Bug 249845 - dev-ada/xmlada has ${WORKDIR} in RPATH
Summary: dev-ada/xmlada has ${WORKDIR} in RPATH
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Runpath Issues
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-04 20:21 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2016-02-21 03:55 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
new version of xmlada ebuild. (xmlada-3.2.0.ebuild,2.76 KB, text/plain)
2010-04-28 14:10 UTC, Alexander
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-04 20:21:57 UTC
* QA Notice: The following files contain insecure RUNPATH's
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 * /var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/sax/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/input_sources/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/unicode/lib:/usr/lib/gnat-gpl/i686-pc-linux-gnu/4.1-2008/adalib/:/usr/lib usr/lib/ada/i686-pc-linux-gnu-gnat-gpl-4.1-2008/xmlada/libxmlada_dom.so.2.2.0
 * /var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/unicode/lib:/usr/lib/gnat-gpl/i686-pc-linux-gnu/4.1-2008/adalib/:/usr/lib usr/lib/ada/i686-pc-linux-gnu-gnat-gpl-4.1-2008/xmlada/libxmlada_input_sources.so.2.2.0
 * /var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/input_sources/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/unicode/lib:/usr/lib/gnat-gpl/i686-pc-linux-gnu/4.1-2008/adalib/:/usr/lib usr/lib/ada/i686-pc-linux-gnu-gnat-gpl-4.1-2008/xmlada/libxmlada_sax.so.2.2.0
 * /var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/dom/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/sax/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/input_sources/lib:/var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/unicode/lib:/usr/lib/gnat-gpl/i686-pc-linux-gnu/4.1-2008/adalib/:/usr/lib usr/lib/ada/i686-pc-linux-gnu-gnat-gpl-4.1-2008/xmlada/libxmlada_schema.so.2.2.0

Portage 2.1.6_rc1 (default/linux/x86/2008.0, gcc-4.1.2-asneeded, glibc-2.8_p20080602-r0, 2.6.27-gentoo-r4 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r4-i686-Quad-Core_AMD_Opteron-tm-_Processor_2350-with-glibc2.0
Timestamp of tree: Wed, 03 Dec 2008 15:36:01 +0000
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p48
dev-java/java-config: 1.3.7, 2.1.6-r1
dev-lang/python:     2.5.2-r8
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.6.2
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.3.0-r1
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/glftpd/etc /opt/glftpd/ftp-data /opt/openfire/resources/security/ /opt/openjms/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/lib/hsqldb /var/phxd /var/qmail/alias /var/qmail/control /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage-distfiles"
FEATURES="distlocks parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo"
INSTALL_MASK=" 	/usr/share/doc 	/usr/share/man 	/usr/share/info"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j14"
PKGDIR="/usr/portage-packages"
PORTAGE_COMPRESS=""
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl ssl sysfs tcpd unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
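An added example, not part of the original report and not Portage's own check: it parses lines in the `<RUNPATH> <file>` layout of the QA notice above and flags entries that are empty, relative, or resolve into the build directory. `BUILD_ROOT`, the function names, and the shortened sample lines are assumptions made for this illustration.

```python
import posixpath

# Assumption: build root derived from PORTAGE_TMPDIR="/var/tmp" in the report.
BUILD_ROOT = "/var/tmp/portage"

# Constructed sample in the notice's "<RUNPATH> <file>" layout (paths shortened).
SAMPLE = """\
 * QA Notice: The following files contain insecure RUNPATH's
 * /var/tmp/portage/dev-ada/xmlada-2.2.0-r1/work/LocalSource/unicode/lib:/usr/lib usr/lib/ada/xmlada/libxmlada_input_sources.so.2.2.0
 * /usr/lib/../../var/tmp/portage/x/work/lib::lib usr/lib/libexample.so.1
 * /usr/lib:$ORIGIN/../lib usr/lib/libclean.so.1
"""


def classify_entry(entry, build_root=BUILD_ROOT):
    """Return why one RUNPATH entry is unsafe, or None if it looks fine."""
    if entry == "":
        return "empty entry (searched as the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # relative to the object's own location; accepted here
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)  # collapse ../ before comparing
    if norm == build_root or norm.startswith(build_root + "/"):
        return "points into the build directory"
    return None


def parse_notice(text):
    """Yield (file, entries) for each '<RUNPATH> <file>' line, skipping prose lines."""
    for line in text.splitlines():
        fields = line.strip().lstrip("*").split()
        if len(fields) == 2:  # assumes neither field contains whitespace
            yield fields[1], fields[0].split(":")


def audit(text, build_root=BUILD_ROOT):
    """Map each flagged file to its list of (entry, reason) findings."""
    findings = {}
    for path, entries in parse_notice(text):
        bad = [(e, r) for e in entries if (r := classify_entry(e, build_root))]
        if bad:
            findings[path] = bad
    return findings


if __name__ == "__main__":
    for path, bad in audit(SAMPLE).items():
        for entry, reason in bad:
            print(f"{path}: {entry!r}: {reason}")
```

On an installed system the RUNPATH string for a file can be read from the `RPATH`/`RUNPATH` rows of `readelf -d <file>` and fed to `classify_entry` one entry at a time.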
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-01 11:38:58 UTC
Ada herd, please provide an updated ebuild.
Comment 2 George Shapovalov (RETIRED) gentoo-dev 2009-04-02 13:55:06 UTC
Ah, these are .so files (on a first read I thought I missed some conf file)..
However I cannot find how ${D} ever gets there - neither LD_RUN_PATH nor -R ever appear in source or are set during compilation.. I guess I'll have to keep looking, just don't promise much at this point unfortunately. Any pointers, probably even to general discussions of how this can be happening, would be helpful!
Comment 3 Alexander 2010-04-28 14:10:13 UTC
Created attachment 229513
new version of xmlada ebuild.

Hello. I fixed this issue.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 21:20:14 UTC
@maintainers: ping, got anything?
Comment 5 Pacho Ramos gentoo-dev 2016-02-20 18:10:56 UTC
removed
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 03:55:35 UTC
Package removed per previous comments.  GLSA needed?