Bug 118265

Summary: gnome-base/librsvg-2.12.{6|7} insecure RUNPATH
Product: Gentoo Security
Reporter: Michal <doman1>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard: ~3 [ebuild] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    

Description Michal 2006-01-08 02:01:20 UTC
Hi, today I got this error and I don't know what's going on:

make[1]: Leaving directory `/var/tmp/portage/librsvg-2.12.7/work/librsvg-2.12.7/data'
man:
gzipping man page: rsvg.1
prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
   /usr/bin/rsvg
   /usr/bin/rsvg-view
   /usr/lib/gtk-2.0/2.4.0/engines/libsvg.so
   /usr/lib/gtk-2.0/2.4.0/loaders/svg_loader.so
   /usr/lib/librsvg-2.so.2.12.7
removing executable bit: /usr/lib/librsvg-2.la

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/librsvg-2.12.7/image//usr/lib usr/bin/rsvg
/var/tmp/portage/librsvg-2.12.7/image//usr/lib usr/bin/rsvg-view
/var/tmp/portage/librsvg-2.12.7/image//usr/lib usr/lib/gtk-2.0/2.4.0/engines/libsvg.so
/var/tmp/portage/librsvg-2.12.7/image//usr/lib usr/lib/gtk-2.0/2.4.0/loaders/svg_loader.so


!!! ERROR: gnome-base/librsvg-2.12.7 failed.
!!! Function dyn_install, Line 1094, Exitcode 0
!!! Aborting due to serious QA concerns with RUNPATH/RPATH
!!! If you need support, post the topmost build error, NOT this status message.


I read this: http://bugs.gentoo.org/show_bug.cgi?id=81745 , but I really don't understand what I have to do; the same error occurs with version 2.12.6

Gentoo ~ # emerge --info
Portage 2.1_pre3-r1 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.6-r2, 2.6.14-gentoo-r5 i686)
=================================================================
System uname: 2.6.14-gentoo-r5 i686 AMD Athlon(tm) XP 2600+
Gentoo Base System version 1.6.13
ccache version 2.4 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -Os -pipe -fomit-frame-pointer -s -mfpmath=sse -DNDEBUG -DG_DISABLE_ASSERT"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -Os -pipe -fomit-frame-pointer -s -mfpmath=sse -DNDEBUG -DG_DISABLE_ASSERT"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig candy ccache distlocks fixpackages sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.prz.rzeszow.pl/ http://gentoo.zie.pg.gda.pl/ http://src.gentoo.pl/"
LANG="pl_PL.UTF-8"
LC_ALL="pl_PL.UTF-8"
LDFLAGS="-Wl,-O1,--sort-common"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 3dnow X alsa apm avi bitmap-fonts bzip2 cdr cups directfb encode ffmpeg flash gdbm gif glut gpm gstreamer gtk gtk2 imlib java jpeg kde kdeenablefinal lcms ldap mmx mp3 mpeg mpg ncurses nls ogg oggvorbis opengl pam perl png python qt quicktime slang sse truetype type1-fonts udev unicode usb v4l vorbis win32codecs xmms xv xvid zlib elibc_glibc kernel_linux linguas_pl userland_GNU"
Unset:  ASFLAGS, CTARGET
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 09:28:13 UTC
Dear gnome herd, please provide fixed ebuilds. It would be nice if you could check if stable versions are affected, too. Thanks in advance.
Comment 2 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-08 15:05:00 UTC
This does not appear to be a librsvg bug, but rather an autoconf bug.  None of the .am or .in files in librsvg contain any references to any kind of runpath, and we don't use the configure from the package, because we run autoconf in the ebuild.  Therefore, any references to a runpath are generated by configure.

I do not get these errors when I install, therefore at least my autoconf is safe.
Comment 3 Michal 2006-01-09 02:07:01 UTC
(In reply to comment #2)
> This does not appear to be a librsvg bug, but rather an autoconf bug.  None of
> the .am or .in files in librsvg contain any references to any kind of runpath,
> and we don't use the configure from the package, because we run autoconf in the
> ebuild.  Therefore, any references to a runpath are generated by configure.
> 
> I do not get these errors when I install, therefore at least my autoconf is
> safe.
> 

I'm sorry, but I don't understand what's wrong with my autoconf?
I use:
Gentoo ~ # autoconf --version
autoconf (GNU Autoconf) 2.59

[ebuild   R   ] sys-devel/autoconf-2.59-r7  USE="-emacs" 0 kB

What should I do now?
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-01-09 02:13:12 UTC
Reopening and reassigning to base-system so that they confirm the problem lies in autoconf.
Comment 5 SpanKY gentoo-dev 2006-01-09 06:29:18 UTC
Has nothing to do with autoconf; libtool generates the libraries.
Comment 6 Tupone Alfredo gentoo-dev 2006-01-12 09:54:10 UTC
Emerges cleanly here.
Comment 7 lynczu 2006-02-01 05:53:35 UTC
I've got the same output as in the first comment. In order to have librsvg emerged I need to modify its ebuild by adding

chrpath -r /usr/bin ${D}/usr/bin/rsvg
chrpath -r /usr/bin ${D}/usr/bin/rsvg-view
chrpath -r /usr/lib ${D}/usr/lib/gtk-2.0/2.4.0/engines/libsvg.so
chrpath -r /usr/lib ${D}/usr/lib/gtk-2.0/2.4.0/loaders/svg_loader.so

at the end of the src_install function.
Comment 8 solar (RETIRED) gentoo-dev 2006-03-05 08:03:03 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail.
Maintainers should still fix the packages they maintain, as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem), no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
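
The check and repair discussed in comments 7 and 8, as an added example that is not part of the original thread and is not Portage's code: it reads lines in the QA notice's "<runpath> <file>" format, drops RUNPATH components that are empty, relative, or under the build root, and prints the chrpath command for each affected file. The classification rules, the function names and the sample files libdemo.so and clean-demo are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: rules and names are assumptions, not Portage's own code.

# Exit status 0 if COMPONENT ($1) is unsafe in a RUNPATH; $2 is the build root.
is_insecure_component() {
    case $1 in
        '')             return 0 ;;  # empty entry: loader searches the cwd
        '$ORIGIN'*)     return 1 ;;  # resolved relative to the binary itself
        "$2"|"$2"/*)    return 0 ;;  # inside the temporary build tree
        /*)             return 1 ;;  # absolute system path
        *)              return 0 ;;  # relative path: depends on the cwd
    esac
}

# Print RUNPATH ($1) with every insecure component removed.
repaired_runpath() {
    local rest="$1:" root="$2" out="" c
    while [ -n "$rest" ]; do
        c=${rest%%:*}       # next component, possibly empty
        rest=${rest#*:}
        is_insecure_component "$c" "$root" || out=${out:+$out:}$c
    done
    printf '%s\n' "$out"
}

# Read "<runpath> <file>" lines (the QA notice format) on stdin and print one
# chrpath command per file whose RUNPATH changes. $1 build root, $2 image dir.
suggest_fixes() {
    local root="$1" image="$2" runpath file fixed
    while read -r runpath file; do
        [ -n "$file" ] || continue
        fixed=$(repaired_runpath "$runpath" "$root")
        if [ "$fixed" = "$runpath" ]; then
            continue                                   # nothing to repair
        elif [ -n "$fixed" ]; then
            printf 'chrpath -r %s %s\n' "$fixed" "$image/$file"
        else
            printf 'chrpath -d %s\n' "$image/$file"   # no safe entry left
        fi
    done
}

# Constructed sample input modelled on the QA notice; libdemo.so is made up.
IMAGE=/var/tmp/portage/librsvg-2.12.7/image
printf '%s\n' \
    "$IMAGE//usr/lib usr/bin/rsvg" \
    "$IMAGE//usr/lib:/usr/lib usr/lib/libdemo.so" \
    "/usr/lib usr/bin/clean-demo" |
    suggest_fixes /var/tmp/portage "$IMAGE"
```

When no safe component remains, the example deletes the RUNPATH entirely, which leaves the loader's default search path in effect.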
Comment 9 Michal 2006-04-04 00:28:39 UTC
(In reply to comment #8)
> The next ~arch portage revision will auto repair evil rpaths and not bail. 
> Maintainers should still fix the packages they maintain as portage will only
> die
> with FEATURES=stricter (but that is a maintainer & QA problem) no longer
> security@
> 
> http://bugs.gentoo.org/show_bug.cgi?id=124962
> 
Obviously, with portage-2.1_pre6 and over there is no rpath error :)