Bug#359234: libapache2-svn: modules have trapdoor rpath /tmp/svn

Bill Allombert allomber at math.u-bordeaux.fr
Mon Mar 27 19:42:31 UTC 2006


On Mon, Mar 27, 2006 at 09:10:48PM +0200, Laszlo Boszormenyi wrote:
> On Mon, 2006-03-27 at 11:57 -0600, Peter Samuelson wrote:
> > [Bill Allombert]
> > > libapache2-svn modules have a rpath pointing to /tmp:
> [...]
> > Extra rpaths are usually
> > quite harmless, but you are right, if a buildd builds things in /tmp,
> > it can be a security problem.
>  Err, it seems it was hand compiled. At least the rpath contains
> /tmp/svn/subversion-1.3.0 , then I suspect a hand compilation. At least
> why a buildd would use /tmp/svn/ as a build path?
> 
> > I'll take another look as soon as I get a chance.
>  IMHO a bin NMU would be enough in this case. But beware: there's a new
> neon package version since then; and I couldn't build the current
> Subversion package in a clean SID chroot due to a segfault building the
> Java bindings.

Hello Laszlo,

A binNMU will change the rpath but not fix the bug:

The alpha binary has a rpath of:
/build/buildd/subversion-1.3.0/BUILD/subversion/libsvn_subr/.libs:/build/buildd/subversion-1.3.0/BUILD/subversion/libsvn_repos/.libs
which is still wrong.

Cheers,
Bill.
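
As an added example that is not part of the original message: a check a packager could run over `readelf -d` output to catch both rpaths discussed in this thread (the `/tmp/svn/...` one and the `/build/buildd/...` one). The function names and the allow-list of trusted directories are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit RPATH/RUNPATH entries.
# Assumption: only the directories in the allow-list below are trusted.

# rpath_from_readelf: read `readelf -d` output on stdin and print each
# RPATH/RUNPATH value (the text between the square brackets).
rpath_from_readelf() {
    sed -n -e 's/^.*(RPATH).*\[\(.*\)] *$/\1/p' \
           -e 's/^.*(RUNPATH).*\[\(.*\)] *$/\1/p'
}

# audit_rpath "<colon-separated rpath>": print "BAD <entry>" for every
# entry outside the allow-list; return 1 if any entry was flagged.
audit_rpath() {
    rc=0
    if [ -z "$1" ]; then return 0; fi      # no rpath at all: nothing to flag
    # A leading, trailing or doubled ':' is an empty entry, which glibc's
    # loader searches as the current directory.
    case ":$1:" in
        *::*) echo "BAD (empty entry: current directory)"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=:; set -f
    for entry in $1; do
        case $entry in
            "") ;;                                   # reported above
            */..|*/../*) echo "BAD $entry"; rc=1 ;;  # may escape the prefix
            /lib|/lib/*|/usr/lib|/usr/lib/*) ;;      # trusted (assumed list)
            *) echo "BAD $entry"; rc=1 ;;            # /tmp, build dirs, relative
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# Constructed sample line in `readelf -d` format; the RPATH value is the
# alpha one quoted in the message above.
sample=' 0x000000000000000f (RPATH)              Library rpath: [/build/buildd/subversion-1.3.0/BUILD/subversion/libsvn_subr/.libs:/build/buildd/subversion-1.3.0/BUILD/subversion/libsvn_repos/.libs]'
audit_rpath "$(printf '%s\n' "$sample" | rpath_from_readelf)" || :
```

On a real module the input would come from `readelf -d <module>.so | rpath_from_readelf`; a non-zero return from `audit_rpath` means at least one entry names a directory outside the trusted list.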




