Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 301344

Summary: media-sound/teamspeak-server-bin-3.0.0_beta12: scanelf: rpath_security_checks(): Security problem with relative DT_RPATH
Product: Gentoo Linux Reporter: Benjamin Börngen-Schmidt <benjamin>
Component: Current packagesAssignee: Christian Parpart (RETIRED) <trapni>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Benjamin Börngen-Schmidt 2010-01-18 09:05:43 UTC 
scanelf reports security problems, but installs fine.

Reproducible: Always

Steps to Reproduce:
1. emerge teamspeak3

Actual Results:  
 * teamspeak3-server_linux-amd64-3.0.0-beta12.tar.gz RMD160 SHA1 SHA256 size ;-) ...                                             [ ok ]
 * checking ebuild checksums ;-) ...                                                                                             [ ok ]
 * checking auxfile checksums ;-) ...                                                                                            [ ok ]
 * checking miscfile checksums ;-) ...                                                                                           [ ok ]

 * Adding user 'teamspeak3' to your system ...
 *  - Userid: 104
 *  - Shell: /sbin/nologin
 *  - Home: /dev/null
 *  - Groups: (none)
>>> Unpacking source...
>>> Unpacking teamspeak3-server_linux-amd64-3.0.0-beta12.tar.gz to /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/work
>>> Source unpacked in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/work
>>> Compiling source in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/work ...
>>> Source compiled.
>>> Test phase [not enabled]: media-sound/teamspeak-server-bin-3.0.0_beta12

>>> Install teamspeak-server-bin-3.0.0_beta12 into /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/ category media-sound
>>> Completed installing teamspeak-server-bin-3.0.0_beta12 into /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/

scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/libts3db_sqlite3.so
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/libts3db_mysql.so
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/ts3server-bin
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/libts3db_sqlite3.so
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/libts3db_mysql.so
scanelf: rpath_security_checks(): Security problem with relative DT_RPATH '.' in /var/tmp/portage/media-sound/teamspeak-server-bin-3.0.0_beta12/image/opt/teamspeak3-server/ts3server-bin

>>> Installing (1 of 1) media-sound/teamspeak-server-bin-3.0.0_beta12

>>> Recording media-sound/teamspeak-server-bin in "world" favorites file...
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

 * GNU info directory index is up-to-date.

Expected Results:  
no scanelf problems

Portage 2.1.6.13 (default/linux/amd64/10.0/server, gcc-4.3.4, glibc-2.10.1-r1, 2.6.31-gentoo-r6 x86_64)
=================================================================
System uname: Linux-2.6.31-gentoo-r6-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-1.12.13
Timestamp of tree: Mon, 18 Jan 2010 08:20:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -msse4 -msse4.1 -msse4.2 -mcx16 -msahf -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=core2 -msse4 -msse4.1 -msse4.2 -mcx16 -msahf -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages paralell-fetch parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://mirror.netcologne.de/gentoo/ "
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
MAKEOPTS="-j16"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 bzip2 cli cracklib crypt cups cxx dri fortran gdbm gpm iconv ipv6 jpeg mmx modules mudflap multilib mysql ncurses nls nptl nptlonly openmp pam pcre perl png pppd python readline reflection session snmp spl sse sse2 ssl subversion sysfs tcpd truetype unicode xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic 	authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user 	autoindex 	cache 	dav dav_fs dav_lock deflate dir disk_cache 	env expires ext_filter 	file_cache filter headers 	include info log_config logio 	mem_cache mime mime_magic negotiation 	rewrite setenvif speling status 	unique_id userdir usertrack vhost_alias" APACHE2_MPMS="itk" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Benjamin Börngen-Schmidt 2010-01-19 01:05:53 UTC 
This also aplies to beta-15 which was just released.
Comment 2 Christian Parpart (RETIRED) gentoo-dev 2010-01-19 09:21:51 UTC 
Hey Benjamin,

I'm aware of these RPATH issues.
These issues *must* be fixed by upstream as this is a binary-only release and the only thing we can do about, is, to ensure, that these ELFs are executed from within a safe directory. e.g. from / - as it's root.root owned already and should not contain any false shared objects.
Although, if an attacker really wants to inject a function, he can do easily using LD_PRELOAD environment variable.

Please contact upstream (and CC me) if you don't mind :)

Regards,
Christian Parpart.
Comment 3 SpanKY gentoo-dev 2010-02-14 00:55:04 UTC 
those statements arent entirely true ... any set*id binary that has insecure DT_RPATH's may be exploited.  i'm not saying teamspeak has set*id, just that file ownership doesnt really matter in these cases.

see Bug 260331 for some trivial examples
Comment 4 Christian Parpart (RETIRED) gentoo-dev 2010-09-11 16:07:48 UTC 
We ensure, that the TS3 server binary is just invoked from within the expected base path (that's only writable by root) and the binary has no suid bit set anyways.
If you have any further concerns, please reopen and specify your thoughts on this in detail, so we can come along with a solution that fits better :)