Description of problem:
| [ensc@fc-1-90 ensc]$ grep '/usr/src' /usr/lib/*rpm*.la
| /usr/lib/librpm.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmdb.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lelf /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 /usr/lib/libpopt.la -lselinux'
| /usr/lib/librpmbuild.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpm.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lselinux /usr/lib/librpmdb.la /usr/lib/libpopt.la /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 -lelf'
| /usr/lib/librpmdb.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2 /usr/lib/libpopt.la -lelf'
| /usr/lib/librpmio.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2'
(note the '/usr/src/build/343832-i386/install')
Version-Release number of selected component (if applicable):
rpm-devel-4.3-0.9.1 (recent 0.14 too)
Yes, necessary to build rpm of one version on a system with another
version installed, using libtool with relinking during install.
Is this a problem or just an observation?
* it's a problem on my machine since my QA scripts are checking for
such errors and the build of the 'rpm' package therefore fails
* it is a security risk; I know that there must be a few preconditions
fulfilled, but why keep it open when it can be fixed without much
E.g. on my system, %_tmppath is /var/tmp; an attacker could place
malicious libs under /var/tmp/rpm-root/usr/lib and I would link
against them when using rpm-libs (reclassifying because of this
* trivial fixes might be:
- the removal of the *.la files (suggested)
- manual sed'ing (removing of all '-L[^ ]*' strings should be
still with rpm-4.3.2-0.6.src.rpm
Please supply a suggested patch.
|+ rm -f $RPM_BUILD_ROOT%_libdir/*.la
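Review bot: `rm -f $RPM_BUILD_ROOT%_libdir/*.la` removes every libtool archive from the package rather than only the offending `-L` entries, so anything that links through `librpm.la`, `librpmio.la` and friends loses them entirely; since the maintainer states the .la files are staying, the narrower change is a `sed` over the `dependency_libs` line that deletes just the `-L$RPM_BUILD_ROOT...` and `-L$RPM_BUILD_DIR...` tokens, which is what the later attachment does. Minor: `%{_libdir}` is the conventional spelling when the macro is immediately followed by a path.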
somewhere in %install
*.la are going to stay in rpm.
sed is easy enough to do, no patch needed ;-)
*** Bug 147564 has been marked as a duplicate of this bug. ***
Created attachment 113887
sed out the unwanted -L directives at %install time
The Right Thing would be to remove the -L$(DESTDIR)... -L$(RPM_BUILD_ROOT)...
paths from */Makefile.am, but that doesn't work correctly due to #132435,
and doesn't solve the problem with paths to zlib in $RPM_BUILD_DIR.
Patching ltmain.sh files seems too fragile to me, this patch seems to be
the best short-term solution.
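As an added example (not the attached patch, not rpm's spec file, and not the reporter's QA scripts), the following shell snippet shows both halves of what this thread discusses: a QA check that flags `-L` entries in `dependency_libs` which point into a build root or build directory, and the sed-style cleanup at %install time that strips only those entries while keeping the rest of the libtool archive intact. The set of "bad" directory prefixes (`/usr/src/build/`, `/var/tmp/`, `/tmp/`) is an assumption for the demo; the sample .la file is constructed here, modelled on the librpmio.la line from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the rpm package.
# The bad-prefix list below is an assumption; match it to your own
# %_tmppath / %_builddir layout.

# Print every bad -L token found in the dependency_libs line of one .la file.
# $1 = path to the .la file; $2 (optional) = extended regex of bad prefixes.
la_bad_L() {
    la="$1"
    bad="${2:-/usr/src/build/|/var/tmp/|/tmp/}"
    sed -n "s/^dependency_libs='\(.*\)'$/\1/p" "$la" | tr ' ' '\n' \
        | grep -E "^-L(${bad})" || true
}

# Exit status only: 0 if the file is clean, 1 if any bad -L token exists.
# This is the kind of check a QA step can run over $RPM_BUILD_ROOT.
la_is_clean() {
    [ -z "$(la_bad_L "$1" "$2")" ]
}

# Rewrite the .la in place, dropping only the bad -L tokens from
# dependency_libs; library names, -l flags and other -L paths are kept.
# A temp file plus mv is used instead of sed -i for portability.
la_strip_bad_L() {
    la="$1"
    bad="${2:-/usr/src/build/|/var/tmp/|/tmp/}"
    sed -E "/^dependency_libs=/s# -L(${bad})[^ ']*##g" "$la" > "$la.tmp" \
        && mv "$la.tmp" "$la"
}

# Write a constructed .la file modelled on the librpmio.la line in the
# report (sample input for this example, not a file from a real system).
write_sample_la() {
    cat > "$1" <<'EOF'
# librpmio.la - a libtool library file (constructed sample)
dlname='librpmio-4.3.so'
library_names='librpmio-4.3.so librpmio.so'
dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2'
libdir='/usr/lib'
EOF
}

# Demo run: check, clean, check again, show the resulting line.
demo_dir=$(mktemp -d)
write_sample_la "$demo_dir/librpmio.la"
echo "before: $(la_bad_L "$demo_dir/librpmio.la" | tr '\n' ' ')"
la_strip_bad_L "$demo_dir/librpmio.la"
echo "after:  $(la_bad_L "$demo_dir/librpmio.la" | grep -c .) bad entries"
grep '^dependency_libs=' "$demo_dir/librpmio.la"
```

In a spec file the cleanup would run over `$RPM_BUILD_ROOT%{_libdir}/*.la` in %install, and `la_is_clean` over the same files is the failing check the reporter describes; anything left pointing at a world-writable %_tmppath is exactly the path an attacker could pre-populate.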
Oops, forgot to change bug status
* Sat Apr 30 2005 Miloslav Trmac <email@example.com> - 4.4.1-12
- Remove $RPM_BUILD_ROOT and $RPM_BUILD_DIR from distributed .la files (#116891)
- Don't ship static version of _rpmdb.so
- BuildRequires: readline-devel