Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 119715

Summary: net-p2p/sancho-bin problem with relative DT_RPATH '.:./lib'
Product: Gentoo Security Reporter: Krzysztof Pawlik (RETIRED) <nelchael>
Component: Runpath IssuesAssignee: Gentoo net-p2p team <net-p2p>
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    

Description Krzysztof Pawlik (RETIRED) gentoo-dev 2006-01-20 11:32:43 UTC
Merge of net-p2p/sancho-bin-

strip: i686-pc-linux-gnu-strip --strip-unneeded
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.:./lib' in /var/tmp/portage/sancho-bin-
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH './lib' in /var/tmp/portage/sancho-bin-

Issue similiar to bug 117063.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-01-20 11:43:46 UTC
the sancho wrapper script cd's to /opt/bin before executing, so not possible to exploit this unless someone executes it directly.

nevertheless, should be fixed.
Comment 2 solar (RETIRED) gentoo-dev 2006-03-05 08:03:06 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:45:47 UTC
No longer a security issue with current stable portage, re-assigning to maintainer.
Comment 4 Krzysztof Pawlik (RETIRED) gentoo-dev 2006-09-28 04:28:34 UTC
As it's a not a security issue anymore