
Bug 140295

Summary: dev-db/qdbm-1.8.48(stable)-1.8.53 appears to have insecure RUNPATH issues
Product: Gentoo Security
Reporter: Daniel Black (RETIRED) <dragonheart>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hattya, nichoj
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.gentoo.org/show_bug.cgi?id=108534
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 81745    
Attachments: qdbm-runpath2.diff

Description Daniel Black (RETIRED) gentoo-dev 2006-07-13 20:59:24 UTC
qdbm-1.8.48 (stable) contains RUNPATH issues as a result of LD_RUN_PATH=/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib

qdbm-1.8.49 and qdbm-1.8.53 also suffer the same problem.
Same as bug 108534 but a different version.

From emerge:
ln -f -s libqdbm.so.12.9.0 libqdbm.so
LD_RUN_PATH=/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib i686-pc-linux-gnu-gcc -Wall -ansi -pedantic -fPIC -fsigned-char -O2 -fomit-frame-pointer -DNDEBUG -o dpmgr dpmgr.o -L. -L/var/tmp/portage/qdbm-1.8.48/homedir/lib -L/usr/local/lib -lqdbm -lbz2 -lz -lpthread -lc


QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 with the maintaining herd of the package.
 Summary: dev-db/qdbm: insecure RPATH /lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dpmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dptsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crtsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/rlmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/hvmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/cbcodec
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vlmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vltsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odidx
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dpmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dptsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/crtsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/rlmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/hvmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/cbcodec
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vlmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/vltsv
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odmgr
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/odidx

# emerge --info
Portage 2.1-r1 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.5-r2, 2.6.14-hardened-r5 i686)
=================================================================
System uname: 2.6.14-hardened-r5 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.15
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.3.5, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
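
A check in the spirit of the QA notice above, as an added example that is not part of the original bug report and is not Portage's own code: it parses `<RUNPATH> <file>` lines and flags entries under temporary build trees, empty entries and relative entries. The `UNTRUSTED_PREFIXES` list and all function names are assumptions; the first sample line comes from the notice, the other two are constructed.

```python
import posixpath

# Assumption: prefixes treated as untrusted because unprivileged users can
# usually create paths beneath them; adjust for the system being audited.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp")

def classify_entry(entry):
    """Return a reason string if a single RUNPATH entry is unsafe, else None."""
    if entry == "":
        return "empty entry (resolved as the current directory)"
    if entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"):
        return None  # relative to the binary's own location, not audited here
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)
    for prefix in UNTRUSTED_PREFIXES:
        # Match whole path components so /var/tmpfoo is not a false positive.
        if norm == prefix or norm.startswith(prefix + "/"):
            return "under " + prefix
    return None

def audit(report):
    """Parse '<runpath> <file>' lines; return {file: [(entry, reason), ...]}."""
    findings = {}
    for line in report.splitlines():
        line = line.strip()
        if " " not in line:
            continue  # blank line, or a file listed without any RUNPATH
        runpath, _, path = line.rpartition(" ")
        bad = [(e, r) for e in runpath.split(":") if (r := classify_entry(e))]
        if bad:
            findings[path] = bad
    return findings

# First line is taken from the QA notice; the other two are constructed.
SAMPLE = """\
/lib:/usr/lib:/var/tmp/portage/qdbm-1.8.48/homedir/lib:/usr/local/lib:/usr/lib usr/bin/dpmgr
/usr/lib:/usr/lib/qdbm usr/bin/clean-example
/usr/lib::lib usr/bin/constructed-example
"""

if __name__ == "__main__":
    for path, bad in audit(SAMPLE).items():
        for entry, reason in bad:
            print(f"{path}: {entry!r}: {reason}")
```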

Comment 1 Daniel Black (RETIRED) gentoo-dev 2006-07-13 21:00:30 UTC
Created attachment 91671
qdbm-runpath2.diff

a fix

Comment 2 Daniel Black (RETIRED) gentoo-dev 2006-09-06 17:46:28 UTC
*** Bug 146623 has been marked as a duplicate of this bug. ***

Comment 3 Akinori Hattori gentoo-dev 2006-10-30 03:59:43 UTC
arm, s390 and sh need to stabilize 1.8.70-r1 to fix this bug.

Comment 4 Daniel Black (RETIRED) gentoo-dev 2006-12-27 11:26:16 UTC
qdbm-1.8.70-r1 all stable as per bug 149578

GLSA vote no as portage has fixed runpath issues before install for ages and it's pretty hard to exploit.

Time for closure and qdbm-1.8.46 removal (nothing explicitly needs this version)?

Comment 5 Daniel Black (RETIRED) gentoo-dev 2006-12-31 04:15:53 UTC
Closing - thanks Tavis