Bug 179764 - The use of ruby-odbc on Gentoo Hardened leads to "INTERN (0) [RubyODBC]Cannot allocate SQLHENV (ODBC::Error)"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2007-05-25 15:43 UTC by Christoph Mueller
Modified: 2010-07-10 08:07 UTC

Attachments
Customized ebuild of ruby-odbc (ruby-odbc-0.9995.ebuild, 901 bytes, text/plain)
2007-05-25 15:48 UTC, Christoph Mueller

Description Christoph Mueller 2007-05-25 15:43:53 UTC
ruby-odbc (0.9995, and also 0.9994) builds fine on Gentoo Hardened. But if it is used in a ruby script, it prints out the error message "INTERN (0) [RubyODBC]Cannot allocate SQLHENV (ODBC::Error)" on connect.

I used this simple script:
require 'odbc'
connection = ODBC.connect('odbc-source', 'user', 'password')
connection.disconnect

Together with Christian Werner, the author of ruby-odbc, we tried a lot of things, like rebuilding the ldcache, but all seemed to be OK. But then we found out that compiling it with "--disable-dlopen" solves it.

Also, together with Pappy of the Gentoo Hardened team, we found out that switching the compiler from hardened to vanilla gcc and then compiling ruby-odbc also works.

Pappy could reproduce this in his chroot.

Some version info:
dev-ruby/ruby-1.8.5_p2 USE="-cjk -debug -doc -examples -ipv6 -socks5 -threads -tk"
dev-ruby/ruby-odbc-0.9995  USE="unicode"
dev-db/unixODBC-2.2.11-r1  USE="-qt3"
dev-db/freetds-0.62.3  USE="mssql odbc"


emerge --info:
Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.20-hardened-r2 i686)
=================================================================
System uname: 2.6.20-hardened-r2 i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 08 May 2007 01:47:01 +0000
dev-lang/python:     2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe -fforce-addr -msse -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -pipe -fforce-addr -msse -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="animgif apache2 berkdb crypt gd gif hal hardened imagemagick jpeg jpeg2k lm_sensors midi mysql mysqli nls odbc pam pic png readline sse sse2 ssl svg syslog tcpd truetype unicode unzip urandom vhosts x86 xml xorg zip zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


Reproducible: Always

Comment 1 Christoph Mueller 2007-05-25 15:48:50 UTC
Created attachment 120296
Customized ebuild of ruby-odbc

This is a customized ebuild of ruby-odbc that introduces a new use flag "nodlopen" so you can control whether dlopen is used. Default is to use it.
Comment 2 Alexander Gabert (RETIRED) gentoo-dev 2007-06-01 20:07:17 UTC
thx
Comment 3 Hans de Graaff gentoo-dev Security 2010-07-08 19:30:45 UTC
Is this still an issue with ruby-odbc-0.99991?
Comment 4 Christoph Mueller 2010-07-08 23:58:05 UTC
(In reply to comment #3)
> Is this still an issue with ruby-odbc-0.99991?

Hi Hans,

Yes, the same error occurs with 0.99991. The only way to get it to work is with my custom ebuild...

Greetings,
Comment 5 Hans de Graaff gentoo-dev Security 2010-07-09 06:34:10 UTC
I think having a USE flag for that is not a good solution, because it is not intuitive. If the build fails people won't really know to use nodlopen unless they happen to find this bug.

Ideally we should have some kind of solution that either selects this option when using a hardened compiler automatically, or simply not use dlopen at all, but I'm not sure what the implication is for normal builds.

@hardened: any advice on how to handle this?
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-07-09 09:28:39 UTC
Force-disable dlopen. This way it's linked at build-time which generally speaking is a better choice, for a distribution like ours, because it disallows users from trying to load libraries with different ABI.
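
One way to check the result of the advice in comment 6 on an installed extension, as an added example that is not part of the bug thread or of the ebuild: a build-time-linked extension records libodbc as a DT_NEEDED entry, soname included, which `readelf -d` lists. The two `readelf -d` listings are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug or the ebuild): decide from `readelf -d`
# output whether an extension was linked against libodbc at build time.

# Print every DT_NEEDED library name found on stdin, one per line.
needed_libs() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# Print "build-time:<soname>" when libodbc is a DT_NEEDED entry,
# "not-linked" when it is absent from the dynamic section.
odbc_linkage() {
    soname=$(needed_libs | grep '^libodbc\.so' | head -n 1)
    if [ -n "$soname" ]; then
        echo "build-time:$soname"
    else
        echo "not-linked"
    fi
}

# Constructed sample: extension built with dlopen enabled (no libodbc entry).
sample_dlopen() { cat <<'EOF'
Dynamic section at offset 0x1f04 contains 24 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libdl.so.2]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
EOF
}

# Constructed sample: extension built with --disable-dlopen.
sample_linked() { cat <<'EOF'
Dynamic section at offset 0x1f04 contains 26 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libodbcinst.so.1]
 0x00000001 (NEEDED)                     Shared library: [libodbc.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
EOF
}

# Real use (the path is a placeholder): readelf -d /path/to/odbc.so | odbc_linkage
for s in sample_dlopen sample_linked; do
    printf '%s: %s\n' "$s" "$($s | odbc_linkage)"
done
```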
Comment 7 Hans de Graaff gentoo-dev Security 2010-07-10 07:33:23 UTC
(In reply to comment #6)
> Force-disable dlopen. This way it's linked at build-time which generally
> speaking is a better choice, for a distribution like ours, because it disallows
> users from trying to load libraries with different ABI.

Fixed in ruby-odbc-0.99991-r1.
Comment 8 Christoph Mueller 2010-07-10 08:07:54 UTC
Thank you! Great!