Bug#495756: ecl has rpath to insecure location (/tmp/buildd/ecl-0.9j-20080306/build/)
luca at pca.it
Mon Aug 25 21:54:26 UTC 2008
For the ECL list: this is a 'serious' bug in the Debian BTS . For
the reason why rpath is considered harmful by Debian see  and .
Please don't Cc: me, I read the list. However, please keep the Debian
bug cc:ed (no need to subscribe), I set the M-F-T and R-T to both the
bug and the mailing list to facilitate the above :-)
On Wed, 20 Aug 2008 10:55:51 +0200, Bill Allombert wrote:
> Hello Debian Common Lisp Team,
> ecl includes an ELF file /usr/lib/ecl/asdf.fas with a rpath pointing to
If I'm not wrong, this is a design decision, which seems to be
officially documented at . However, it's strange that the rpath is
pointing to /tmp/... and not /usr/lib/ecl/.
> This allows an attacker with write access to that directory to
> add modified libraries which will be loaded when someone
> else runs ecl.
I've added the ECL list to cc:. While I can easily remove the rpath as
explained at , I'll wait for upstream's voice :-)
Gismo / Luca
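
An added example, not part of the original message and not Debian's or ECL's own tooling: a check over `readelf -d` output that flags RPATH/RUNPATH entries a local user could populate, such as the /tmp/buildd/... path from the bug title. The trusted-directory list, the function names and the sample `readelf` lines are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: directories treated as root-owned and not world-writable.
TRUSTED_PREFIXES = ("/usr/lib", "/lib", "/usr/local/lib")

# Matches the RPATH/RUNPATH lines printed by `readelf -d <file>`.
ENTRY_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Constructed sample output modelled on the path reported in the bug title.
SAMPLE_ASDF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libecl.so]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/buildd/ecl-0.9j-20080306/build/]
"""

# Constructed sample mixing acceptable and unsafe entries.
SAMPLE_MIXED = """\
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/ecl:$ORIGIN/../lib::build/lib]
"""


def classify(entry):
    """Return a reason string if a search-path entry is unsafe, else None."""
    if entry == "":
        return "empty entry (resolves to the current working directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        # Assumption: accepted here; its safety depends on where the file is installed.
        return None
    if not entry.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(entry)  # collapses ".." so /usr/lib/../../tmp is caught
    if any(norm == p or norm.startswith(p + "/") for p in TRUSTED_PREFIXES):
        return None
    return "outside trusted library directories"


def audit(readelf_output):
    """Return (tag, entry, reason) for every unsafe RPATH/RUNPATH entry."""
    findings = []
    for line in readelf_output.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for entry in value.split(":"):  # the dynamic linker splits on ':'
            reason = classify(entry)
            if reason:
                findings.append((tag, entry, reason))
    return findings
```

On a real system the input would come from running `readelf -d` against each installed ELF object, for example /usr/lib/ecl/asdf.fas.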