I am in the process of setting up a new system (on virtualbox, if that is relevant). After upgrading udev to 197, I ran revdep-rebuild and got this message (apparently from media-libs/mesa-9.0.1):

 * QA Notice: The following files contain writable and executable sections.
 * Files with such sections will not work properly (or at all!) on some
 * architectures/operating systems. A bug should be filed at ...
 * Please include the following list of files in your report:
 * Note: Bugl should be filed for the respective maintainers
 * of the package in question and not hardened@g.o.
 * --- R-x RWX usr/lib/libglapi.so.0.0.0
 * --- R-x RWX usr/lib/opengl/xorg-x11/lib/libGLESv2.so.2.0.0
 * --- R-x RWX usr/lib/opengl/xorg-x11/lib/libGLESv1_CM.so.1.1.0
 * --- R-x RWX usr/lib/opengl/xorg-x11/lib/libOpenVG.so.1.0.0
 * --- R-x RWX usr/lib/opengl/xorg-x11/lib/libGL.so.1.2.0

It looks like this may be something similar to 297440, and it's coupled with a known/fixed bug (428460 - swrast_dri.so contains insecure RUNPATHs), but portage asks me to file bugs rarely enough that it seemed worth pointing out, just in case.
Created attachment 339260 [details] emerge --info
Created attachment 339310 [details] emerge info

Similar here with 9.1_rc2:

QA: other
QA Notice: The following files contain insecure RUNPATHs
 Please file a bug about this at http://bugs.gentoo.org/
 with the maintaining herd of the package.
/var/tmp/portage/media-libs/mesa-9.1_rc2/image/usr/lib/mesa/swrast_dri.so
/var/tmp/portage/media-libs/mesa-9.1_rc2/image/usr/lib/mesa/i915_dri.so
QA Notice: The following files contain writable and executable sections
 Files with such sections will not work properly (or at all!) on some
 architectures/operating systems. A bug should be filed at
 http://bugs.gentoo.org/ to make sure the issue is fixed.
 For more information, see http://hardened.gentoo.org/gnu-stack.xml
 Please include the following list of files in your report:
 Note: Bugs should be filed for the respective maintainers
 of the package in question and not hardened@g.o.
--- R-X RWX usr/lib/libglapi.so.0.0.0
--- R-X --- usr/lib/opengl/xorg-x11/lib/libGL.so.1.2.0
got a message regarding mesa

>>> Messages generated by process 4890 on 2013-03-06 20:53:10 VET for package media-libs/mesa-9.1:
LOG: postinst
USE="bindist" was not set. Potentially patent encumbered code was enabled.
Please see patents.txt for an explanation.
QA: other
QA Notice: The following files contain insecure RUNPATHs
 Please file a bug about this at http://bugs.gentoo.org/
 with the maintaining herd of the package.
/var/tmp/portage/media-libs/mesa-9.1/image/usr/lib64/mesa/swrast_dri.so

quite strange to me as it's about a /var/tmp/

this might be useful

ls -al /usr/lib{32,64}/{dri,mesa}/swrast_dri.so*
lrwxrwxrwx 1 root root 22 Feb 18 2011 /usr/lib32/dri/swrast_dri.so -> ../mesa/swrastg_dri.so
-rwxr-xr-x 1 root root 21912 Feb 24 18:16 /usr/lib32/mesa/swrast_dri.so
lrwxrwxrwx 1 root root 21 Jul 10 2011 /usr/lib64/dri/swrast_dri.so -> ../mesa/swrast_dri.so
-rwxr-xr-x 1 root root 26976 Mar 6 20:52 /usr/lib64/mesa/swrast_dri.so

ls -al /usr/lib/libglapi.so* /usr/lib/opengl/xorg-x11/lib/libGL.so*
lrwxrwxrwx 1 root root 17 Mar 6 20:52 /usr/lib/libglapi.so -> libglapi.so.0.0.0
lrwxrwxrwx 1 root root 17 Mar 6 20:52 /usr/lib/libglapi.so.0 -> libglapi.so.0.0.0
-rwxr-xr-x 1 root root 149776 Mar 6 20:52 /usr/lib/libglapi.so.0.0.0
lrwxrwxrwx 1 root root 14 Mar 6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so -> libGL.so.1.2.0
lrwxrwxrwx 1 root root 14 Mar 6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so.1 -> libGL.so.1.2.0
-rwxr-xr-x 1 root root 401208 Mar 6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so.1.2.0
The issue is also present in mesa-9.1.6 (only one file):

>>> Messages generated by process 26216 on 2013-11-02 08:10:14 CET for package media-libs/mesa-9.1.6:
[..]
QA Notice: The following files contain writable and executable sections
[..]
--- --- RWX usr/lib/libglapi.so.0.0.0
*** Bug 490258 has been marked as a duplicate of this bug. ***
Similar here with media-libs/mesa-9.1.6:

 * QA Notice: The following files contain writable and executable sections
 * Files with such sections will not work properly (or at all!) on some
 * architectures/operating systems. A bug should be filed at
 * http://bugs.gentoo.org/ to make sure the issue is fixed.
 * For more information, see http://hardened.gentoo.org/gnu-stack.xml
 * Please include the following list of files in your report:
 * Note: Bugs should be filed for the respective maintainers
 * of the package in question and not hardened@g.o.
 * --- --- RWX usr/lib/opengl/xorg-x11/lib/libGLESv2.so.2.0.0
 * --- --- RWX usr/lib/libglapi.so.0.0.0

Portage 2.2.7 (default/linux/x86/13.0/developer, gcc-4.7.3, glibc-2.16.0, 3.10.17-gentoo i686)
=================================================================
System uname: Linux-3.10.17-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-2.2
KiB Mem: 1028788 total, 146664 free
KiB Swap: 1951892 total, 1951892 free
Timestamp of tree: Sun, 22 Dec 2013 09:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash: 4.2_p45
dev-java/java-config: 2.1.12-r1
dev-lang/python: 2.7.5-r3, 3.3.2-r2
dev-util/cmake: 2.8.11.2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.11.6, 1.13.4
sys-devel/binutils: 2.23.1
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.16.0
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
USE="X a52 aac acl acpi alsa berkdb bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus device-mapper dri dts dvd dvdr emacs emboss encode exif fam firefox flac fortran gdbm gif git gles2 gnutls gtk iconv icu jpeg lcms libkms libnotify mad mbox mercurial minizip mmx mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nss objc ogg opengl openmp opus pam pango pcre pdf perl png policykit ppds pulseaudio python qt3support readline sdl secure-delete session snmp spell sqlite sse ssl startup-notification subversion svg tcb tcmalloc tcpd threads tiff tk toolkit-scroll-bars truetype udev udisks unicode upower usb vorbis wxwidgets x264 x86 xa xcb xft xinerama xml xv xvfb xvid zlib" ABI_X86="32" ALSA_CARDS="ens1371" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard vmmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby20" USERLAND="GNU" VIDEO_CARDS="vmware vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON
Created attachment 368192 [details] build.log.gz
Maybe someone from the hardened team knows what this means?
The QA you are getting is maybe from bug #240956 that we only fixed for Hardened, or some asm files miss the RWX fix:
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
On installing media-libs/mesa-10.2.2 on ~amd64, I only got the warning for the 32-bit library usr/lib32/libglapi.so.0.0.0.

$ emerge -pqv mesa
[ebuild R ] media-libs/mesa-10.2.2 USE="bindist classic dri3 egl gallium gbm llvm nptl -debug -gles1 -gles2 -opencl -openmax -openvg -osmesa -pax_kernel -pic -r600-llvm-compiler (-selinux) -vdpau -wayland -xa -xvmc" ABI_X86="32 (64) (-x32)" VIDEO_CARDS="radeon (-freedreno) -i915 -i965 -ilo -intel -nouveau -r100 -r200 -r300 -r600 -radeonsi -vmware"
*** Bug 546582 has been marked as a duplicate of this bug. ***
Fixed by

commit c272be70311ae98f597ee75c45245afbff7cd1b1
Author: Matt Turner <mattst88@gentoo.org>
Date: Sat Aug 29 14:37:13 2015 -0700

    media-libs/mesa: Mark shared objects with QA_WX_LOAD.

    Bug: https://bugs.gentoo.org/show_bug.cgi?id=458130
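
An added example, not part of the bug thread and not Portage's or scanelf's code: a checker for the condition the QA notice reports, assuming the notice corresponds to ELF program headers (PT_LOAD or PT_GNU_STACK) whose flags are both writable and executable. The helper `build_elf32` and its sample segments are constructed for illustration only.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
NAMES = {PT_LOAD: "LOAD", PT_GNU_STACK: "GNU_STACK"}

def perms(flags):
    """Render p_flags as an R/W/X triplet, e.g. 'RWX' or 'R-X'."""
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))

def wx_segments(data):
    """Return [(index, name, perms)] for LOAD/GNU_STACK segments that are W and X."""
    if len(data) < 6 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a supported ELF image")
    is32 = data[4] == 1                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    try:
        # e_phoff sits at 28 (ELF32) or 32 (ELF64); e_phentsize/e_phnum at 42 or 54.
        (phoff,) = struct.unpack_from(end + ("I" if is32 else "Q"), data, 28 if is32 else 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42 if is32 else 54)
        found = []
        for i in range(phnum):
            off = phoff + i * phentsize
            (p_type,) = struct.unpack_from(end + "I", data, off)
            # p_flags is at offset 24 in Elf32_Phdr but offset 4 in Elf64_Phdr.
            (p_flags,) = struct.unpack_from(end + "I", data, off + (24 if is32 else 4))
            if p_type in NAMES and p_flags & PF_W and p_flags & PF_X:
                found.append((i, NAMES[p_type], perms(p_flags)))
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return found

def build_elf32(segments):
    """Constructed sample: little-endian ELF32 header plus program headers only."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0x1000) for t, f in segments)
    return ehdr + phdrs

if __name__ == "__main__":
    sample = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W | PF_X)])
    print("constructed sample:", wx_segments(sample))
    for path in sys.argv[1:]:                # real files, e.g. an installed .so
        with open(path, "rb") as fh:
            for idx, name, p in wx_segments(fh.read()):
                print(f"{path}: segment {idx} {name} {p}")
```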