LinuxQuestions.org
01-09-2014, 11:45 AM   #1
DarkVision
rpath points to /tmp... in libiodbc and some other packages?


I just checked the changelog and found this:
Quote:
d/llvm-3.3-i486-3.txz: Rebuilt.
The LLVM package included binaries with an rpath pointing to the build
location in /tmp. This allows an attacker with write access to /tmp to
add modified libraries (and execute arbitrary code) as any user running
the LLVM binaries. This updated package rebuilds LLVM to exclude the
build directories from the rpath information.
So rpath pointing to the build directory may be a security problem?

I did a readelf on some directories (/usr/bin and /usr/lib64) and found this:
Quote:
0x000000000000000f (RPATH) Library rpath: [/tmp/libiodbc-3.52.7/iodbc/.libs]
It looks like some files of the libiodbc package also include the rpath data.

Is this the same problem as for llvm?

I did a small Google search and found that Arch Linux is removing the rpath data from libiodbc by using this command:
Code:
chrpath -d ${pkgdir}/usr/bin/iodbctest{,w}
chrpath is not part of Slackware but at least some other distros are removing the rpath data from libiodbc.

Some more files with an rpath:
Quote:
0x000000000000000f (RPATH) Library rpath: [/tmp/subversion-1.7.13/subversion/libsvn_client/.libs:/tmp/subversion-1.7.13/subversion/libsvn_delta/.libs:/tmp/subversion-1.7.13/subversion/libsvn_fs/.libs:/tmp/subversion-1.7.13/subversion/libsvn_ra/.libs:/tmp/subversion-1.7.13/subversion/libsvn_repos/.libs:/tmp/subversion-1.7.13/subversion/libsvn_wc/.libs:/tmp/subversion-1.7.13/subversion/libsvn_diff/.libs:/tmp/subversion-1.7.13/subversion/libsvn_subr/.libs:/tmp/subversion-1.7.13/subversion/bindings/swig/perl/libsvn_swig_perl/.libs]
0x000000000000000f (RPATH) Library rpath: [/tmp/ImageMagick-6.7.7-10/PerlMagick/../magick/.libs]
0x000000000000000f (RPATH) Library rpath: [/tmp/qt-everywhere-opensource-src-4.8.2/src/3rdparty/webkit/Source/lib:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtGui:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtDBus:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtOpenGL:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtDeclarative:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtDesigner:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/PyQt-x11-gpl-4.9.1/qpy/QtCore:/usr/lib64/qt/lib]
0x000000000000000f (RPATH) Library rpath: [/tmp/libplist-1.4/build/src]
0x000000000000000f (RPATH) Library rpath: [/tmp/kde-build/kdewebdev/package-kdewebdev/usr/lib64:/usr/lib64/qt/lib]
I don't know much about this rpath thing, maybe someone can explain this to me.

EDIT: Tested on Slackware 14.0

Last edited by DarkVision; 01-09-2014 at 11:47 AM. Reason: EDIT
 
01-09-2014, 01:45 PM   #2
55020
Yes, that build of libiodbc is exhibiting the same insecurity as the previous build of llvm.

ELF binaries optionally include a character string that names the directory from which libraries will be loaded. This is colloquially known as the rpath, although there are really two such ELF fields, see https://wiki.debian.org/RpathIssue (which explains about how this relates to other mechanisms such as LD_LIBRARY_PATH).

Normally libtool, cmake, etc. will set this to an empty string during the build process. Subsequently, the 'chrpath' command can set this to anything, so long as it fits in the original character string field, which is an ugly hack really. Not all upstream packages are as careful about this as they should be, and some of them think rpaths are useful for the upstream devs, and getting rid of them is the packager's responsibility.

The problem is that any process which can create directories and files in /tmp (i.e., any process) could potentially drop a library into (for example) /tmp/ImageMagick-6.7.7-10/magick/.libs which would do something bad (instead of the intended actions) when something else invokes an ImageMagick command. If 'something else' is a root process, 'something bad' would be done as root, which is as bad as it gets.

As an old Multics user, my opinion is that having so many mechanisms for finding libraries, especially having hardcoded paths in executables, is a recipe for confusion and disaster, but the rarity of actual real world disasters shows that I'm only right about the confusion thing.
 
1 members found this post helpful.
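The readelf check from the first post, turned into a reusable audit (an added example, not code from the thread or from Slackware). It goes beyond the /tmp case and flags any RPATH/RUNPATH element outside a trusted set, including relative, empty and `$ORIGIN` elements, which are left for manual review. `TRUSTED_PREFIXES` and all function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: flag RPATH/RUNPATH elements that lie outside trusted library dirs.
# TRUSTED_PREFIXES is an assumption for illustration; adjust it to your system.
TRUSTED_PREFIXES="/lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64"

# Succeeds only for an absolute path, without "..", under a trusted prefix.
is_trusted_dir() {
    case $1 in
        /*) ;;
        *) return 1 ;;                 # relative, $ORIGIN-based or empty element
    esac
    case $1/ in
        */../*) return 1 ;;            # could climb out of the trusted prefix
    esac
    for _p in $TRUSTED_PREFIXES; do
        case $1/ in "$_p"/*) return 0 ;; esac
    done
    return 1
}

# Print each untrusted element of a colon-separated rpath, one per line.
unsafe_rpath_entries() (
    [ -n "$1" ] || return 0
    rest="$1:"                         # sentinel so a trailing empty element is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        # glibc resolves an empty element as the current directory
        is_trusted_dir "$entry" || printf '%s\n' "${entry:-<empty>}"
    done
)

# Extract the bracketed path list from one `readelf -d` RPATH/RUNPATH line.
rpath_from_line() {
    case $1 in
        *"(RPATH)"*"["*"]"* | *"(RUNPATH)"*"["*"]"*)
            _v=${1#*\[}; printf '%s\n' "${_v%\]*}" ;;
    esac
}

# Read `readelf -d` output on stdin; print "<label>: <element>" per untrusted element.
report_unsafe() (
    while IFS= read -r line; do
        unsafe_rpath_entries "$(rpath_from_line "$line")" |
            while IFS= read -r e; do printf '%s: %s\n' "$1" "$e"; done
    done
)

# Walk directory trees and audit every file readelf can parse (needs binutils).
audit_tree() {
    find "$@" -type f | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | report_unsafe "$f"
    done
}

if [ "$#" -gt 0 ]; then audit_tree "$@"; fi
```

Called with directories as arguments (for example a package staging tree before it is packed), it prints one line per offending element; empty output means nothing was flagged.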
01-10-2014, 01:24 AM   #3
DarkVision
Original Poster

Thank you for the explanation.

I did some more research on this issue and found this page from the Fedora Project. At the end of the page there are some methods mentioned for how to fix this on packages.

I tried those two sed-lines and they seem to fix rpath on the libiodbc package.

For ImageMagick I used this patch from ArchLinux.

For PyQt4 I used a similar sed-command from the Gentoo-Team.

The libplist package could be fixed by adding -DCMAKE_SKIP_RPATH:BOOL=True to the cmake command.

I have to do a fresh install of Slackware 14.1 and check if these (and maybe other) packages are still affected by that.

I'm not sure if it is worth all the effort. If someone has write-access to my system, then something else went wrong.

Last edited by DarkVision; 01-10-2014 at 01:26 AM.
 
  

