Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 117600

Summary: gnome-base/oaf-0.6.10 insecure RUNPATHs
Product: Gentoo Security Reporter: Jakub Moc (RETIRED) <jakub>
Component: Runpath IssuesAssignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: RESOLVED WORKSFORME    
Severity: normal CC: tupone
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://bugs.gentoo.org/show_bug.cgi?id=81745#c49
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    

Description Jakub Moc (RETIRED) gentoo-dev 2006-01-03 07:29:08 UTC
Separated from the tracker Bug 81745

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/oaf-0.6.10/image//usr/lib usr/bin/oafd
/var/tmp/portage/oaf-0.6.10/image//usr/lib usr/bin/oaf-run-query
/var/tmp/portage/oaf-0.6.10/image//usr/lib usr/bin/oaf-client
/var/tmp/portage/oaf-0.6.10/image//usr/lib usr/bin/oaf-empty-server


!!! ERROR: gnome-base/oaf-0.6.10 failed.
!!! Function dyn_install, Line 1094, Exitcode 0
!!! Aborting due to serious QA concerns with RUNPATH/RPATH
!!! If you need support, post the topmost build error, NOT this status message.
Comment 1 Tupone Alfredo gentoo-dev 2006-01-11 17:04:58 UTC
emerge cleanly to me 


Portage 2.0.53 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-gentoo-r5 i686)
=================================================================
System uname: 2.6.14-gentoo-r5 i686 AMD Duron(tm) processor
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks nostrip sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LC_ALL="it_IT.UTF-8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X X509 Xaw3d acpi adns alsa apm ares artworkextra audiofile avi bash-completion berkdb bitmap-fonts bzip2 canvas cdr cjk crypt cscope cups curl doc dvd dxr3 eds emacs emboss encode erandom esd ethereal exif expat fam ffmpeg firefox flac foomaticdb fortran gd gdbm gif gimpprint glut gnome gnutls gpm gs gstreamer gtk gtk2 gtkhtml guile hal howl idn imagemagick imap imlib jack java jbig jpeg kerberos lcms ldap libg++ libwww mad mikmod mmx mng mozilla moznoirc moznomail moznoxft mozsvg mp3 mpeg multitarget mysql ncurses network nls nntp nptl nptlonly nvidia odbc ogg oggvorbis openal opengl oss pam pcre pdflib perl png profile python quicktime readline real sdl sftplogging silc skey slp sndfile snmp softmmu speex spell sse ssl svg tcltk tcpd tetex theora threads tiff toolbar truetype truetype-fonts type1-fonts udev unicode v4l vidix vim-with-x vorbis win32codecs wmf xchatdccserver xine xml xml2 xmms xv xvid xvmc zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LDFLAGS, LINGUAS
Comment 2 solar (RETIRED) gentoo-dev 2006-03-05 08:02:57 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:25:06 UTC
No longer a security issue, re-assigning to maintainer.
Comment 4 Leonardo Boshell (RETIRED) gentoo-dev 2006-11-16 06:01:07 UTC
No longer reproducible.