Bug 116891
| Field | Value |
|---|---|
| Summary | Contains $RPM_BUILD_ROOT |
| Product | [Fedora] Fedora |
| Component | rpm |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Enrico Scholz <rh-bugzilla> |
| Assignee | Paul Nasrat <nobody+pnasrat> |
| QA Contact | Mike McLean <mikem> |
| CC | jorton, wtogami |
| Keywords | EasyFix, Security |
| Doc Type | Bug Fix |
| Last Closed | 2005-05-16 12:27:14 UTC |
| Bug Blocks | 123268, 136451 |

Description
Enrico Scholz
2004-02-26 00:50:37 UTC
Yes, necessary to build rpm of one version on system with another version installed using libtool with relinking during install. Is this a problem or just an observation?

* it's a problem on my machine since my QA scripts are checking for such errors and build of 'rpm' package fails therefore
* it is a security risk; I know that there must be a few preconditions fulfilled, but why keep it open when it can be fixed without much effort? E.g. on my system, %_tmppath is /var/tmp, an attacker could place malicious libs under /var/tmp/rpm-root/usr/lib and I would link against them when using rpm-libs (reclassifying because of this simple attack)
* trivial fixes might be:
  - the removal of the *.la files (suggested)
  - manual sed'ing (removing all '-L[^ ]*' strings should be sufficient)

still with rpm-4.3.2-0.6.src.rpm

Please supply a suggested patch.

|+ rm -f $RPM_BUILD_ROOT%_libdir/*.la

somewhere in %install

*.la are going to stay in rpm. sed is easy enough to do, no patch needed ;-)

*** Bug 147564 has been marked as a duplicate of this bug. ***

Created attachment 113887 [details]
sed out the unwanted -L directives at %install time

The Right Thing would be to remove the -L$(DESTDIR)... -L$(RPM_BUILD_ROOT)...
paths from */Makefile.am, but that doesn't work correctly due to #132435,
and doesn't solve the problem with paths to zlib in $RPM_BUILD_DIR.
Patching ltmain.sh files seems too fragile to me, this patch seems to be
the best short-term solution.

ping nasrat

Oops forgot to change bug status

* Sat Apr 30 2005 Miloslav Trmac <mitr> - 4.4.1-12
- Remove $RPM_BUILD_ROOT and $RPM_BUILD_DIR from distributed .la files (#116891)
- Don't ship static version of _rpmdb.so
- BuildRequires: readline-devel
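
The QA check and the sed cleanup discussed in this thread, as an added example that is neither attachment 113887 nor the spec change from this bug: one function reports .la files that still mention a build-time path, the other removes only the `-L` tokens under those paths. The function names `la_leaks` and `la_strip`, the `/builddir` path and the sample .la file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: QA check and %install-time cleanup for libtool .la files.

# la_leaks DIR PREFIX...
# Print every .la file under DIR that mentions a PREFIX; return 0 if any do.
la_leaks() {
    dir=$1; shift
    status=1
    for prefix in "$@"; do
        # -F: the prefix is a literal string, not a regular expression
        hits=$(find "$dir" -type f -name '*.la' \
                   -exec grep -lF -- "$prefix" {} +) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            status=0
        fi
    done
    return "$status"
}

# la_strip FILE PREFIX...
# Delete each "-L<PREFIX>..." token from FILE, leaving other -L paths alone.
la_strip() {
    la=$1; shift
    for prefix in "$@"; do
        # Escape regex metacharacters so the path is matched literally
        esc=$(printf '%s' "$prefix" | sed 's/[][\\.*^$|]/\\&/g')
        sed "s|-L${esc}[^ ']*||g" "$la" > "$la.tmp" && mv "$la.tmp" "$la"
    done
}

# Constructed sample: a temp dir stands in for $RPM_BUILD_ROOT and
# /builddir (hypothetical) stands in for $RPM_BUILD_DIR.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/lib"
cat > "$demo_root/usr/lib/librpm.la" <<EOF
dlname='librpm.so.0'
dependency_libs=' -L$demo_root/usr/lib -L/builddir/zlib -L/usr/lib -lz'
libdir='/usr/lib'
EOF

la_leaks "$demo_root" "$demo_root" /builddir && echo "leak found, stripping"
la_strip "$demo_root/usr/lib/librpm.la" "$demo_root" /builddir
la_leaks "$demo_root" "$demo_root" /builddir || echo "clean"
grep dependency_libs "$demo_root/usr/lib/librpm.la"
rm -rf "$demo_root"
```

Running `la_leaks` again after `la_strip` matters: a build-time path can also appear outside a `-L` token, and this cleanup would leave it in place.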