess plugins). The directory where bundles should be is not there in the broken build, and rpath pointed to a wrong place (/var/tmp/portage/...). So removing bundles should not degrade. Now it emerges cleanly.
Comment 6 Thierry Carrez (RETIRED) 2006-01-15 09:29:10 UTC
Thx for the analysis, now we just need to find some herd/dev in Gentoo that accepts to take that package :)
Comment 7 Kim Nilsson 2006-01-15 20:04:14 UTC
I found someone in the forum that did a manual install of Pike when the ebuild crashes. Just a simple "make install" in the /var/tmp/portage/pike-7.6.50/work/Pike-v7.6.50 dir. Now, I know that's breaking the rules, but for testing the mkdvd script I had I did so. It installed fine and works just great. I hope someone can fix the ebuild so it can be installed properly through portage.
Comment 8 Jakub Moc (RETIRED) 2006-02-25 00:21:13 UTC
*** Bug 124015 has been marked as a duplicate of this bug. ***
Comment 9 solar (RETIRED) 2006-03-05 08:02:51 UTC
The next ~arch portage revision will auto-repair evil rpaths and not bail. Maintainers should still fix the packages they maintain, as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem), no longer security@. http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 10 Luis Araujo (RETIRED) 2006-07-07 17:03:16 UTC
I just fixed this problem in the two latest versions.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2006-07-07 23:19:05 UTC
We still need the fixed versions to be marked stable. Arches please test.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2006-07-07 23:35:04 UTC
Unccing arches until we get bug #136065 sorted out.