FS#14016 - [swi-prolog] insecure RPATH

Attached to Project: Arch Linux
Opened by Gerardo Exequiel Pozzi (djgera) - Sunday, 29 March 2009, 21:15 GMT
Last edited by Andrea Scarpino (BaSh) - Thursday, 18 June 2009, 22:36 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jürgen Hötzel (juergen)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The file /usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so has an insecure RPATH (empty)

$ readelf -d /usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so | grep RPATH
0x0000000f (RPATH) Library rpath: [/usr/lib:]

Additional info:
swi-prolog-5.6.64-1

 FS#13890  - Packaging creation and rpath issues
 FS#13891  - [acl] A trivial fix RPATH issue
This task depends upon

Closed by  Andrea Scarpino (BaSh)
Thursday, 18 June 2009, 22:36 GMT
Reason for closing:  Fixed
Additional comments about closing:  swi-prolog-5.6.64-2
Comment by Gerardo Exequiel Pozzi (djgera) - Sunday, 12 April 2009, 21:31 GMT
Trivial patch is attached, also correct $startdir -> $srcdir, $pkgdir

Also namcap detect some missing deps (are as makedepends, but should be as depends)
swi-prolog E: Dependency detected and not included (libjpeg) from files ['usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so']
swi-prolog E: Dependency detected and not included (unixodbc) from files ['usr/lib/pl-5.6.64/lib/i686-linux/odbc4pl.so']
swi-prolog E: Dependency detected and not included (openssl) from files ['usr/lib/pl-5.6.64/lib/i686-linux/ssl4pl.so']
swi-prolog E: Dependency detected and not included (libxpm) from files ['usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so']
swi-prolog E: Dependency detected and not included (libxinerama) from files ['usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so']
swi-prolog E: Dependency detected and not included (libxft) from files ['usr/lib/pl-5.6.64/xpce-6.6.64/lib/i686-linux/pl2xpce.so']
   PKGBUILD.swi-prolog.rpath.fix... (0.5 KiB)
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 03 June 2009, 19:54 GMT
And this trivil patch, fixes compilation in with new glibc-2.10

swi-prolog/src/pl-5.6.64/src/mkvmi.c:102: error: static declaration of 'strndup' follows non-static declaration

just comment an already defined function strndup() in string.h
   swi-prolog.compile.fix.patch (0.3 KiB)
Comment by Jürgen Hötzel (juergen) - Wednesday, 03 June 2009, 20:16 GMT
Thanks for your contribution!

Whats insecure about an empty rpath?
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 03 June 2009, 20:31 GMT
You are welcome ;)

Not really big problem. An empty rpath allow libraries to load from current directory. For example:

$ gcc hola.c -Wl,-rpath, -o hola -lm
$ LD_DEBUG=libs LD_TRACE_OBJECTS=yes ./hola
4051: find library=libm.so.6 [0]; searching
4051: search path=tls/i686/sse2:tls/i686:tls/sse2:tls:i686/sse2:i686:sse2: (RPATH from file ./hola)
4051: trying file=tls/i686/sse2/libm.so.6
4051: trying file=tls/i686/libm.so.6
4051: trying file=tls/sse2/libm.so.6
4051: trying file=tls/libm.so.6
4051: trying file=i686/sse2/libm.so.6
4051: trying file=i686/libm.so.6
4051: trying file=sse2/libm.so.6
4051: trying file=libm.so.6
4051: search cache=/etc/ld.so.cache
4051: trying file=/lib/libm.so.6
Comment by Jürgen Hötzel (juergen) - Wednesday, 03 June 2009, 21:00 GMT
Good catch!

Loading...