Created attachment 339260 [details]
emerge --info

Comment 2 Toralf Förster 2013-02-18 22:24:29 UTC

Created attachment 339310 [details]
emerge info

Similar here with 9.1_rc2 :

QA: other
QA Notice: The following files contain insecure RUNPATHs
 Please file a bug about this at http://bugs.gentoo.org/
 with the maintaining herd of the package.
  /var/tmp/portage/media-libs/mesa-9.1_rc2/image/usr/lib/mesa/swrast_dri.so
  /var/tmp/portage/media-libs/mesa-9.1_rc2/image/usr/lib/mesa/i915_dri.so

QA Notice: The following files contain writable and executable sections
 Files with such sections will not work properly (or at all!) on some
 architectures/operating systems.  A bug should be filed at
 http://bugs.gentoo.org/ to make sure the issue is fixed.
 For more information, see http://hardened.gentoo.org/gnu-stack.xml
 Please include the following list of files in your report:
 Note: Bugs should be filed for the respective maintainers
 of the package in question and not hardened@g.o.
--- R-X RWX usr/lib/libglapi.so.0.0.0
--- R-X --- usr/lib/opengl/xorg-x11/lib/libGL.so.1.2.0

got a message regarding mesa

>>> Messages generated by process 4890 on 2013-03-06 20:53:10 VET for package media-libs/mesa-9.1:

LOG: postinst
USE="bindist" was not set. Potentially patent encumbered code was
enabled. Please see patents.txt for an explanation.
QA: other
QA Notice: The following files contain insecure RUNPATHs
 Please file a bug about this at http://bugs.gentoo.org/
 with the maintaining herd of the package.
  /var/tmp/portage/media-libs/mesa-9.1/image/usr/lib64/mesa/swrast_dri.so



quite strange to me as it's about a /var/tmp/

this might be useful

ls -al /usr/lib{32,64}/{dri,mesa}/swrast_dri.so*
lrwxrwxrwx 1 root root    22 Feb 18  2011 /usr/lib32/dri/swrast_dri.so -> ../mesa/swrastg_dri.so
-rwxr-xr-x 1 root root 21912 Feb 24 18:16 /usr/lib32/mesa/swrast_dri.so
lrwxrwxrwx 1 root root    21 Jul 10  2011 /usr/lib64/dri/swrast_dri.so -> ../mesa/swrast_dri.so
-rwxr-xr-x 1 root root 26976 Mar  6 20:52 /usr/lib64/mesa/swrast_dri.so

ls -al /usr/lib/libglapi.so* /usr/lib/opengl/xorg-x11/lib/libGL.so*
lrwxrwxrwx 1 root root     17 Mar  6 20:52 /usr/lib/libglapi.so -> libglapi.so.0.0.0
lrwxrwxrwx 1 root root     17 Mar  6 20:52 /usr/lib/libglapi.so.0 -> libglapi.so.0.0.0
-rwxr-xr-x 1 root root 149776 Mar  6 20:52 /usr/lib/libglapi.so.0.0.0
lrwxrwxrwx 1 root root     14 Mar  6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so -> libGL.so.1.2.0
lrwxrwxrwx 1 root root     14 Mar  6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so.1 -> libGL.so.1.2.0
-rwxr-xr-x 1 root root 401208 Mar  6 20:52 /usr/lib/opengl/xorg-x11/lib/libGL.so.1.2.0

The issue is also present in mesa-9.1.6 (only one file):

>>> Messages generated by process 26216 on 2013-11-02 08:10:14 CET for package media-libs/mesa-9.1.6:
[..]
QA Notice: The following files contain writable and executable sections
[..]
--- --- RWX usr/lib/libglapi.so.0.0.0

Comment 5 Matt Turner 2013-11-07 18:43:27 UTC

*** Bug 490258 has been marked as a duplicate of this bug. ***

Comment 6 Paweł Hajdan, Jr. (RETIRED) 2014-01-19 20:32:02 UTC

Similar here with media-libs/mesa-9.1.6:

 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  http://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@g.o.
 * --- --- RWX usr/lib/opengl/xorg-x11/lib/libGLESv2.so.2.0.0
 * --- --- RWX usr/lib/libglapi.so.0.0.0

Portage 2.2.7 (default/linux/x86/13.0/developer, gcc-4.7.3, glibc-2.16.0, 3.10.17-gentoo i686)
=================================================================
System uname: Linux-3.10.17-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-2.2
KiB Mem:     1028788 total,    146664 free
KiB Swap:    1951892 total,   1951892 free
Timestamp of tree: Sun, 22 Dec 2013 09:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.5-r3, 3.3.2-r2
dev-util/cmake:           2.8.11.2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
USE="X a52 aac acl acpi alsa berkdb bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus device-mapper dri dts dvd dvdr emacs emboss encode exif fam firefox flac fortran gdbm gif git gles2 gnutls gtk iconv icu jpeg lcms libkms libnotify mad mbox mercurial minizip mmx mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nss objc ogg opengl openmp opus pam pango pcre pdf perl png policykit ppds pulseaudio python qt3support readline sdl secure-delete session snmp spell sqlite sse ssl startup-notification subversion svg tcb tcmalloc tcpd threads tiff tk toolkit-scroll-bars truetype udev udisks unicode upower usb vorbis wxwidgets x264 x86 xa xcb xft xinerama xml xv xvfb xvid zlib" ABI_X86="32" ALSA_CARDS="ens1371" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard vmmouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby20" USERLAND="GNU" VIDEO_CARDS="vmware vesa vga" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON

Comment 7 Paweł Hajdan, Jr. (RETIRED) 2014-01-19 20:32:35 UTC

Created attachment 368192 [details]
build.log.gz

Comment 8 Matt Turner 2014-03-08 02:31:59 UTC

Maybe someone from the hardened team knows what this means?

Comment 9 Magnus Granberg 2014-03-08 14:26:56 UTC

The QA you getting is maybe from bug #240956 that we only fixed for
Hardened or that some asm files miss the RWX fix https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

On installing media-libs/mesa-10.2.2 on ~amd64, I only got the warning for the 32-bit library usr/lib32/libglapi.so.0.0.0 .

$ emerge -pqv mesa
[ebuild   R   ] media-libs/mesa-10.2.2  USE="bindist classic dri3 egl gallium gbm llvm nptl -debug -gles1 -gles2 -opencl -openmax -openvg -osmesa -pax_kernel -pic -r600-llvm-compiler (-selinux) -vdpau -wayland -xa -xvmc" ABI_X86="32 (64) (-x32)" VIDEO_CARDS="radeon (-freedreno) -i915 -i965 -ilo -intel -nouveau -r100 -r200 -r300 -r600 -radeonsi -vmware"

Comment 11 Matt Turner 2015-08-29 21:27:57 UTC

*** Bug 546582 has been marked as a duplicate of this bug. ***

Comment 12 Matt Turner 2015-08-29 21:35:24 UTC

Fixed by

commit c272be70311ae98f597ee75c45245afbff7cd1b1
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sat Aug 29 14:37:13 2015 -0700

    media-libs/mesa: Mark shared objects with QA_WX_LOAD.
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=458130