Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 328467 - sys-apps/keyutils has insecure runpaths
Summary: sys-apps/keyutils has insecure runpaths
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords:
: 417915 (view as bug list)
Depends on:
Blocks: CVE-2010-1322
  Show dependency tree
 
Reported: 2010-07-15 20:14 UTC by William Throwe
Modified: 2012-05-29 01:16 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build.log,6.21 KB, text/plain)
2010-07-15 20:15 UTC, William Throwe
Details
Patch to fix NULL RPATH in keyutils-1.4 (keyutils-1.4-fix-null-rpath.patch,636 bytes, patch)
2012-05-19 14:05 UTC, Mitch Harder
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description William Throwe 2010-07-15 20:14:57 UTC
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.4/image/sbin/request-key
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.4/image/sbin/request-key
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.4/image/bin/keyctl
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.4/image/bin/keyctl

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 *  sbin/request-key
 *  bin/keyctl


Reproducible: Always




$ emerge --info =sys-apps/keyutils-1.4 
Portage 2.2_rc67 (default/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-gentoo-r1 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.34-gentoo-r1-x86_64-Intel-R-_Core-TM-2_CPU_T5500_@_1.66GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 15 Jul 2010 00:45:02 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--ask"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.netnitco.net http://mirror.mcs.anl.gov/pub/gentoo/ http://mirror.csclub.uwaterloo.ca/gentoo-distfiles/ http://mirror.datapipe.net/gentoo ftp://mirror.datapipe.net/gentoo"
LDFLAGS="-Wl,-O1,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X acl acpi afs alsa amd64 berkdb bzip2 cairo caps cdr cli cracklib crypt cxx dbus dri dvd dvdr emacs fortran gd gdbm gimp gpm gtk hal iconv jpeg kerberos latex mmx modules mudflap multilib ncurses nptl nptlonly opengl openmp pam pcre perl png pppd python readline reflection session smp spl sse sse2 ssl ssse3 sysfs system-sqlite tcpd truetype unicode xorg xscreensaver zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" SANE_BACKENDS="epson2" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sys-apps/keyutils-1.4 was built with the following:
USE="(multilib)"
Comment 1 William Throwe 2010-07-15 20:15:39 UTC
Created attachment 238929 [details]
build.log
Comment 2 Maxim Koltsov (RETIRED) gentoo-dev 2010-07-17 19:40:56 UTC
I confirm this on x86 stable (keyutils-1.2-r2). My emerge info:

Portage 2.1.8.3 (default/linux/x86/10.0/desktop, gcc-4.4.3, glibc-2.11.2-r0, 2.6.33-tuxonice-r2 i686)
=================================================================
System uname: Linux-2.6.33-tuxonice-r2-i686-Intel-R-_Atom-TM-_CPU_N270_@_1.60GHz-with-gentoo-2.0.1
Timestamp of tree: Wed, 07 Jul 2010 09:15:01 +0000
distcc 3.0 i686-pc-linux-gnu [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.11
dev-lang/python:     2.5.4-r4, 2.6.5-r2, 3.1.2-r3
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.3-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -mtune=generic -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=core2 -mtune=generic -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distcc distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="ftp://mirror.yandex.ru/gentoo-distfiles"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="ru"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/rion /usr/local/portage/layman/pro-audio /usr/local/portage/layman/lxde /usr/local/portage/layman/desktop-effects /usr/local/portage/layman/sunrise /usr/local/portage/layman/jasiu /usr/local/portage/layman/qting-edge /usr/local/portage/layman/wirelay /usr/local/portage/layman/gnome /usr/local/portage/layman/rafaelmartins /usr/local/portage/layman/x11 /usr/local/portage/layman/gnome-live /usr/local/portage/layman/gentoo-china /usr/local/portage/layman/dev-zero /usr/local/portage/layman/java-overlay /usr/local/portage/layman/science /usr/local/portage/layman/mozilla /home/maks/maksbotan-overlay"
SYNC="rsync://mirror.yandex.ru/gentoo-portage"
USE="X a52 aac acl acpi alsa apm avahi bash-completion berkdb bluetooth bonjour branding bzip2 cairo cli consolekit cracklib crypt cups cxx dbus doomsday dri dts dvd dvdr emboss encode exif fam fbcon ffmpeg firefox flac fortran gcj gdbm gif gpm gstreamer gtk hal iconv ipod ipv6 jpeg laptop lcms ldap libnotify lm_sensors mad mikmod mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly nsplugin offensive ogg opengl openmp pam pango pcre pdf perl pmu png ppds pppd python qt3support readline reflection samba scanner sdl session spell spl ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vim-syntax vorbis wifi x264 x86 xcb xcomposite xml xorg xulrunner xv xvid zeroconf zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" QEMU_SOFTMMU_TARGETS="i386 x86_64 ppc ppc64" QEMU_USER_TARGETS="i386 x86_64 ppc ppc64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Guy 2010-10-15 20:45:44 UTC
Also applies to keyutils-1.4-r1.


>>> Completed installing keyutils-1.4-r1 into /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/

strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment
   bin/keyctl
   lib64/libkeyutils.so.1.3
   sbin/request-key
   usr/lib64/libkeyutils.a
ecompressdir: bzip2 -9 /usr/share/man
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/bin/keyctl
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/bin/keyctl
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/sbin/request-key
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/sbin/request-key

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 *  bin/keyctl
 *  sbin/request-key

Auto fixing rpaths for  bin/keyctl
 sbin/request-key

>>> Installing (68 of 560) sys-apps/keyutils-1.4-r1
Comment 4 Pablo Cholaky 2010-10-26 18:29:34 UTC
I can confirm that too

(In reply to comment #3)
> Also applies to keyutils-1.4-r1.
> 
> 
> >>> Completed installing keyutils-1.4-r1 into /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/
> 
> strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment
>    bin/keyctl
>    lib64/libkeyutils.so.1.3
>    sbin/request-key
>    usr/lib64/libkeyutils.a
> ecompressdir: bzip2 -9 /usr/share/man
> scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in
> /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/bin/keyctl
> scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in
> /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/bin/keyctl
> scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in
> /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/sbin/request-key
> scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in
> /var/tmp/portage/sys-apps/keyutils-1.4-r1/image/sbin/request-key
> 
>  * QA Notice: The following files contain insecure RUNPATHs
>  *  Please file a bug about this at http://bugs.gentoo.org/
>  *  with the maintaining herd of the package.
>  *  bin/keyctl
>  *  sbin/request-key
> 
> Auto fixing rpaths for  bin/keyctl
>  sbin/request-key
> 
> >>> Installing (68 of 560) sys-apps/keyutils-1.4-r1
> 
Comment 5 Dustin Polke 2010-11-27 17:33:22 UTC
While on my amd64 box this issue is just a warning and the autofixing part seems to workaround this,
on sparc this issue is fatal:


strip: sparc-unknown-linux-gnu-strip --strip-unneeded -R .comment
   bin/keyctl
   sbin/request-key
   lib32/libkeyutils-1.2.so
   usr/lib32/libkeyutils.a
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.2-r1/image/bin/keyctl
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.2-r1/image/bin/keyctl
scanelf: rpath_security_checks(): Security problem NULL DT_RPATH in /var/tmp/portage/sys-apps/keyutils-1.2-r1/image/sbin/request-key
scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-apps/keyutils-1.2-r1/image/sbin/request-key

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at http://bugs.gentoo.org/
 *  with the maintaining herd of the package.
 *  bin/keyctl
 *  sbin/request-key

Auto fixing rpaths for  bin/keyctl
 sbin/request-key

 * QA Notice: Missing gen_usr_ldscript for libkeyutils.so
 * ERROR: sys-apps/keyutils-1.2-r1 failed:
 *   add those ldscripts

Moreover, this package is a dependency for  app-crypt/mit-krb5-.8.3-r1 which was stabilized due to security.  This makes this issue critical for users that are blocked from updating to a secure version. 
Comment 6 Dustin Polke 2010-11-27 18:15:25 UTC
For completeness:

Portage 2.1.9.24 (default/linux/sparc/experimental/multilib/server, gcc-4.4.4, glibc-2.11.2-r3, 2.6.34-gentoo-r12 sparc64)
=================================================================
System uname: Linux-2.6.34-gentoo-r12-sparc64-sun4u-with-gentoo-2.0.1
Timestamp of tree: Sat, 27 Nov 2010 15:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13::<unknown repository>, 2.65-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="sparc"
ACCEPT_LICENSE="* -@EULA"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=ultrasparc -pipe -ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -mcpu=ultrasparc -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs ccache collision-protect distlocks fixlafiles fixpackages multilib-strict news parallel-fetch protect-owned sandbox sfperms splitdebug strict test unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://mirror.netcologne.de/gentoo/     ftp://gentoo.tiscali.nl/pub/mirror/gentoo/     ftp://mirror.cambrium.nl/pub/os/linux/gentoo/     ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo     ftp://ftp6.uni-muenster.de/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS=""
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=500"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sping /var/lib/layman/DuPol /usr/local/portage/modified"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X acl admin bash-completion branding bzip2 cli coverpage cracklib crypt cups cxx dbus dri fortran gd git gpm hal iconv iproute2 javascript jpeg kerberos keyscrub logrotate loop-aes mime modules mudflap multilib nls nptl nptlonly openmp pam pcre png posix pppd readline sasl session sparc ssl sysfs syslog system-sqlite tcpd threads tiff truetype unicode userlocales xml xorg zlib" ALSA_CARDS="cs4231" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="auth_basic auth_core authn_file authz_core authz_host     authz_user dav dir log_config mime unixd" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="mach64" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS
Comment 7 Jim Faulkner 2010-11-29 19:27:31 UTC
Note that this bug applies to sys-apps/keyutils-1.2-r1 as well, for non-x86 architectures at least.  I get the same error as Dustin on my alpha machine.
Comment 8 David J Cozatt 2010-12-04 20:23:36 UTC
confirmed for keyutils-1.4-r1 on amd64

QA Notice: The following files contain insecure RUNPATHs                               │
│ Please file a bug about this at http://bugs.gentoo.org/                               │
│ with the maintaining herd of the package.                                             │
│ bin/keyctl                                                                            │
│ sbin/request-key    
Comment 9 Dustin Polke 2010-12-05 13:26:56 UTC
Okay, let's clearify this a bit. I should had looked more closely before...

(In reply to comment #5)
> While on my amd64 box this issue is just a warning and the autofixing part
> seems to workaround this, on sparc this issue is fatal:

(In reply to comment #7)
> Note that this bug applies to sys-apps/keyutils-1.2-r1 as well, for non-x86
> architectures at least.  I get the same error as Dustin on my alpha machine.

amd64 did install because it has keyutils-1.2-r2 stable while on sparc only -r1 is stable which does not have the gen_usr_ldscript yet. Unmasking keyutils-1.2-r2 on sparc and arm throws the warning but does install.

Therefore, I suggest to mark 1.2-r2 stable on all ARCHs that have 1.2-r1 stable already and then dump 1.2-r1 as it never will install.

Ebuilds for 1.4 work around the buggy Makefile by using gen_usr_ldscript, so they should not error out.
I don't know how this issue is fixed properly, but I want to share what I found out from looking at the Makefile:

Problematic lines seem to be the following:
"""
keyctl: keyctl.c keyutils.h Makefile $(DEVELLIB)
        $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -L. -lkeyutils -Wl,-rpath,$(LIB)

request-key: request-key.c keyutils.h Makefile $(DEVELLIB)
        $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -L. -lkeyutils -Wl,-rpath,$(LIB)
"""
which reference $(LIB). $(LIB), however, is not defined and thus empty.
Comment 10 SpanKY gentoo-dev 2011-09-02 17:41:23 UTC
keyutils-1.5.3 should have the issue fixed
Comment 11 Mitch Harder 2012-05-19 14:05:19 UTC
Created attachment 312269 [details, diff]
Patch to fix NULL RPATH in keyutils-1.4

I see this bug is still open.

I've used this attached patch to address the problem in 1.4.

I based it on looking at the modifications to the Makefile in keyutils-1.5.2.
Comment 12 Pacho Ramos gentoo-dev 2012-05-19 15:05:44 UTC
Is there anything preventing 1.5.5 from being stabilized?
Comment 13 SpanKY gentoo-dev 2012-05-29 01:16:08 UTC
*** Bug 417915 has been marked as a duplicate of this bug. ***