
Bug 117417

Summary: dev-libs/expat: insecure RUNPATH
Product: Gentoo Linux
Reporter: Alexander Skwar <askwar>
Component: New packages
Assignee: Freedesktop bugs <freedesktop-bugs>
Severity: minor
CC: cardoe, tcltk
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: [needpatch]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745

Description Alexander Skwar 2006-01-01 21:56:54 UTC
strip: i686-pc-linux-gnu-strip --strip-unneeded
removing executable bit: /usr/lib/

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:
/Gentoo/Portage/build/portage/expat-1.95.8/image//usr/lib usr/bin/xmlwf

!!! ERROR: dev-libs/expat-1.95.8 failed.
Comment 1 Alexander Skwar 2006-01-01 21:58:54 UTC
alexander@blatt /usr/kde $ emerge -vpt expat

These are the packages that I would merge, in reverse order:

Calculating dependencies ...done!
[ebuild   R   ] dev-libs/expat-1.95.8  USE="-test" 0 kB

alexander@blatt /tmp $ emerge info
Portage 2.1_pre3-r1 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.14-suspend2-r9.038.ohne-mqueue i686)
System uname: 2.6.14-suspend2-r9.038.ohne-mqueue i686 Intel(R) Celeron(R) M processor         1.50GHz
Gentoo Base System version 1.12.0_pre12
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.4-r1, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
CFLAGS="-O2 -mtune=pentium-m -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=pentium-m -pipe -fomit-frame-pointer"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks sandbox sfperms strict"
USE="x86 GAPING_SECURITY_HOLE X acpi alsa amd apm arts artswrappersuid async audiofile avi bash-completion bdf berkdb bitmap-fonts bluetooth bootsplash bzip2 caps cardbus ccache cdb cdda cddb cdio cdparanoia cdr cdrom cle266 crypt css curl curlwrappers dbus devmap dillo divx4linux dlloader dvd dvdread emoticon esd ethereal exif expat fam fbcon fbdev ffmpeg firefox fping freetype gd gdbm gif glut gmp gnokii gnome gstreamer gtk gtk2 hal hpn icc id3 idn imagemagick imap imlib imlib2 insecure-drivers insecure-savers java javascript jikes jpeg kde kdeenablefinal lcms libedit libwww linuxthreads-tls logrotate lua lynxkeymap mad madwifi maildir matroska mbox ming mmx mmxext mng mozilla moznoirc mozsvg mp3 mpeg mpeg2 mpeg4 mplayer multicall ncurses netboot network new-login nfs nis nls no-old-linux no-suexec noantlr nobcel nobeanutils nobsf nobsh nocd nocommonslogging nocommonsnet nodrm nogg nogulm nojsch nojython nolog4j nomac nooro nopri norhino noxalan noxerces nozaptel nptl nsplugin offensive ogg oggvorbis openal opengl openssh pam_console pam_timestamp passfile password patented pccts pcmcia pcre perl perlsuid pic player png pnp qt quicktime rar readline real recode reiserfs ruby samba sdl sendfile sensord sftp slang sms spell spf sqlite sse sse2 ssl startup-notification stream subp subtitles suid symlink sysfs syslog tiff transcode truetype truetype-fonts trusted type1-fonts udev underscores unichrome unicode unsafe usb utf8 uudeview vim vim-pager vlm vorbis wifi win32codecs wma123 wmf x11vnc xine xinetd xml xml2 xmms xpm xscreensaver xv xvid xvmc zlib elibc_glibc kernel_linux linguas_de userland_GNU video_cards_via"
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-01-03 06:32:10 UTC
Ccing maintainers.
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2006-01-08 07:27:01 UTC
Hmm, I don't know why tcltk herd is maintainer of expat. expat is not a tcl application.
Comment 4 Tupone Alfredo gentoo-dev 2006-01-12 11:22:37 UTC
Works for me
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-15 09:38:59 UTC
Might be one of those "only occurs if portage-tmp is not in /var/tmp/portage" things. Does anyone else reproduce this? Can the reporter try with PORTAGE_TMPDIR=/var/tmp?

Ccing cardoe as last bumper...
Comment 6 solar (RETIRED) gentoo-dev 2006-03-05 08:02:55 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail.
Maintainers should still fix the packages they maintain, as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem), no longer security@
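
The check and repair discussed above, as an added example that is not Portage's code and not part of anyone's comment in this bug: it splits a RUNPATH, flags entries that are empty, relative, or under the build root, and prints the RUNPATH with those entries dropped. The classification rules, the function names and the sample string (built from the path in the QA notice) are assumptions.

```shell
#!/bin/sh
# Added example (not Portage's code). Rules assumed here for "insecure":
#   empty entry      -> loader searches the current working directory
#   relative entry   -> resolved against the current working directory
#   under build root -> temporary build path baked into the installed binary
# Absolute and $ORIGIN-based entries outside the build root are accepted.
# A real RUNPATH string can be read with: readelf -d FILE | grep -E 'R(UN)?PATH'

# runpath_audit RUNPATH BUILDROOT: print "ok<TAB>entry" or "bad<TAB>entry".
runpath_audit() {
    rp=$1 root=${2%/}
    [ -n "$root" ] || return 2      # refuse an empty build root
    [ -n "$rp" ] || return 0        # no RUNPATH, nothing to report
    rest="$rp:"                     # trailing ':' keeps a final empty entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '')                 printf 'bad\t(empty)\n' ;;
            "$root"|"$root"/*)  printf 'bad\t%s\n' "$entry" ;;
            /*|'$ORIGIN'*)      printf 'ok\t%s\n' "$entry" ;;
            *)                  printf 'bad\t%s\n' "$entry" ;;
        esac
    done
}

# runpath_has_bad RUNPATH BUILDROOT: exit status 0 if any entry is insecure.
runpath_has_bad() {
    runpath_audit "$1" "$2" | grep '^bad' >/dev/null
}

# runpath_repair RUNPATH BUILDROOT: print the RUNPATH with bad entries dropped.
# An empty result means the RUNPATH tag should be removed entirely.
runpath_repair() {
    runpath_audit "$1" "$2" |
        awk -F '\t' '$1 == "ok" { printf "%s%s", sep, $2; sep = ":" } END { print "" }'
}

# Constructed sample: the path from the QA notice plus three made-up entries.
BUILDROOT=/Gentoo/Portage/build/portage/expat-1.95.8
SAMPLE="$BUILDROOT/image//usr/lib:/usr/lib::lib"
runpath_audit "$SAMPLE" "$BUILDROOT"
echo "repaired: $(runpath_repair "$SAMPLE" "$BUILDROOT")"
```
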
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:43:35 UTC
No longer a security issue with current stable portage, re-assigning to maintainer.
Comment 8 solar (RETIRED) gentoo-dev 2007-07-12 15:10:32 UTC
(In reply to comment #3)
> Hmm, I don't know why tcltk herd is maintainer of expat. expat is not a tcl
> application.

tcltk herd is listed in the metadata.xml.
Perhaps somebody got metadata trigger happy and confused expect and expat.
Comment 9 Gilles Dartiguelongue gentoo-dev 2009-01-11 19:39:44 UTC
Bug hasn't seen any activity in a while and I can't reproduce this bug with expat-2.0.1. Please reopen if you can still reopen with >=expat-2.