Bug 255514 - dev-util/android-sdk bundles internal copies of many libraries
Summary: dev-util/android-sdk bundles internal copies of many libraries
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Richard Freeman
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: bundled-libs CVE-2009-3720
Reported: 2009-01-19 15:56 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2009-10-30 01:09 UTC (History)
CC list: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2009-01-19 15:56:46 UTC
It includes zlib, libpng and expat at least:

adler32  /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/adb
adler32  /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/emulator
XML_Parse  /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/aapt
png_get_libpng_ver  /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/aapt
png_get_libpng_ver  /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/emulator

I'd suspect more too, considering I see the sqlite3 command in the tools/ directory being stripped, and libswt pre-stripped.
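The symbol-per-path listing above is the usual first signal that a package carries its own copy of a library. The scanner below is an added example (not from this bug, the android-sdk package or Gentoo's tooling) showing what a practitioner wants from such a check: it reads the ELF symbol tables properly and distinguishes a *defined* `adler32`/`XML_Parse`/`png_get_libpng_ver` (the library's code is inside the binary, i.e. bundled) from an *undefined* one (a reference the dynamic linker resolves from the system `.so`, which is the desired state), and it falls back to the version banners that zlib, libpng and expat embed, because those survive `strip` while the symbol table does not (the stripped sqlite3 and libswt case above). It assumes little-endian ELF64; the fingerprint table is a hand-picked subset, and `build_elf` is a constructed test fixture, not a real executable.

```python
"""Detect bundled (statically linked) copies of common libraries in ELF binaries.

Added example; assumes little-endian ELF64. FINGERPRINTS is a hand-picked subset.
"""
import re
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
SHN_UNDEF = 0

# Symbols specific to each library, plus the banner string each one embeds in its objects.
FINGERPRINTS = {
    "zlib":   {"symbols": {"adler32", "crc32", "inflate", "deflate", "zlibVersion"},
               "banner": rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"},
    "libpng": {"symbols": {"png_get_libpng_ver", "png_create_read_struct", "png_read_info"},
               "banner": rb"libpng version (\d+\.\d+\.\d+)"},
    "expat":  {"symbols": {"XML_Parse", "XML_ParserCreate", "XML_SetElementHandler"},
               "banner": rb"expat_(\d+\.\d+\.\d+)"},
}


def elf_symbols(data):
    """Map symbol name -> True if defined in this file, False if only referenced (undefined)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    syms = {}
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or entsize == 0:
            continue
        str_off, str_size = shdrs[link][4], shdrs[link][5]   # sh_link -> associated string table
        strtab = data[str_off:str_off + str_size]
        for j in range(size // entsize):
            st_name, _, _, st_shndx, _, _ = SYM.unpack_from(data, off + j * entsize)
            if st_name == 0:
                continue
            name = strtab[st_name:strtab.index(b"\0", st_name)].decode("ascii", "replace")
            syms[name] = syms.get(name, False) or st_shndx != SHN_UNDEF
    return syms


def scan_binary(data):
    """Per library: 'bundled' (defined symbols or banner found), 'shared' (undefined refs only), or absent."""
    try:
        syms = elf_symbols(data)
    except ValueError:          # not ELF, or stripped of everything: banners are all we have
        syms = {}
    report = {}
    for lib, fp in FINGERPRINTS.items():
        defined = sorted(s for s in fp["symbols"] if syms.get(s) is True)
        undefined = sorted(s for s in fp["symbols"] if syms.get(s) is False)
        m = re.search(fp["banner"], data)
        version = m.group(1).decode() if m else None
        if defined or version:
            report[lib] = {"status": "bundled", "defined": defined, "version": version}
        elif undefined:
            report[lib] = {"status": "shared", "undefined": undefined, "version": None}
    return report


def build_elf(defined, undefined, trailing=b""):
    """Constructed fixture: a minimal ELF64 holding only a symbol table (not a runnable program)."""
    strtab, symtab = b"\0", SYM.pack(0, 0, 0, 0, 0, 0)          # index 0 is the null symbol
    for name, is_def in [(n, True) for n in defined] + [(n, False) for n in undefined]:
        symtab += SYM.pack(len(strtab), 0x12, 0, 1 if is_def else SHN_UNDEF, 0, 0)  # GLOBAL FUNC
        strtab += name.encode() + b"\0"
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"
    blobs, offs, pos = [symtab, strtab, shstrtab, trailing], [], EHDR.size
    for b in blobs:
        offs.append(pos)
        pos += len(b)
    shdrs = SHDR.pack(*[0] * 10)
    shdrs += SHDR.pack(1, SHT_SYMTAB, 0, 0, offs[0], len(symtab), 2, 1, 8, SYM.size)
    shdrs += SHDR.pack(9, SHT_STRTAB, 0, 0, offs[1], len(strtab), 0, 0, 1, 0)
    shdrs += SHDR.pack(17, SHT_STRTAB, 0, 0, offs[2], len(shstrtab), 0, 0, 1, 0)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, 0, pos, 0, EHDR.size, 0, 0, SHDR.size, 4, 3)
    return ehdr + b"".join(blobs) + shdrs


def demo():
    """Constructed sample: zlib and expat linked in statically, libpng taken from the system."""
    blob = build_elf(["adler32", "inflate", "XML_Parse", "main"],
                     ["png_get_libpng_ver", "png_read_info"],
                     b"..inflate 1.2.3 Copyright 1995-2005 Mark Adler ..")
    return scan_binary(blob)


if __name__ == "__main__":
    print(demo())
```

Run it over `tools/adb`, `tools/emulator` and `tools/aapt` with `scan_binary(open(path, "rb").read())`. A library reported as `shared` is not a finding; one reported as `bundled` is, and its recovered banner version is what to compare against the fixed versions in the advisories the bug is blocking.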
Comment 1 Krzysztof Pawlik (RETIRED) gentoo-dev 2009-01-19 18:45:01 UTC
Yes, some of the binaries are linked against a few static libraries; I'll see what can be done about SWT.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-01-19 18:56:53 UTC
For the static libraries, maybe you can see to complain upstream, they could reasonably be expected to fix it in a future version. If it's Google directly, maybe pushing through oCERT could also help.
Comment 3 Krzysztof Pawlik (RETIRED) gentoo-dev 2009-01-19 19:01:08 UTC
I'll try to talk to Android people tomorrow.
Comment 4 Richard Freeman gentoo-dev 2009-01-19 19:26:50 UTC
The security/maintainability issues with this are obvious.  However, could there be issues with deviating from the included library versions?  Ostensibly the reason for having included libraries is so that you can build your application against the library versions that you're likely to find on the target platform.  If everybody is running libfoo-1.0 on their phones, and Gentoo has libfoo-1.4 stable, would it be wise to use the Gentoo version?
Comment 5 Krzysztof Pawlik (RETIRED) gentoo-dev 2009-01-19 19:31:15 UTC
(In reply to comment #4)

In my opinion no -- but I need to confirm this.
Comment 6 Richard Freeman gentoo-dev 2009-10-23 23:18:03 UTC
I suspect this is safe to close for the reasons stated - the SDK doesn't present any security issues to the host system, and the generated code doesn't present any security issues to a phone it is installed on.  The libraries on the phone might have issues, but those are maintained by the phone OS, not by this package.

Unless there are objections I'll close this as WONTFIX in a few days...
Comment 7 Richard Freeman gentoo-dev 2009-10-30 01:09:55 UTC
Per comments, closing this bug - the SDK is intended to build against devices running standardized versions of libraries.  It should not target the libraries installed by Gentoo as a result.  Comment/reopen if I'm missing something here...