| Summary: | dev-cpp/gtkmm-2.8.1 insecure RUNPATHs | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | lynczu <lynczu> |
| Component: | Runpath Issues | Assignee: | GNOME C++ Bindings Maintainers (OBSOLETE) <gnome-mm+disabled> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | qa |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | x86 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 81745 | ||
|
Description
lynczu
2006-01-30 22:56:06 UTC
workaround can be found here - http://forums.gentoo.org/viewtopic-p-3072775.html#3072775 using /tmp for your /var/tmp via a symlink and or setting it via portage is a bad idea. I didin't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when I've changed it, but it's correct now, thanks (: (In reply to comment #0) > prepallstrip: > strip: i686-pc-linux-gnu-strip --strip-unneeded > /usr/lib/libatkmm-1.6.so.1.0.24 > /usr/lib/libgdkmm-2.4.so.1.0.24 > /usr/lib/libgtkmm-2.4.so.1.0.24 > /usr/lib/libpangomm-1.4.so.1.0.24 > removing executable bit: /usr/lib/libatkmm-1.6.la > removing executable bit: /usr/lib/libgdkmm-2.4.la > removing executable bit: /usr/lib/libgtkmm-2.4.la > removing executable bit: /usr/lib/libpangomm-1.4.la > > QA Notice: the following files contain insecure RUNPATH's > Please file a bug about this at http://bugs.gentoo.org/ > For more information on this issue, kindly review: > http://bugs.gentoo.org/81745 > /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.24 > /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.24 > > > !!! ERROR: dev-cpp/gtkmm-2.8.1 failed. > Call stack: > ebuild.sh, line 1894: Called dyn_install > > !!! Aborting due to serious QA concerns with RUNPATH/RPATH > !!! If you need support, post the topmost build error, and the call stack if > relevant. > (In reply to comment #3) > I didin't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when > I've changed it, but it's correct now, thanks (: > I've the same problem prepallstrip: strip: i686-pc-linux-gnu-strip --strip-unneeded usr/lib/libpangomm-1.4.so.1.0.25 usr/lib/libatkmm-1.6.so.1.0.25 usr/lib/libgdkmm-2.4.so.1.0.25 usr/lib/libgtkmm-2.4.so.1.0.25 making executable: /usr/lib/libatkmm-1.6.so.1.0.25 making executable: /usr/lib/libgdkmm-2.4.so.1.0.25 making executable: /usr/lib/libgtkmm-2.4.so.1.0.25 making executable: /usr/lib/libpangomm-1.4.so.1.0.25 QA Notice: the following files contain insecure RUNPATH's Please file a bug about this at http://bugs.gentoo.org/ For more information on this issue, kindly review: http://bugs.gentoo.org/81745 /var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.25 /var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.25 The next ~arch portage revision will auto repair evil rpaths and not bail. Maintainers should still fix the packages they maintain as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@ http://bugs.gentoo.org/show_bug.cgi?id=124962 No longer a security issue with current stable portage, re-assigning to maintainer. @QA, Could you guys tell me how I can fix this? How do I even know if newer versions are affected? Thanks I really wish the things listed as being "QA notices" by Portage were actually things that the QA team knew about and had documentation for. I'll have to get back to you on what the check is doing as I've never really looked. they are already documented and have been for quite a long time ... just look in the doc/ subdir as for insecure runpaths, that's fairly obvious by the error message ... the libraries in question have DT runpath tags encoded in them that point to temporary directories Ok, but if when I emerge those packages and I don't have any QA warning, that means it has already been fixed, doesn't it? Alright, well, 2.8.* is no longer in portage and newer versions don't have that QA warning anymore. Closing Fixed. |
