Bug 510960

Summary: sys-libs/lib-compat multiple vulnerabilities
Product: Gentoo Security
Reporter: Ulrich Müller <ulm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: major
CC: base-system, games, vapier
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=504952
          https://bugs.gentoo.org/show_bug.cgi?id=506226
Whiteboard: B1? [ebuild]
Package list:
Runtime testing required: ---

Description Ulrich Müller gentoo-dev 2014-05-21 16:58:51 UTC
sys-libs/lib-compat ships a libc from 2000 or earlier (exact version unknown), so it can be expected to suffer from many of these vulnerabilities:
<https://bugs.gentoo.org/buglist.cgi?email1=security%40gentoo.org&emailassigned_to1=1&emailtype1=substring&list_id=2354642&query_format=advanced&resolution=---&resolution=FIXED&short_desc=sys-libs%2Fglibc&short_desc_type=allwordssubstr>
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-05-22 08:03:44 UTC
My first thought would be: hard-mask it and everything that depends on it. I can't think of any other solution.
Comment 2 Ulrich Müller gentoo-dev 2014-09-02 20:03:43 UTC
(In reply to Michał Górny from comment #1)
> My first thought would be: hard-mask it and everything that depends on it. I
> can't think of any other solution.

lib-compat and its reverse dependencies have been package masked for some time. Here is the list of reverse dependencies for emul-linux-x86-compat (as far as they have not been masked for other reasons already):

   dev-lang/dmd-bin
   games-action/mutantstorm-demo (*)
   games-action/rune (*)
   games-action/spacetripper-demo (*)
   games-fps/enemy-territory-truecombat
   games-fps/ut2003 (*)
   games-puzzle/drod-bin
   games-rpg/nwn
   games-server/nwn-ded (*)
   games-server/ut2003-ded (*)
   games-strategy/darwinia (*)
   games-strategy/darwinia-demo (*)
   mail-client/novell-groupwise-client[multilib]
   media-sound/aucdtect (*)
   media-video/binkplayer
   sci-chemistry/cara-bin
   sci-chemistry/icm[32bit] (*)
   sci-chemistry/icm-browser

What is surprising is that the packages marked with (*) don't depend on lib-compat or libstdc++-v3 on x86. Therefore I'm reluctant to package.mask (or package.use.mask) them in the amd64 profile.

@multilib: Is it still planned to update dependencies for these packages? The status page in the wiki was last updated in July.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-09-02 20:37:10 UTC
Yes, we're planning to update the deps. However, at this moment nobody in the team can afford to work on this.

On a side note, most of those dependencies are likely completely misguided. From my attempts at various games, none of the packages depending on lib-compat was actually linking against anything in it...
Comment 4 Jonathan Callen (RETIRED) gentoo-dev 2014-09-03 00:46:37 UTC
Of the packages you listed, the following actually do link against libstdc++.so.5:

   dev-lang/dmd-bin-1.016
   games-fps/enemy-territory-truecombat-0.49b
   games-puzzle/drod-bin
   games-strategy/darwinia-1.3.0
   games-strategy/darwinia-1.4.0_beta9
   games-strategy/darwinia-demo-1.3.0
   media-video/binkplayer-1.9p
   sci-chemistry/cara-bin-1.8.4

The following do *not* link against libstdc++.so.5, and probably should not depend on it (testing done by checking contents of distfiles):

   dev-lang/dmd-bin-2.008-r1
   games-action/rune-1.07-r2
   games-action/spacetripper-demo-1
   games-fps/ut2003-2225-r4
   games-rpg/nwn-1.68-r5
   games-rpg/nwn-1.68-r6
   games-rpg/nwn-1.69-r1
   games-server/nwn-ded-1.68-r1
   games-server/nwn-ded-1.69
   games-server/ut2003-ded-2225-r2
   media-sound/aucdtect-0.8.2
   media-video/binkplayer-1.99w

The following needs a file only provided by emul-linux-x86-compat or lib-compat and should therefore probably be masked:

   games-action/mutantstorm-demo-1.33 (needs libstdc++-libc6.2-2.so.3)

The following are fetch restricted, so I cannot test them:

   mail-client/novell-groupwise-client-8.0.2.96933
   sci-chemistry/icm-3.7.2e
   sci-chemistry/icm-3.7.3b
   sci-chemistry/icm-browser-3.6.1i
Comment 5 Ulrich Müller gentoo-dev 2014-09-08 21:01:23 UTC
All packages formerly depending on emul-linux-x86-compat have been updated to depend on lib-compat or libstdc++-v3.

sys-libs/lib-compat and its reverse dependencies as well as app-emulation/emul-linux-x86-compat are package.masked now.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2015-06-02 09:01:25 UTC
The emul-linux-x86 part is gone.
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-06-26 15:30:33 UTC
Packages long gone.
Comment 8 Ulrich Müller gentoo-dev 2016-06-26 15:34:29 UTC
(In reply to Michał Górny from comment #7)
> Packages long gone.

sys-libs/lib-compat is still in the tree.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-06-26 15:37:09 UTC
Sorry, haven't read thoroughly.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 03:23:36 UTC
 * These packages depend on sys-libs/lib-compat:
games-action/mutantstorm-demo-1.33 (sys-libs/lib-compat)
games-action/phobiaii-1.1 (sys-libs/lib-compat)
games-fps/rtcw-1.41b (sys-libs/lib-compat)
games-fps/unreal-226 (sys-libs/lib-compat)
sys-block/afacli-4.1 (sys-libs/lib-compat)
sys-libs/lib-compat-loki-0.2-r1 (sys-libs/lib-compat)

Still some rdeps in the tree.  RTCW and Unreal both have standing security bugs as well.  Maybe it is time to finally clean these?
Comment 11 Ulrich Müller gentoo-dev 2016-11-30 07:26:27 UTC
(In reply to Aaron Bauman from comment #10)
>  * These packages depend on sys-libs/lib-compat:
> games-action/mutantstorm-demo-1.33 (sys-libs/lib-compat)
> games-action/phobiaii-1.1 (sys-libs/lib-compat)
> games-fps/rtcw-1.41b (sys-libs/lib-compat)
> games-fps/unreal-226 (sys-libs/lib-compat)
> sys-block/afacli-4.1 (sys-libs/lib-compat)
> sys-libs/lib-compat-loki-0.2-r1 (sys-libs/lib-compat)

Also (indirectly via lib-compat-loki):
  games-strategy/heroes3
  games-strategy/heroes3-demo
  games-strategy/smac

> Still some rdeps in the tree.  RTCW and Unreal both have standing security
> bugs as well.  Maybe it is time to finally clean these?

CCing maintainers.

maintainer-needed: sys-block/afacli
vapier: games-fps/unreal
games: all others
Comment 12 James Le Cuirot gentoo-dev 2016-11-30 11:09:11 UTC
(In reply to Aaron Bauman from comment #10)
> Still some rdeps in the tree.  RTCW and Unreal both have standing security
> bugs as well.  Maybe it is time to finally clean these?

These are both packages I would like to take on but haven't had the time yet. I did a lot of work on them in bug reports before I became a dev. I fear there's nothing we can do about the security issues though. A different approach needs to be taken with games; it's not like we can just say "oh play another game then".
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 11:42:20 UTC
(In reply to James Le Cuirot from comment #12)
> (In reply to Aaron Bauman from comment #10)
> > Still some rdeps in the tree.  RTCW and Unreal both have standing security
> > bugs as well.  Maybe it is time to finally clean these?
> 
> These are both packages I would like to take on but haven't had the time
> yet. I did a lot of work on them in bug reports before I became a dev. I
> fear there's nothing we can do about the security issues though. A different
> approach needs to be taken with games, it's not like we can just say "oh
> play another game then".

I agree, a different approach is needed. A security mask would suffice, but considering the length of the mask it does not seem ideal.  Is an overlay a viable option?
Comment 14 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-30 12:31:23 UTC
(In reply to James Le Cuirot from comment #12)
> (In reply to Aaron Bauman from comment #10)
> > Still some rdeps in the tree.  RTCW and Unreal both have standing security
> > bugs as well.  Maybe it is time to finally clean these?
> 
> These are both packages I would like to take on but haven't had the time
> yet. I did a lot of work on them in bug reports before I became a dev. I
> fear there's nothing we can do about the security issues though. A different
> approach needs to be taken with games, it's not like we can just say "oh
> play another game then".

Regarding rtcw, I suggest switching over to iortcw:

https://github.com/iortcw/iortcw

It uses the original rtcw game files but has a very much improved engine including alsa support (which I badly missed in the original game).

I started creating an ebuild but only got the single player stuff working:

https://www.gentoofan.org/gentoo/poly-c_overlay/games-fps/rtcw/
Comment 15 James Le Cuirot gentoo-dev 2016-11-30 12:37:16 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #14)
> Regarding rtcw, I suggest switching over to iortcw:
> 
> https://github.com/iortcw/iortcw
> 
> It uses the original rtcw game files but has a very much improved engine
> including alsa support (which I badly missed in the original game).
> 
> I started creating an ebuild but only got the single player stuff working:
> 
> https://www.gentoofan.org/gentoo/poly-c_overlay/games-fps/rtcw/

With my brain in work mode, I got confused by the mention of Unreal and was thinking of RTNP (which never hit the tree) but RTCW is also something I used to play and never finished. I have heard of iortcw so I'll check it out. I too remember the OSS pain as it uses some special mode that ALSA/PA doesn't emulate.
Comment 16 Ulrich Müller gentoo-dev 2017-06-16 08:52:46 UTC
sys-libs/lib-compat-1.5 installs only libstdc++-libc6.2-2.so.3 (aka libstdc++-3-libc6.2-2-2.10.0.so) which appears to be the only library needed by reverse dependencies. This library was shipped with gcc-2.95.3.

@Security team: Can you check if there are any known vulnerabilities in libstdc++-libc6.2-2.so.3? Otherwise, we could unmask and stabilise lib-compat-1.5.

Alternatively, we could move what is now lib-compat-1.5 to a new sys-libs/libstdc++-v2-bin-2.95.3 package and last-rite sys-libs/lib-compat. Maybe that would be a more clear-cut solution.
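Comment 4 decides which packages really need the legacy library by checking what their distfile binaries link against, and comment 16 narrows the question to the single soname lib-compat-1.5 installs. The script below is an added example, not code from this bug or from Gentoo, that performs that check offline: it reads the DT_NEEDED entries of ELF32 and ELF64 files with a small stand-alone parser (no readelf needed) and reports every file under a directory, such as an unpacked distfile, that requests one of the two sonames named in the thread. The LEGACY_SONAMES set, the function names and the sample ELF images it builds for its own demo are constructed for this example.

```python
import struct
import tempfile
from pathlib import Path

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
# Sonames from the bug: what the ebuilds depended on, and what lib-compat-1.5 actually ships.
LEGACY_SONAMES = {"libstdc++.so.5", "libstdc++-libc6.2-2.so.3"}


def elf_needed(data: bytes) -> list:
    """DT_NEEDED sonames of an ELF32/ELF64 image (either byte order); [] if not ELF, truncated or static."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        return []
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64 and len(data) < 0x40:
        return []
    # (e_phoff format, e_phoff offset, e_phentsize offset, Phdr format, Dyn format) for each ELF class
    lay = ("Q", 0x20, 0x36, "IIQQQQQQ", "qQ") if is64 else ("I", 0x1C, 0x2A, "IIIIIIII", "iI")
    (e_phoff,) = struct.unpack_from(end + lay[0], data, lay[1])
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, lay[2])
    ph_fmt, dyn_fmt = end + lay[3], end + lay[4]
    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ph_fmt) > len(data):
            return []
        f = struct.unpack_from(ph_fmt, data, off)
        # Elf64_Phdr puts p_flags second, Elf32_Phdr puts it seventh, so the field indices differ.
        p_type, p_offset, p_vaddr, p_filesz = (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []
    ent, strtab_va, needed = struct.calcsize(dyn_fmt), None, []
    for pos in range(dynamic[0], min(dynamic[0] + dynamic[1], len(data) - ent + 1), ent):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_STRTAB:
            strtab_va = val
        elif tag == DT_NEEDED:
            needed.append(val)
    # DT_STRTAB is a virtual address: translate it to a file offset through the PT_LOAD that maps it.
    base = next((o + strtab_va - v for v, o, sz in loads
                 if strtab_va is not None and v <= strtab_va < v + sz), None)
    if base is None:
        return []
    spans = [(base + i, data.find(b"\0", base + i)) for i in needed]   # find() is -1 past end of file
    return [data[s:e].decode("ascii", "replace") for s, e in spans if e >= 0]


def legacy_deps(data: bytes, legacy=LEGACY_SONAMES) -> list:
    return sorted(n for n in elf_needed(data) if n in legacy)


def scan_tree(root) -> dict:
    """Map each file under root (e.g. an unpacked distfile) to the legacy sonames it needs."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                deps = legacy_deps(p.read_bytes())
            except OSError:
                continue
            if deps:
                hits[str(p)] = deps
    return hits


def build_sample_elf(needed, is64=False) -> bytes:
    """Constructed test input: a minimal little-endian ELF with just PT_LOAD, PT_DYNAMIC and a strtab."""
    base, ehsize, e_fmt, ph_fmt, dyn_fmt, mach = ((0x400000, 64, "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ", 62)
                                                  if is64 else (0x08048000, 52, "<HHIIIIIHHHHHH", "<IIIIIIII", "<iI", 3))
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    offs = [1 + sum(len(m) + 1 for m in needed[:i]) for i in range(len(needed))]
    str_off = ehsize + 2 * struct.calcsize(ph_fmt)
    dyn_off = str_off + len(strtab) + (-(str_off + len(strtab)) % 8)
    dyn = struct.pack(dyn_fmt, DT_STRTAB, base + str_off)
    dyn += b"".join(struct.pack(dyn_fmt, DT_NEEDED, o) for o in offs) + struct.pack(dyn_fmt, DT_NULL, 0)
    total = dyn_off + len(dyn)

    def phdr(p_type, flags, off, size, align):
        va = base + off
        return (struct.pack(ph_fmt, p_type, flags, off, va, va, size, size, align) if is64
                else struct.pack(ph_fmt, p_type, off, va, va, size, size, flags, align))

    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(e_fmt, 2, mach, 1, base, ehsize, 0, 0, ehsize, struct.calcsize(ph_fmt), 2, 0, 0, 0)
    img = ehdr + phdr(PT_LOAD, 5, 0, total, 0x1000) + phdr(PT_DYNAMIC, 6, dyn_off, len(dyn), 8) + strtab
    return img + b"\0" * (dyn_off - len(img)) + dyn


def demo() -> dict:
    """Scan a temporary directory of constructed images; only game.x86 needs a legacy soname."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "game.x86").write_bytes(build_sample_elf(["libstdc++.so.5", "libc.so.6"]))
        Path(d, "tool").write_bytes(build_sample_elf(["libc.so.6"], is64=True))
        Path(d, "README").write_bytes(b"not an ELF file")
        return {Path(k).name: v for k, v in scan_tree(d).items()}


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at an unpacked distfile to get the same answer comment 4 derived by hand; a package whose binaries never name either soname is a candidate for dropping the lib-compat dependency, while one that does is a candidate for the mask. The parser deliberately reads only program headers and the dynamic segment, so it also works on stripped binaries that have no section headers, which is common for the proprietary game binaries discussed here.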
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2018-01-30 01:02:33 UTC
Package is still masked along with other games that are still vulnerable.  GCC 2.9.x is masked as well in tree due to unresolved security issues.  I am not sure leaving them in tree is best.  Games are such a pain. Thoughts?
Comment 18 James Le Cuirot gentoo-dev 2018-01-30 10:03:13 UTC
(In reply to Aaron Bauman from comment #17)
> Package is still masked along with other games that are still vulnerable.
> GCC 2.9.x is masked as well in tree due to unresolved security issues.  I am
> not sure leaving them in tree is best.  Games are such a pain. Thoughts?

It's probably safe to say that libstdc++-libc6.2-2.so.3 is vulnerable and that's not going to change. Our stance, as always, is that even vulnerable games can remain with a mask and this allows users to decide whether it is worth the risk. This is a good compromise and I don't wish to change it. At least something can be done in the case of RTCW but this requires time I currently do not have.
Comment 19 Larry the Git Cow gentoo-dev 2019-12-08 21:15:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010852d13e7f1c59bc11ab2e3efe806dfacebaf4

commit 010852d13e7f1c59bc11ab2e3efe806dfacebaf4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:13:32 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:13:32 +0000

    games-*/*: drop last-rited pkgs
    
    Bug: https://bugs.gentoo.org/515926
    Bug: https://bugs.gentoo.org/510960
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-action/phobiaii/Manifest                     |   1 -
 games-action/phobiaii/metadata.xml                 |   8 -
 games-action/phobiaii/phobiaii-1.1-r1.ebuild       |  36 ----
 games-fps/rtcw/Manifest                            |   2 -
 games-fps/rtcw/files/wolf-ded.rc                   |  24 ---
 games-fps/rtcw/metadata.xml                        |  11 --
 games-fps/rtcw/rtcw-1.41b.ebuild                   |  93 ---------
 games-fps/unreal/Manifest                          |   3 -
 games-fps/unreal/metadata.xml                      |  21 ---
 games-fps/unreal/unreal-226.ebuild                 |  85 ---------
 games-strategy/heroes3/Manifest                    |   2 -
 games-strategy/heroes3/files/heroes3-wrapper.sh    |  13 --
 games-strategy/heroes3/heroes3-1.3.1a-r2.ebuild    | 208 ---------------------
 games-strategy/heroes3/metadata.xml                |  13 --
 games-strategy/smac/Manifest                       |   2 -
 games-strategy/smac/metadata.xml                   |   8 -
 games-strategy/smac/smac-6.0a.ebuild               | 102 ----------
 profiles/package.mask                              |  14 --
 sys-libs/lib-compat-loki/Manifest                  |   1 -
 .../lib-compat-loki/lib-compat-loki-0.2-r1.ebuild  |  39 ----
 sys-libs/lib-compat-loki/metadata.xml              |   8 -
 sys-libs/lib-compat/Manifest                       |   1 -
 sys-libs/lib-compat/lib-compat-1.5.ebuild          |  16 --
 sys-libs/lib-compat/metadata.xml                   |   8 -
 24 files changed, 719 deletions(-)
Comment 20 Ulrich Müller gentoo-dev 2019-12-09 07:25:12 UTC
Package removed.