Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 121012

Summary: dev-cpp/gtkmm-2.8.1 insecure RUNPATHs
Product: Gentoo Security Reporter: lynczu <lynczu>
Component: Runpath IssuesAssignee: GNOME C++ Bindings Maintainers (OBSOLETE) <gnome-mm+disabled>
Status: RESOLVED FIXED    
Severity: normal CC: qa
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    

Description lynczu 2006-01-30 22:56:06 UTC
prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
   /usr/lib/libatkmm-1.6.so.1.0.24
   /usr/lib/libgdkmm-2.4.so.1.0.24
   /usr/lib/libgtkmm-2.4.so.1.0.24
   /usr/lib/libpangomm-1.4.so.1.0.24
removing executable bit: /usr/lib/libatkmm-1.6.la
removing executable bit: /usr/lib/libgdkmm-2.4.la
removing executable bit: /usr/lib/libgtkmm-2.4.la
removing executable bit: /usr/lib/libpangomm-1.4.la

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.24
/tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.24


!!! ERROR: dev-cpp/gtkmm-2.8.1 failed.
Call stack:
  ebuild.sh, line 1894:   Called dyn_install

!!! Aborting due to serious QA concerns with RUNPATH/RPATH
!!! If you need support, post the topmost build error, and the call stack if relevant.
Comment 1 lynczu 2006-01-30 23:22:27 UTC
workaround can be found here - http://forums.gentoo.org/viewtopic-p-3072775.html#3072775
Comment 2 solar (RETIRED) gentoo-dev 2006-01-31 08:51:17 UTC
using /tmp for your /var/tmp via a symlink and or setting it via portage 
is a bad idea. 
Comment 3 lynczu 2006-01-31 09:21:47 UTC
I didin't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when I've changed it, but it's correct now, thanks (:
Comment 4 fabio 2006-02-21 14:25:23 UTC
(In reply to comment #0)
> prepallstrip:
> strip: i686-pc-linux-gnu-strip --strip-unneeded
>    /usr/lib/libatkmm-1.6.so.1.0.24
>    /usr/lib/libgdkmm-2.4.so.1.0.24
>    /usr/lib/libgtkmm-2.4.so.1.0.24
>    /usr/lib/libpangomm-1.4.so.1.0.24
> removing executable bit: /usr/lib/libatkmm-1.6.la
> removing executable bit: /usr/lib/libgdkmm-2.4.la
> removing executable bit: /usr/lib/libgtkmm-2.4.la
> removing executable bit: /usr/lib/libpangomm-1.4.la
> 
> QA Notice: the following files contain insecure RUNPATH's
>  Please file a bug about this at http://bugs.gentoo.org/
>  For more information on this issue, kindly review:
>  http://bugs.gentoo.org/81745
> /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.24
> /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.24
> 
> 
> !!! ERROR: dev-cpp/gtkmm-2.8.1 failed.
> Call stack:
>   ebuild.sh, line 1894:   Called dyn_install
> 
> !!! Aborting due to serious QA concerns with RUNPATH/RPATH
> !!! If you need support, post the topmost build error, and the call stack if
> relevant.
> 

(In reply to comment #3)
> I didin't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when
> I've changed it, but it's correct now, thanks (:
> 

I've the same problem
prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
   usr/lib/libpangomm-1.4.so.1.0.25
   usr/lib/libatkmm-1.6.so.1.0.25
   usr/lib/libgdkmm-2.4.so.1.0.25
   usr/lib/libgtkmm-2.4.so.1.0.25
making executable: /usr/lib/libatkmm-1.6.so.1.0.25
making executable: /usr/lib/libgdkmm-2.4.so.1.0.25
making executable: /usr/lib/libgtkmm-2.4.so.1.0.25
making executable: /usr/lib/libpangomm-1.4.so.1.0.25

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.25
/var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.25

Comment 5 solar (RETIRED) gentoo-dev 2006-03-05 08:03:13 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:47:19 UTC
No longer a security issue with current stable portage, re-assigning to maintainer.
Comment 7 Rémi Cardona gentoo-dev 2008-04-12 21:10:01 UTC
@QA,

Could you guys tell me how I can fix this? How do I even know if newer versions are affected?

Thanks
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2008-04-13 01:03:26 UTC
I really wish the things listed as being "QA notices" by Portage were actually things that the QA team knew about and had documentation for.

I'll have to get back to you on what the check is doing as I've never really looked.
Comment 9 SpanKY gentoo-dev 2008-04-19 22:28:09 UTC
they are already documented and have been for quite a long time ... just look in the doc/ subdir

as for insecure runpaths, that's fairly obvious by the error message ... the libraries in question have DT runpath tags encoded in them that point to temporary directories
Comment 10 Rémi Cardona gentoo-dev 2008-05-02 08:53:53 UTC
Ok, but if when I emerge those packages and I don't have any QA warning, that means it has already been fixed, doesn't it?
Comment 11 Rémi Cardona gentoo-dev 2008-05-27 06:53:55 UTC
Alright, well, 2.8.* is no longer in portage and newer versions don't have that QA warning anymore. Closing Fixed.