| Summary: | dev-qt/qtwebkit:5 contains insecure RUNPATHs | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | M. B. <tomboy64> |
| Component: | Current packages | Assignee: | Qt Bug Alias <qt> |
| Status: | RESOLVED FIXED | ||
| Severity: | QA | CC: | esigra, gentoo.org, losier.cc, nikoli, prefix, uwelk |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 454132, 543326 | ||
| Attachments: | qtwebkit-5.3.2-rpath.patch | ||
|
Description
M. B.
2013-04-17 10:37:20 UTC
is 5.1.0 affected? yes. strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment -R .GCC.command.line -R .note.gnu.gold-version usr/lib64/qt5/libexec/QtWebProcess usr/lib64/libQt5WebKitWidgets.so.5.1.0 usr/lib64/libQt5WebKit.so.5.1.0 Auto fixing rpaths for /var/tmp/portage/dev-qt/qtwebkit-5.1.0/image/usr/lib64/qt5/libexec/QtWebProcess * QA Notice: The following files contain insecure RUNPATHs * Please file a bug about this at http://bugs.gentoo.org/ * with the maintaining herd of the package. * /var/tmp/portage/dev-qt/qtwebkit-5.1.0/image/usr/lib64/qt5/libexec/QtWebProcess * Same with 5.2.0_beta1 ? Ask me again when #489416 is resolved ;) still an issue. strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment -R .GCC.command.line -R .note.gnu.gold-version usr/lib64/qt5/qml/QtWebKit/libqmlwebkitplugin.so usr/lib64/libQt5WebKit.so.5.2.0 usr/lib64/libQt5WebKitWidgets.so.5.2.0 usr/lib64/qt5/qml/QtWebKit/experimental/libqmlwebkitexperimentalplugin.so usr/lib64/qt5/libexec/QtWebProcess Auto fixing rpaths for /var/tmp/portage/dev-qt/qtwebkit-5.2.0_beta1/image/usr/lib64/qt5/libexec/QtWebProcess * QA Notice: The following files contain insecure RUNPATHs * Please file a bug about this at http://bugs.gentoo.org/ * with the maintaining herd of the package. * /var/tmp/portage/dev-qt/qtwebkit-5.2.0_beta1/image/usr/lib64/qt5/libexec/QtWebProcess * Created attachment 385892 [details, diff]
qtwebkit-5.3.2-rpath.patch
The attached patch (variants of which are floating around other downstreams) resolves the issue locally. qtwebkit does not install default_post.prf so this should not affect qmake behaviour out of portage.
Unfortunately Gentoo prefix needs the rpath (at least it was needed in qt 4.8, and I copied the same logic in qt5-build.eclass but qtwebkit build system doesn't respect that). So, assuming prefix still needs it, a more conservative fix would be replacing that line with: contains(QT_CONFIG, rpath): CONFIG += rpath But of course this will still produce an insecure rpath on prefix... That's a shame, I guess I'll keep digging. At least Portage strips the offending RPATH though. The wrong rpath is added in Tools/qmake/mkspecs/features/rpath.prf (In reply to Davide Pesavento from comment #9) > The wrong rpath is added in Tools/qmake/mkspecs/features/rpath.prf If we remove it there, will it still be broken for prefix? I can't test. @prefix do you have any interest in qt5? I want to fix this bug but don't want to cause a problem for you later since I can't test. We don't have the resources to go after this. Judging fromt his bug, however, it seems that if you remove the incorrect rpath, it should work for us. I assume it works for your -- which is most important. Do what you think is best to do, thanks for considering. In overlay: https://gitweb.gentoo.org/proj/qt.git/commit/?id=4b376d4e6d5163cc9d0c9f8f4fd9c3490a210d8f While at it, these files also have wrong rpaths: $ scanelf -Ryrq . $ORIGIN/../../lib ./usr/lib64/qt5/qml/QtWebKit/libqmlwebkitplugin.so $ORIGIN/../../lib ./usr/lib64/qt5/qml/QtWebKit/experimental/libqmlwebkitexperimentalplugin.so They don't trigger the QA warning because they use $ORIGIN instead of an absolute path, but they're still wrong once installed, that path only makes sense in the build environment. Just need to remove CONFIG += rpath in Source/WebKit/qt/declarative/{public.pri,experimental/experimental.pri}, right?
Fixed in cvs (5.4.2, no revbump) and git. |
