|Summary:|dev-cpp/gtkmm-2.8.1 insecure RUNPATHs|
|Product:|Gentoo Security|
|Reporter:|lynczu <lynczu>|
|Component:|Runpath Issues|
|Assignee:|GNOME C++ Bindings Maintainers (OBSOLETE) <gnome-mm+disabled>|
Description lynczu 2006-01-30 22:56:06 UTC
prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
/usr/lib/libatkmm-1.6.so.1.0.24
/usr/lib/libgdkmm-2.4.so.1.0.24
/usr/lib/libgtkmm-2.4.so.1.0.24
/usr/lib/libpangomm-1.4.so.1.0.24
removing executable bit: /usr/lib/libatkmm-1.6.la
removing executable bit: /usr/lib/libgdkmm-2.4.la
removing executable bit: /usr/lib/libgtkmm-2.4.la
removing executable bit: /usr/lib/libpangomm-1.4.la

QA Notice: the following files contain insecure RUNPATH's
Please file a bug about this at http://bugs.gentoo.org/
For more information on this issue, kindly review:
http://bugs.gentoo.org/81745
/tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.24
/tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.24

!!! ERROR: dev-cpp/gtkmm-2.8.1 failed.
Call stack:
ebuild.sh, line 1894: Called dyn_install

!!! Aborting due to serious QA concerns with RUNPATH/RPATH
!!! If you need support, post the topmost build error, and the call stack if relevant.
Comment 1 lynczu 2006-01-30 23:22:27 UTC
workaround can be found here - http://forums.gentoo.org/viewtopic-p-3072775.html#3072775
Comment 2 solar (RETIRED) 2006-01-31 08:51:17 UTC
Using /tmp for your /var/tmp via a symlink and/or setting it via portage is a bad idea.
Comment 3 lynczu 2006-01-31 09:21:47 UTC
I didn't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when I've changed it, but it's correct now, thanks (:
Comment 4 fabio 2006-02-21 14:25:23 UTC
(In reply to comment #0)
> prepallstrip:
> strip: i686-pc-linux-gnu-strip --strip-unneeded
> /usr/lib/libatkmm-1.6.so.1.0.24
> /usr/lib/libgdkmm-2.4.so.1.0.24
> /usr/lib/libgtkmm-2.4.so.1.0.24
> /usr/lib/libpangomm-1.4.so.1.0.24
> removing executable bit: /usr/lib/libatkmm-1.6.la
> removing executable bit: /usr/lib/libgdkmm-2.4.la
> removing executable bit: /usr/lib/libgtkmm-2.4.la
> removing executable bit: /usr/lib/libpangomm-1.4.la
>
> QA Notice: the following files contain insecure RUNPATH's
> Please file a bug about this at http://bugs.gentoo.org/
> For more information on this issue, kindly review:
> http://bugs.gentoo.org/81745
> /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.24
> /tmp/portage/gtkmm-2.8.1/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.24
>
>
> !!! ERROR: dev-cpp/gtkmm-2.8.1 failed.
> Call stack:
> ebuild.sh, line 1894: Called dyn_install
>
> !!! Aborting due to serious QA concerns with RUNPATH/RPATH
> !!! If you need support, post the topmost build error, and the call stack if
> relevant.
>

(In reply to comment #3)
> I didn't pay attention that I've got PORTAGE_TMPDIR set to /tmp, no idea when
> I've changed it, but it's correct now, thanks (:
>

I've the same problem

prepallstrip:
strip: i686-pc-linux-gnu-strip --strip-unneeded
usr/lib/libpangomm-1.4.so.1.0.25
usr/lib/libatkmm-1.6.so.1.0.25
usr/lib/libgdkmm-2.4.so.1.0.25
usr/lib/libgtkmm-2.4.so.1.0.25
making executable: /usr/lib/libatkmm-1.6.so.1.0.25
making executable: /usr/lib/libgdkmm-2.4.so.1.0.25
making executable: /usr/lib/libgtkmm-2.4.so.1.0.25
making executable: /usr/lib/libpangomm-1.4.so.1.0.25

QA Notice: the following files contain insecure RUNPATH's
Please file a bug about this at http://bugs.gentoo.org/
For more information on this issue, kindly review:
http://bugs.gentoo.org/81745
/var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgdkmm-2.4.so.1.0.25
/var/tmp/portage/gtkmm-2.8.3/image//usr/lib usr/lib/libgtkmm-2.4.so.1.0.25
Comment 5 solar (RETIRED) 2006-03-05 08:03:13 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. Maintainers should still fix the packages they maintain as portage will only die with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 6 Jakub Moc (RETIRED) 2006-09-21 03:47:19 UTC
No longer a security issue with current stable portage, re-assigning to maintainer.
Comment 7 Rémi Cardona 2008-04-12 21:10:01 UTC
@QA, Could you guys tell me how I can fix this? How do I even know if newer versions are affected? Thanks
Comment 8 Mark Loeser (RETIRED) 2008-04-13 01:03:26 UTC
I really wish the things listed as being "QA notices" by Portage were actually things that the QA team knew about and had documentation for. I'll have to get back to you on what the check is doing as I've never really looked.
Comment 9 SpanKY 2008-04-19 22:28:09 UTC
they are already documented and have been for quite a long time ... just look in the doc/ subdir

as for insecure runpaths, that's fairly obvious by the error message ... the libraries in question have DT runpath tags encoded in them that point to temporary directories
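An added example, not part of the thread and not Portage's own check: a shell filter that reads `readelf -d` output and reports RPATH/RUNPATH entries pointing into the build root or a temporary directory, the condition the QA notice describes. It goes slightly beyond the thread by also flagging empty and relative entries, which the loader resolves against the current directory; the function names and the sample input (built from the path in the QA notice) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Portage's own check. Input is assumed to be `readelf -d` text.

# Print why one RPATH/RUNPATH entry is unsafe; print nothing if it looks fine.
runpath_entry_problem() {
    entry=$1
    buildroot=${2%/}
    : "${buildroot:=/var/tmp/portage}"   # assumed default build root
    case $entry in
        '')                              echo "empty entry (current directory)" ;;
        '$ORIGIN'*|'${ORIGIN}'*)         ;;  # resolved relative to the object itself
        "$buildroot"|"$buildroot"/*)     echo "inside build root" ;;
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) echo "temporary directory" ;;
        /*)                              ;;  # ordinary absolute path
        *)                               echo "relative path" ;;
    esac
}

# Read `readelf -d` output on stdin and print TAG<TAB>ENTRY<TAB>REASON
# for every unsafe search-path entry. $1 is the build root to treat as unsafe.
scan_dynamic_section() {
    sed -n 's/.*(\(R[UN]*PATH\)).*\[\(.*\)].*/\1:\2/p' |
    while IFS= read -r line; do
        tag=${line%%:*}
        rest="${line#*:}:"               # trailing ":" so the last entry is seen
        while [ -n "$rest" ]; do
            entry=${rest%%:*}
            rest=${rest#*:}
            reason=$(runpath_entry_problem "$entry" "$1")
            [ -z "$reason" ] || printf '%s\t%s\t%s\n' "$tag" "$entry" "$reason"
        done
    done
}

# Constructed sample in `readelf -d` format, using the path from the QA notice.
sample_dynamic_section() {
    cat <<'EOF'
 0x00000001 (NEEDED)                     Shared library: [libgdkmm-2.4.so.1]
 0x0000000e (SONAME)                     Library soname: [libgtkmm-2.4.so.1]
 0x0000001d (RUNPATH)                    Library runpath: [/tmp/portage/gtkmm-2.8.1/image//usr/lib:/usr/lib]
EOF
}

# Demo on the constructed sample; prints the one unsafe entry.
sample_dynamic_section | scan_dynamic_section /tmp/portage
```

Against an installed library the same filter is fed from `readelf -d /usr/lib/libgtkmm-2.4.so.1.0.24 | scan_dynamic_section "$PORTAGE_TMPDIR/portage"`; no output means no unsafe entries were found.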
Comment 10 Rémi Cardona 2008-05-02 08:53:53 UTC
Ok, but if I emerge those packages and I don't have any QA warning, that means it has already been fixed, doesn't it?
Comment 11 Rémi Cardona 2008-05-27 06:53:55 UTC
Alright, well, 2.8.* is no longer in portage and newer versions don't have that QA warning anymore. Closing Fixed.