Bug 76423

Summary:	set[ug]id, dynamic linking and lazy bindings in sys-fs/fuse
Product:	Gentoo Linux	Reporter:	Gen Zhang <genneth>
Component:	Current packages	Assignee:	Stefan Schweizer (RETIRED) <genstef>
Status:	VERIFIED FIXED
Severity:	minor
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Gen Zhang 2005-01-02 09:04:24 UTC

The wonderful portage gives the following:

QA Notice: /usr/bin/fusermount is setXid, dynamically linked and using lazy bindings.
This combination is generally discouraged. Try: LDFLAGS='-Wl,-z,now' emerge fuse

To be fair, it's pretty self-explanatory for anyone who is running an unstable ebuild and likes to watch the emerge process. On the otherhand, it is a pretty serious security hole, in something that is close to the kernel.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Stefan Schweizer (RETIRED) gentoo-dev

2005-01-03 00:01:36 UTC

Thank you for reporting, fixed in cvs.

Comment 2 Samuli Suominen (RETIRED) gentoo-dev

2009-10-06 12:00:37 UTC

+*fuse-2.7.4-r1 (06 Oct 2009)
+
+  06 Oct 2009; Samuli Suominen <ssuominen@gentoo.org> +fuse-2.7.4-r1.ebuild:
+  Drop fuse-fix-lazy-binding.patch wrt #226935, thanks to Rafał Mużyło
+  for reporting.