
Bug 123053

Summary: sci-libs/comedilib-0.7.21 RUNPATH bug
Product: Gentoo Security
Reporter: MAL <mal>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: blg, caleb, lema, patrizio.bassi
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745
Attachments:
  fix rpath problem - comedilib-0.7.21
  fix comedi_calibrate/Makefile.in to respect DESTDIR in install-data-local
  2nd fix rpath problem - comedilib-0.7.21

Description MAL 2006-02-16 09:33:38 UTC
making executable: /usr/lib/libcomedi.so.0.0.0

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/lib/python2.4/site-packages/_comedi.so
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/bin/comedi_calibrate
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/bin/comedi_test


Bug #81745 said report each application as a new bug.
I just upgraded python from 2.2 to 2.4 (old embedded system being upgraded), and this was one of the packages rebuilt by python-updater.


emerge info:

Portage 2.0.54 (default-linux/x86/2005.1, gcc-3.2.3, glibc-2.3.2-r3, 2.6.15-procyon1-i870 i686)
=================================================================
System uname: 2.6.15-procyon1-i870 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Gentoo Base System version 1.6.14
dev-lang/python:     2.2.3-r5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.59-r5
sys-devel/automake:  1.8.5-r1
sys-devel/binutils:  2.15.90.0.1.1-r3
sys-devel/libtool:   1.4.3-r1, 1.5.2-r7
virtual/os-headers:  2.4.19-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks notitles sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.heanet.ie/pub/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.2/gentoo-portage"
USE="x86 apache2 apm berkdb directfb dvd dvdr dvdread edl fbcon gdbm gif jpeg mmx mmx2 mpeg ncurses nls oss pam png python readline rtc sse sse2 ssl truetype zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 solar (RETIRED) gentoo-dev 2006-03-05 08:03:19 UTC
The next ~arch portage revision will auto repair evil rpaths and not bail. 
Maintainers should still fix the packages they maintain as portage will only die
with FEATURES=stricter (but that is a maintainer & QA problem) no longer security@

http://bugs.gentoo.org/show_bug.cgi?id=124962
Comment 2 Patrizio Bassi 2006-03-06 00:57:42 UTC
same here.
Comment 3 Ben Gardiner 2006-03-08 07:40:58 UTC
Created attachment 81688 [details]
fix rpath problem - comedilib-0.7.21
Comment 4 Ben Gardiner 2006-03-08 07:41:44 UTC
I think I have a fix.
What seems to happen is that the autotools-based build uses $prefix to set the rpath of libcomedi.la when it is linked (with libtool). This path is used to set the rpath of comedi_calibrate et al. during the 'make install' (which also uses libtool for install).
The solution is to configure the package with --prefix=/usr and install it using DESTDIR=${D}. Note that the package still needs to be configured with --localstatedir=${D}/var because the automake-based makefile, comedi_calibrate/Makefile.am does not respect DESTDIR for the install-data-local target.
Also, I have changed the 'make' command in src_compile() to 'emake || die'.
HTH,
Ben
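
Added example (not part of any comment in this bug and not Portage's own code): a small checker that parses "<RUNPATH> <file>" lines like those in the QA notice above, flags RUNPATH entries that are empty, relative, or inside the build directory, and computes the RUNPATH that remains once they are dropped. The build root /var/tmp/portage is taken from the paths in the report; the fourth sample line and the treatment of $ORIGIN as acceptable are assumptions.

```python
import posixpath

# The three "<RUNPATH> <file>" lines from the QA notice in this bug, plus one
# constructed line (usr/bin/example) with a mixed RUNPATH.
QA_LINES = """\
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/lib/python2.4/site-packages/_comedi.so
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/bin/comedi_calibrate
/var/tmp/portage/comedilib-0.7.21/image//usr/lib usr/bin/comedi_test
/usr/lib:/var/tmp/portage/example-1.0/image/usr/lib::lib usr/bin/example
"""

def classify_entry(entry, build_roots=("/var/tmp/portage",)):
    """Return why one RUNPATH entry is unsafe, or None if it is acceptable."""
    if entry == "":
        return "empty entry (searched as the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # assumption: loader-expanded $ORIGIN is acceptable here
    if not entry.startswith("/"):
        return "relative path"
    norm = "/" + posixpath.normpath(entry).lstrip("/")  # collapse '//' and '..'
    for root in build_roots:
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return "inside build directory " + root
    return None

def audit(qa_text, build_roots=("/var/tmp/portage",)):
    """Parse '<RUNPATH> <file>' lines; report bad entries and a cleaned RUNPATH."""
    findings = []
    for line in qa_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a "<RUNPATH> <file>" line
        runpath, path = parts
        bad, keep = [], []
        for entry in runpath.split(":"):
            reason = classify_entry(entry, build_roots)
            if reason:
                bad.append((entry, reason))
            else:
                keep.append(entry)
        if bad:
            findings.append({"file": path.strip(), "bad": bad,
                             "repaired": ":".join(keep)})
    return findings

if __name__ == "__main__":
    for f in audit(QA_LINES):
        print(f["file"], "->", repr(f["repaired"]))
        for entry, reason in f["bad"]:
            print("   drop %r: %s" % (entry, reason))
```
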
Comment 5 Ben Gardiner 2006-03-08 08:27:27 UTC
I have posted a bug at comedi.org about the target, install-data-local, not respecting DESTDIR.

https://bugzilla.comedi.org/cgi-bin/bugzilla/show_bug.cgi?id=213
Comment 6 SpanKY gentoo-dev 2006-03-08 08:30:35 UTC
yeah, this ebuild's src_compile is way broken

the updated ebuild should also *not* pass $D to configure ... patch the makefiles, don't hack configure
Comment 7 Ben Gardiner 2006-03-08 09:47:15 UTC
Created attachment 81698 [details, diff]
fix comedi_calibrate/Makefile.in to respect DESTDIR in install-data-local

(In reply to comment #6)
> yeah, this ebuild's src_compile is way broken
> 
> the updated ebuild should also *not* pass $D to configure ... patch the
> makefiles, don't hack configure
> 

Definitely. I realize that passing ${D} to configure _is bad_; however, the option --localstatedir is considered only by one target in one makefile and the target in an install hook. The whole subdir is phased out in the CVS version; so it's not a big deal to 'hack' ./configure. But you're the boss: Here is a patch for the makefile.
Comment 8 Ben Gardiner 2006-03-08 09:53:40 UTC
Created attachment 81699 [details]
2nd fix rpath problem - comedilib-0.7.21

updated the ebuild to stop passing ${D} to configure and apply the above patch
Comment 9 SpanKY gentoo-dev 2006-03-08 15:20:01 UTC
thanks, patches/ebuilds look good to me ... up to the maintainer to update the tree now
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2006-03-08 15:32:07 UTC
he's right - that's me.
Comment 11 Patrizio Bassi 2006-03-12 00:28:52 UTC
fix works, can you commit to cvs?
Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2006-03-13 09:52:25 UTC
removed comedi, and as such have removed comedilib from portage.