
Bug 122875

Summary: sci-libs/vtk-4.2.6 fails emerge due to insecure RUNPATH's
Product: Gentoo Security
Reporter: Craig Finch <oanjao>
Component: Runpath Issues
Assignee: Markus Dittrich (RETIRED) <markusle>
Status: RESOLVED FIXED
Severity: normal
CC: cbm
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard: [ebuild?]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745
Attachments: CMake cache file for VTK 4.2.6; patch for vtk-4.2.6.ebuild

Description Craig Finch 2006-02-14 19:56:13 UTC
Also posted as a comment to Bug 81745 as requested.

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtk
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtkpython
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib:/opt/blackdown-jdk-1.4.2.01/jre/lib/i386 usr/lib/vtk/libvtkHybridJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommon.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIO.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFiltering.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybrid.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImaging.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphics.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybridPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRendering.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkIOTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/opt/blackdown-jdk-1.4.2.01/jre/lib/i386:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingJava.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkGraphicsTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkftgl.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkHybridTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommonTCL.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/lib/vtk/libvtkRenderingPythonTkWidgets.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkFilteringPython.so
.:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkImagingTCL.so

-----------------------------------------------------------------

Gentoo Base System version 1.4.16
Portage 2.0.53 (default-linux/x86/2005.0, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-gentoo-r9 i686)
=================================================================
System uname: 2.6.9-gentoo-r9 i686 AMD Athlon(tm) Processor
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.3.4
sys-apps/sandbox:    1.2.11
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.8.5-r1
sys-devel/binutils:  2.15.90.0.1.1-r3
sys-devel/libtool:   1.4.3-r4, 1.5.2-r7
virtual/os-headers:  2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts audiofile avi berkdb bitmap-fonts bonobo bzip2 cdr crypt cups curl emboss encode esd exif expat f77 fam ffmpeg flac foomaticdb fortran gcl gdbm gif glut gmp gnome gpm gstreamer gtk gtk2 gtkhtml guile idn imagemagick imlib ipv6 java joystick jpeg lcms libg++ libwww mad mhash mikmod ming mng motif mp3 mpeg mysql ncurses nls ogg oggvorbis openal opengl oss pam pcre pdflib perl png ppds python qt quicktime readline scanner sdl slang spell ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts udev vorbis xml xml2 xmms xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Colin Macdonald 2006-02-22 21:06:22 UTC
I just rebuilt vtk but I cannot reproduce this with USE="java python tcltk threads -doc -examples -mpi -patented".  What are your use flags for vtk?
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-22 21:25:37 UTC
markusle please verify and provide new ebuilds if needed, thx
Comment 3 Markus Dittrich (RETIRED) gentoo-dev 2006-02-22 22:06:33 UTC
(In reply to comment #2)
> markusle please verify and provide new ebuilds if needed, thx
> 

I'll have a look at it soon! Thanks for reporting.

Thanks,
Markus
Comment 4 Markus Dittrich (RETIRED) gentoo-dev 2006-02-24 07:38:56 UTC
Unfortunately, I cannot reproduce this here with identical use flags to
yours. Which version of cmake are you currently running? Also, could 
you please post the cmake cache file CMakeCache.txt (should be located
at /var/tmp/portage/vtk-4.2.6/work/VTK).
Finally, it looks like your system is somewhat outdated, e.g. python, binutils, ...
It might be a good idea to bring it up to the current x86 and then try again.

Thanks,
Markus
Comment 5 Craig Finch 2006-02-24 07:57:57 UTC
Created attachment 80605
CMake cache file for VTK 4.2.6

cmake version 2.0.3
See attached CMakeCache.txt

I will try updating the system this weekend and re-emerge VTK.

  Craig
Comment 6 Markus Dittrich (RETIRED) gentoo-dev 2006-02-25 04:21:26 UTC
Created attachment 80679
patch for vtk-4.2.6.ebuild

Thanks for posting your cache file and I can see now where the problem
might be. Please try the attached patch for the ebuild and report 
back.

Thanks,
Markus
Comment 7 Craig Finch 2006-02-25 16:01:08 UTC
I got VTK to emerge correctly.  I tried upgrading binutils and python as recommended, but vtk still had the insecure RUNPATH problem.  I then upgraded cmake to the latest stable version and I was able to install successfully.  All this took place without the patch.  So, it appears that cmake 2.0.6 is necessary to build VTK.  Markus, sorry I was not able to try out your patch.
  -- Craig
Comment 8 Markus Dittrich (RETIRED) gentoo-dev 2006-02-26 11:12:12 UTC
(In reply to comment #7)
> I got VTK to emerge correctly. 

Hi Craig,

I am glad that upgrading cmake took care of the problem. In any case,
I applied the patch to the ebuild since it should prevent similar things from
happening in the future.

@security.g.o: It looks like the insecure RUNPATH problems have been
resolved.

Thanks,
Markus 
Comment 9 solar (RETIRED) gentoo-dev 2006-03-05 08:03:16 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
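
Added example, not part of the original thread and not Portage's own code: a sketch of the kind of check behind the QA notice in the report and the repair described in comment 9. The policy (empty or relative entries and entries under /tmp or /var/tmp are dropped, $ORIGIN is accepted) and all function names are assumptions; the two sample lines are copied from the report above.

```python
import posixpath

# Assumption: roots that any local user can write beneath.
WORLD_WRITABLE_ROOTS = ("/tmp", "/var/tmp")


def classify_entry(entry):
    """Return why a RUNPATH entry is unsafe, or None if it is acceptable."""
    if entry == "":
        return "empty entry, treated as the current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # assumption: paths relative to the binary itself are accepted
    if not entry.startswith("/"):
        return "relative path, resolved against the current directory"
    norm = "/" + posixpath.normpath(entry).lstrip("/")
    for root in WORLD_WRITABLE_ROOTS:
        if norm == root or norm.startswith(root + "/"):
            return "under world-writable " + root
    return None


def audit(line):
    """Audit one '<runpath> <file>' line in the QA notice layout."""
    runpath, sep, path = line.strip().rpartition(" ")
    if not sep:
        raise ValueError("expected '<runpath> <file>': %r" % line)
    insecure, kept = [], []
    for entry in runpath.split(":"):
        reason = classify_entry(entry)
        if reason:
            insecure.append((entry, reason))
        else:
            kept.append(entry)
    return {"file": path, "insecure": insecure, "repaired": ":".join(kept)}


# Two lines copied from the QA notice in the report above.
SAMPLE = [
    ".:/var/tmp/portage/vtk-4.2.6/work/VTK/bin:/usr/X11R6/lib usr/bin/vtk",
    ".:/var/tmp/portage/vtk-4.2.6/work/VTK/bin usr/lib/vtk/libvtkCommon.so",
]

if __name__ == "__main__":
    for line in SAMPLE:
        result = audit(line)
        print(result["file"], "->", repr(result["repaired"]))
        for entry, reason in result["insecure"]:
            print("  drop", entry, "(" + reason + ")")
```
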
Comment 10 Markus Dittrich (RETIRED) gentoo-dev 2006-03-05 08:43:25 UTC
(In reply to comment #9)
> The next ~arch portage revision will auto repair evil rpaths and not bail. 
> Maintainers should still fix the packages they maintain as portage will only
> die
> with FEATURES=stricter (but that is a maintainer & QA problem) no longer
> security@
> 
> http://bugs.gentoo.org/show_bug.cgi?id=124962
> 

Hi solar,

Thank you very much for the info and for pointing out the relevant
bug.

best,
Markus
Comment 11 Markus Dittrich (RETIRED) gentoo-dev 2006-08-07 17:32:28 UTC
Hi security folks,

Can this bug be closed? It looks like the issue has
been resolved and version 4.2.6 will be removed
from the tree in the very near future anyway.

Thanks,
Markus
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 03:49:41 UTC
No longer a security issue with current stable portage, re-assigning to maintainer.

Just close it if it's no longer reproducible with current versions in portage.
Comment 13 Markus Dittrich (RETIRED) gentoo-dev 2006-09-21 05:25:32 UTC
(In reply to comment #12)
> No longer a security issue with current stable portage, re-assigning to
> maintainer.
> 
> Just close it if it's no longer reproducible with current versions in portage.
> 

Thanks Jakub!

Current versions are fine to the best of my knowledge, hence I'll close
this one.

best,
Markus