Summary: | dev-libs/expat: insecure RUNPATH | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Alexander Skwar <askwar>
Component: | New packages | Assignee: | Freedesktop bugs <freedesktop-bugs>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | cardoe, tcltk
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | [needpatch] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 81745 | |

Description
Alexander Skwar
2006-01-01 21:56:54 UTC
alexander@blatt /usr/kde $ emerge -vpt expat
These are the packages that I would merge, in reverse order:
Calculating dependencies ...done!
[ebuild R ] dev-libs/expat-1.95.8 USE="-test" 0 kB

alexander@blatt /tmp $ emerge info
Portage 2.1_pre3-r1 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.14-suspend2-r9.038.ohne-mqueue i686)
=================================================================
System uname: 2.6.14-suspend2-r9.038.ohne-mqueue i686 Intel(R) Celeron(R) M processor 1.50GHz
Gentoo Base System version 1.12.0_pre12
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python: 2.3.4-r1, 2.4.2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -mtune=pentium-m -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=pentium-m -pipe -fomit-frame-pointer"
DISTDIR="/Gentoo/Portage/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks sandbox sfperms strict"
GENTOO_MIRRORS=" http://server.bei.digitalprojects.com/gentoo/ http://stuff.alexander.skwar.name/gentoo/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo http://distfiles.gentoo.org/ "
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/Gentoo/Portage/packages"
PORTAGE_TMPDIR="/Gentoo/Portage/build"
PORTDIR="/Gentoo/Portage/tree"
PORTDIR_OVERLAY="/Gentoo/Portage/local-tree/misc"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 GAPING_SECURITY_HOLE X acpi alsa amd apm arts artswrappersuid async audiofile avi bash-completion bdf berkdb bitmap-fonts bluetooth bootsplash bzip2 caps cardbus ccache cdb cdda cddb cdio cdparanoia cdr cdrom cle266 crypt css curl curlwrappers dbus devmap dillo divx4linux dlloader dvd dvdread emoticon esd ethereal exif expat fam fbcon fbdev ffmpeg firefox fping freetype gd gdbm gif glut gmp gnokii gnome gstreamer gtk gtk2 hal hpn icc id3 idn imagemagick imap imlib imlib2 insecure-drivers insecure-savers java javascript jikes jpeg kde kdeenablefinal lcms libedit libwww linuxthreads-tls logrotate lua lynxkeymap mad madwifi maildir matroska mbox ming mmx mmxext mng mozilla moznoirc mozsvg mp3 mpeg mpeg2 mpeg4 mplayer multicall ncurses netboot network new-login nfs nis nls no-old-linux no-suexec noantlr nobcel nobeanutils nobsf nobsh nocd nocommonslogging nocommonsnet nodrm nogg nogulm nojsch nojython nolog4j nomac nooro nopri norhino noxalan noxerces nozaptel nptl nsplugin offensive ogg oggvorbis openal opengl openssh pam_console pam_timestamp passfile password patented pccts pcmcia pcre perl perlsuid pic player png pnp qt quicktime rar readline real recode reiserfs ruby samba sdl sendfile sensord sftp slang sms spell spf sqlite sse sse2 ssl startup-notification stream subp subtitles suid symlink sysfs syslog tiff transcode truetype truetype-fonts trusted type1-fonts udev underscores unichrome unicode unsafe usb utf8 uudeview vim vim-pager vlm vorbis wifi win32codecs wma123 wmf x11vnc xine xinetd xml xml2 xmms xpm xscreensaver xv xvid xvmc zlib elibc_glibc kernel_linux linguas_de userland_GNU video_cards_via"
Unset: ASFLAGS, CTARGET, LC_ALL

Ccing maintainers.

Hmm, I don't know why tcltk herd is maintainer of expat. expat is not tcl application.

works to me

Might be one of those "only occurs if portage-tmp is not in /var/tmp/portage" things. Does anyone else reproduce this ? Can the reporter try with PORTAGE_TMPDIR=/var/tmp ?

Ccing cardoe as last bumper...

The next ~arch portage revision will auto repair evil rpaths and not bail. Maintainers should still fix the packages they maintain as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem)
no longer security@
http://bugs.gentoo.org/show_bug.cgi?id=124962

No longer a security issue with current stable portage, re-assigning to maintainer.

(In reply to comment #3)
> Hmm, I don't know why tcltk herd is maintainer of expat. expat is not tcl
> application.
>
tcltk herd is listed in the metadata.xml

Perhaps somebody got metadata trigger happy and confused expect and expat

bug hasn't seen any activity in a while and I can't reproduce this bug with expat-2.0.1. Please reopen if you can still reopen with >=expat-2
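
A check for the condition this bug is about, as an added example that is not part of the bug thread and is not Portage's own QA code: it parses `readelf -d` output and flags RPATH/RUNPATH entries that are empty, relative, or located under the build directory. The sample output, the build path below the reporter's `PORTAGE_TMPDIR`, and the function names are constructed for illustration.

```python
import posixpath
import re

# Matches the RPATH/RUNPATH lines printed by `readelf -d <file>`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

def runpath_entries(readelf_output):
    """Yield (tag, entry) for each colon-separated search-path entry."""
    for line in readelf_output.splitlines():
        m = _DYN_RE.search(line)
        if m:
            for entry in m.group(2).split(":"):
                yield m.group(1), entry

def classify(entry, build_root):
    """Return why an entry is unsafe, or None if it looks acceptable."""
    if entry == "":
        return "empty entry (can resolve to the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the object's own location
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)
    root = posixpath.normpath(build_root)
    # Compare on a path-component boundary so /build does not match /buildX.
    if norm == root or norm.startswith(root + "/"):
        return "points into the build directory"
    return None

def insecure_runpaths(readelf_output, build_root):
    """List (tag, entry, reason) for every unsafe entry found."""
    findings = []
    for tag, entry in runpath_entries(readelf_output):
        reason = classify(entry, build_root)
        if reason:
            findings.append((tag, entry, reason))
    return findings

# Constructed sample: what `readelf -d` could print for a library that was
# linked inside a build tree under PORTAGE_TMPDIR="/Gentoo/Portage/build".
SAMPLE = """\
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000001d (RUNPATH)                    Library runpath: [/usr/lib:/Gentoo/Portage/build/portage/expat-1.95.8/work/expat-1.95.8/.libs::lib]
"""

if __name__ == "__main__":
    for tag, entry, reason in insecure_runpaths(SAMPLE, "/Gentoo/Portage/build"):
        print(f"{tag}: {entry!r}: {reason}")
```

A build-directory entry matters because that directory may later be recreated by a user other than the one who owns the installed binary, and the loader will still search it.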