Bug#495756: ecl has rpath to insecure location (/tmp/buildd/ecl-0.9j-20080306/build/)

Luca Capello luca at pca.it
Mon Aug 25 21:54:26 UTC 2008


Hi Bill!

For the ECL list: this is a 'serious' bug in the Debian BTS [1].  For
the reason why rpath is considered harmful by Debian see [2] and [3].

Please don't Cc: me, I read the list.  However, please keep the Debian
bug cc:ed (no need to subscribe), I set the M-F-T and R-T to both the
bug and the mailing list to facilitate the above :-)

On Wed, 20 Aug 2008 10:55:51 +0200, Bill Allombert wrote:
> Hello Debian Common Lisp Team,
> ecl includes a ELF file /usr/lib/ecl/asdf.fas with a rpath pointing to
> /tmp/buildd/ecl-0.9j-20080306/build/.

If I'm not wrong, this is a design decision, which seems to be
officially documented at [4].  However, it's strange that the rpath is
pointing to /tmp/... and not /usr/lib/ecl/.

> This allows an attacker with write access to that directory to
> add modified libraries which will be loaded when someone
> else run ecl.

I've added the ECL list to cc:.  While I can easily remove the rpath as
explained at [3], I'll wait for upstream's voice :-)

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://bugs.debian.org/495756
[2] http://people.debian.org/~che/personal/rpath-considered-harmful
[3] http://wiki.debian.org/RpathIssue
[4] http://thread.gmane.org/gmane.lisp.ecl.general/205/focus=215
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 314 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-common-lisp-devel/attachments/20080825/53f125e5/attachment.pgp 


More information about the pkg-common-lisp-devel mailing list