Bug 103776 - net-analyzer/net-snmp: insecure runpath
Summary: net-analyzer/net-snmp: insecure runpath
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Duplicates: 118245
Depends on:
Blocks: 81745
Reported: 2005-08-25 17:57 UTC by James Cloos
Modified: 2006-01-07 19:41 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---

log of emerge of net-snmp- (12343-net-snmp-,494.52 KB, text/plain)
2005-08-25 17:59 UTC, James Cloos

Description James Cloos 2005-08-25 17:57:19 UTC
I got this when upgrading net-snmp:

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at
 For more information on this issue, kindly review:

full log to be attached.
Comment 1 James Cloos 2005-08-25 17:59:32 UTC
Created attachment 66893
log of emerge of net-snmp-
Comment 2 James Cloos 2005-08-25 18:00:43 UTC
Incidentally, the relevant use flags are:

[ebuild    U ] net-analyzer/net-snmp- [5.2.1-r1] +X -doc +elf* +ipv6
-lm_sensors -minimal +perl +rpm* (-selinux) +smux* +ssl +tcpd
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-08-28 10:01:56 UTC
netmon herd, something needs to be fixed here...
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 03:21:56 UTC
something like this should solve it

$ cvs diff
cvs diff: Diffing .
Index: net-snmp-
RCS file: /var/cvsroot/gentoo-x86/net-analyzer/net-snmp/net-snmp-,
retrieving revision 1.10
diff -u -w -r1.10 net-snmp-
--- net-snmp-     7 Aug 2005 09:12:46 -0000       1.10
+++ net-snmp-     2 Sep 2005 10:20:45 -0000
@@ -59,6 +59,9 @@
        # bugs 68467 and 68254
        sed -i -e 's;embed_perl="yes",;embed_perl=$enableval,;' \
                || die "sed failed"
+       # bug 103776
+       sed -i -e 's/\(@(cd perl ; $(MAKE)\)\() ; \\\)/\1 LD_RUN_PATH=\2/g' \
+      || die "sed failed"
        # fix access violation in make check
        sed -i 's/\(snmpd.*\)-Lf/\1-l/' testing/ || \
                die "sed failed"
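Review bot: The added `sed` under `# bug 103776` is guarded only by `|| die "sed failed"`, which fires when sed itself errors and not when the expression matches nothing, so if the `@(cd perl ; $(MAKE)) ; \` rule it targets ever changes its spacing, the `LD_RUN_PATH=` override is silently dropped and the build still succeeds. Consider following the substitution with a grep for `LD_RUN_PATH=` in the same file and dying with a message that names this bug, since the neighbouring calls all share the identical "sed failed" text. The added continuation line `|| die "sed failed"` is also indented differently from the surrounding context lines.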
cvs diff: Diffing files
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-09-02 05:34:20 UTC
sedfu is now present for each ebuild in cvs.  Thanks Tavis.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:49:16 UTC
This allows portage -> user-of-net-snmp privilege escalation.

ka0ttic: We'll need an ebuild revbump so that people with affected net-snmp
things get rebuilt.
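
The kind of RUNPATH problem discussed in this bug can be checked for on installed binaries. The sketch below is an added example, not part of the bug thread or of Portage: it parses `readelf -d` output and flags RPATH/RUNPATH entries that are empty, relative, or under a directory a less-privileged account can write to. The prefix list (including `/var/tmp/portage` as the build root), the function names and the sample output are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: directories writable by less-privileged accounts. /var/tmp/portage
# stands in for the Portage build root; adjust to the local configuration.
UNTRUSTED_PREFIXES = ("/var/tmp/portage", "/var/tmp", "/tmp")

# Matches the RPATH/RUNPATH rows printed by `readelf -d`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Constructed sample of `readelf -d` output; paths are illustrative only.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/portage/PKG/work/lib:/usr/lib]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:]
"""


def classify_entry(entry):
    """Return why one search-path entry is unsafe, or None if it looks fine."""
    if entry == "":
        return "empty entry (searched as the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the binary itself; not flagged here
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)  # collapse /usr/lib/../../tmp tricks
    for prefix in UNTRUSTED_PREFIXES:
        if norm == prefix or norm.startswith(prefix + "/"):
            return "under " + prefix
    return None


def audit_readelf(text):
    """Return (tag, entry, reason) for every unsafe entry in readelf -d output."""
    findings = []
    for line in text.splitlines():
        match = _DYN_RE.search(line)
        if match is None:
            continue
        tag, value = match.groups()
        for entry in value.split(":"):
            reason = classify_entry(entry)
            if reason is not None:
                findings.append((tag, entry, reason))
    return findings


if __name__ == "__main__":
    for tag, entry, reason in audit_readelf(SAMPLE):
        print(f"{tag}: {entry!r}: {reason}")
```

Feed it the output of `readelf -d` for each installed ELF file; any finding means the dynamic loader will search a location that someone other than root may control.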
Comment 7 Aaron Walker (RETIRED) gentoo-dev 2005-09-03 18:55:51 UTC
(In reply to comment #6)
> This allows portage -> user-of-net-snmp privilege escalation.
> ka0ttic: We'll need an ebuild revbump so that people with affected net-snmp
> things get rebuilt.

err forgot.  a -r1 is in cvs.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-04 07:58:12 UTC
-r1 seems to be stable on all arches, ready for GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-09-06 07:06:03 UTC
GLSA 200509-05
Comment 10 SpanKY gentoo-dev 2006-01-07 19:41:15 UTC
*** Bug 118245 has been marked as a duplicate of this bug. ***