Summary: | sys-cluster/util-vserver should not depend on dev-libs/dietlibc | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Current packages | Assignee: | Patrice Clement <monsieurp> |
Status: | RESOLVED OBSOLETE | | |
Severity: | enhancement | CC: | ccx, hparker, jstein, pacho, sandino, treecleaner, trs |
Priority: | Normal | Keywords: | PMASKED, PullRequest |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/gentoo/pull/11535 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 585746 | | |
Attachments: | ebuild with dietlibc USE flag | | |
Description
Jeroen Roovers (RETIRED)
2014-01-16 14:37:32 UTC
Daniel Hozac has stated it's a security issue. From #vserver on OFTC:

2014-02-20 07:01:51 <alpha_one_x86> daniel_hozac: No way to have verser-utils on glibc no dietlibc?
2014-02-20 07:02:36 <daniel_hozac> there is, just be aware that it is untested and insecure.

I can't find any recent mailing list posts about it. Also explained at: https://bugs.gentoo.org/show_bug.cgi?id=423799#c6

This would be interesting to achieve as our dietlibc package is completely unmaintained and has many unresolved open bugs :/

>=sys-cluster/util-vserver-0.30.216_pre3120 compiles fine with =dev-libs/dietlibc-0.34 (Bug 676460)
The reason util-vserver should depend on dietlibc is explained in this thread: http://archives.linux-vserver.org/201112/0046.html

On 19/12/11 08:02, Herbert Poetzl wrote:
> dietlibc isn't just used to replace glibc, it is used to
> build static binaries which are actually 'static'
> note that glibc cannot build self contained binaries
> anymore, even if you build them 'statically' they will
> dynamically load resolver libraries, which in the case
> of guest management might be from the host or from the
> guest
More from the same answer by Herbert Poetzl:
> ...anytime you start or enter the guest, you
> have a certain chance that the host will execute some
> code from the guest system (nss) which in turn gives
> guest root a good chance to do evil things on the host
> and even if security is not a concern in your case, you
> might end up with unexpected failures
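A check for the point in the quoted reply, added here as an example and not taken from the bug, from util-vserver or from Herbert Poetzl: it looks inside a supposedly static binary for the NSS module names that glibc's loader embeds (the literal "libnss_" prefix is the marker assumed here) and that a dietlibc build has no reason to carry; the path to the util-vserver tools is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report or of util-vserver. A glibc
# binary linked with -static still resolves NSS lookups (getpwnam,
# gethostbyname, ...) by dlopen()ing libnss_*.so at run time, so when a
# host tool enters a guest it may load the guest's NSS modules. Assumption:
# glibc's NSS loader leaves the literal "libnss_" module-name prefix in the
# binary, so finding it means the binary is not self-contained.

# Print the NSS module references embedded in a file, one per line
# (prints nothing when there are none).
nss_refs() {
    grep -a -o 'libnss_[A-Za-z0-9_.]*' "$1" | sort -u
}

# Exit 0 only if the file is readable and carries no NSS references;
# exit 2 when the file cannot be read, 1 when references are present.
is_self_contained() {
    [ -r "$1" ] || return 2
    [ -z "$(nss_refs "$1")" ]
}

# Usage: sh check_static_nss.sh /usr/lib/util-vserver/*   (path assumed)
for bin in "$@"; do
    if is_self_contained "$bin"; then
        printf '%s: no NSS module references, looks self-contained\n' "$bin"
    else
        printf '%s: references NSS modules (%s), may load host/guest code\n' \
            "$bin" "$(nss_refs "$bin" | tr '\n' ' ')"
    fi
done
```

Run it over the installed util-vserver helpers after a build with USE=-dietlibc to see whether the result is really self-contained.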
Created attachment 570836 [details]
ebuild with dietlibc USE flag
This ebuild uses a dietlibc USE flag.
If the dietlibc USE flag is not set, util-vserver will be compiled with --disable-dietlibc and the dietlibc-includes patch will not be applied.
I have tested it on amd64 with binutils 2.32, dietlibc 0.34.
USE=-dietlibc and USE=dietlibc; both compile correctly.
Package removed.