Bug 680002 - www-client/chromium-72.0.3626.121[component-build] - scanelf: rpath_security_checks(): Security problem with DT_RPATH='$ORIGIN/.' in /var/tmp/portage/www-client/chromium-72.0.3626.121/image/usr/lib64/chromium-browser/chrome-sandbox with mode set of 4755
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Chromium Project
Reported: 2019-03-11 05:40 UTC by stefbon@gmail.com
Modified: 2019-03-17 02:34 UTC

Attachments
emerge --info =www-client/chromium-72.0.3626.121 (chromium.emerge.info,6.50 KB, text/plain)
2019-03-11 05:40 UTC, stefbon@gmail.com
Description stefbon@gmail.com 2019-03-11 05:40:47 UTC
Created attachment 568532
emerge --info =www-client/chromium-72.0.3626.121

At the last steps of building and installing chromium I get the following error:

------

scanelf: rpath_security_checks(): Security problem with DT_RPATH='$ORIGIN/.' in /var/tmp/portage/www-client/chromium-72.0.3626.121/image/usr/lib64/chromium-browser/chrome-sandbox with mode set of 4755
scanelf: rpath_security_checks(): Security problem with DT_RPATH='$ORIGIN/.' in /var/tmp/portage/www-client/chromium-72.0.3626.121/image/usr/lib64/chromium-browser/chrome-sandbox with mode set of 4755

 * QA Notice: The following files contain insecure RUNPATHs
 *  Please file a bug about this at https://bugs.gentoo.org/
 *  with the maintainer of the package.
 * $ORIGIN/. /var/tmp/portage/www-client/chromium-72.0.3626.121/image/usr/lib64/chromium-browser/chrome-sandbox

 * ERROR: www-client/chromium-72.0.3626.121::gentoo failed:
 *   Aborting due to serious QA concerns with RUNPATH/RPATH
 * 
 * Call stack:
 *     misc-functions.sh, line 503:  Called install_qa_check
 *     misc-functions.sh, line 122:  Called source 'install_symlink_html_docs'
 *   10executable-issues, line 145:  Called elf_check
 *   10executable-issues, line 139:  Called die
 * The specific snippet of code:
 *              die "Aborting due to serious QA concerns with RUNPATH/RPATH"

------

Build flags:

------

[ebuild  N    ] www-client/chromium-72.0.3626.121  USE="closure-compile component-build cups hangouts (pic) proprietary-codecs pulseaudio suid -custom-cflags -gnome-keyring -jumbo-build -kerberos (-neon) (-selinux) (-system-ffmpeg) (-system-icu) (-system-libvpx) (-tcmalloc) -widevine" L10N="am ar bg bn ca cs da de el en-GB es es-419 et fa fi fil fr gu he hi hr hu id it ja kn ko lt lv ml mr ms nb nl pl pt-BR pt-PT ro ru sk sl sr sv sw ta te th tr uk vi zh-CN zh-TW" 


------

Attached is the build emerge info.
It was in the very last stage of installing.
It has something to do with RUNPATH; is it something I can configure?

Stef Bon
Comment 1 stefbon@gmail.com 2019-03-12 06:41:55 UTC
Found the same issue here:

https://forums.gentoo.org/viewtopic-t-1088294-start-0.html

It's marked as solved, but it's solved by itself. No extra information.
Comment 2 Mike Gilbert gentoo-dev 2019-03-12 17:28:46 UTC
Please disable USE="component-build".
Comment 3 stefbon@gmail.com 2019-03-13 06:38:24 UTC
Yes, that worked. Shouldn't there be a warning for using this flag (thus "component-build")? It looks like a very useful flag since the executable chrome becomes very very large (211619504 bytes is more than 200 Mb!).

By the way, thanks for the help.

Stef
Comment 4 Larry the Git Cow gentoo-dev 2019-03-17 02:34:38 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=688e4bba5756db137e4953004d0d7dcd25bdff24

commit 688e4bba5756db137e4953004d0d7dcd25bdff24
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2019-03-17 02:31:32 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2019-03-17 02:34:28 +0000

    www-client/chromium: bump to 73.0.3683.75
    
    Requires GCC 8 or better.
    Requires harfbuzz 2.2 or better.
    Keeps third_party/swiftshader/third_party/llvm-7.0 for ARM64 build.
    Prevents component-build with suid enabled.
    
    Closes: https://bugs.gentoo.org/678216
    Closes: https://bugs.gentoo.org/678428
    Bug: https://bugs.gentoo.org/679326
    Closes: https://bugs.gentoo.org/680002
    Package-Manager: Portage-2.3.62, Repoman-2.3.12_p83
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/chromium/Manifest                     |   1 +
 www-client/chromium/chromium-73.0.3683.75.ebuild | 712 +++++++++++++++++++++++
 2 files changed, 713 insertions(+)
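
The kind of check behind the QA failure in the description, as an added example (not scanelf's or Portage's code): it reads DT_RPATH/DT_RUNPATH from a 64-bit little-endian ELF and flags `$`-token entries such as `$ORIGIN/.` only when the file is set-uid or set-gid, as with the logged mode 4755. The function names and the rules for empty and relative entries are assumptions of this example.

```python
import os, stat, struct

PT_LOAD, PT_DYNAMIC, DT_STRTAB, DT_RPATH, DT_RUNPATH = 1, 2, 5, 15, 29

def read_rpaths(data):
    """Return {'DT_RPATH'|'DT_RUNPATH': str} from a 64-bit little-endian ELF image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF")
    phoff, _, _, _, phentsize, phnum = struct.unpack_from("<QQIHHH", data, 0x20)  # e_phoff..
    loads, tags = [], {}
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif p_type == PT_DYNAMIC:
            # Elf64_Dyn entries are (d_tag, d_val), 16 bytes each; DT_NULL (0) ends them
            for pos in range(off, off + filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == 0:
                    break
                tags[tag] = val
    # DT_STRTAB is a virtual address: map it to a file offset via the PT_LOAD segments
    addr = tags.get(DT_STRTAB, -1)
    strtab = next((o + addr - v for v, o, sz in loads if v <= addr < v + sz), None)
    found = {}
    for name, tag in (("DT_RPATH", DT_RPATH), ("DT_RUNPATH", DT_RUNPATH)):
        if strtab is not None and tag in tags:
            start = strtab + tags[tag]
            found[name] = data[start:data.index(b"\0", start)].decode()
    return found

def insecure_entries(rpath, mode):
    """Example rules (an assumption, not scanelf's code): return (entry, reason) pairs."""
    set_id = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    bad = []
    for entry in rpath.split(":"):
        if not entry:
            bad.append((entry, "empty entry"))
        elif entry.startswith("$") and set_id:
            bad.append((entry, "$-token on set-id file (mode %o)" % (mode & 0o7777)))
        elif not entry.startswith(("/", "$")):
            bad.append((entry, "relative path"))
    return bad

def audit(path):  # hypothetical helper: apply both steps to one file on disk
    with open(path, "rb") as f:
        data, mode = f.read(), os.fstat(f.fileno()).st_mode
    return [(k, e, why) for k, r in read_rpaths(data).items()
            for e, why in insecure_entries(r, mode)]
```

With these rules the same `$ORIGIN/.` entry is reported for mode 4755 and passes for mode 755.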