Bug 116891 - Contains $RPM_BUILD_ROOT
Summary: Contains $RPM_BUILD_ROOT
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm   
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
Keywords: EasyFix, Security
Blocks: FC3Target FC4Target
Reported: 2004-02-26 00:50 UTC by Enrico Scholz
Modified: 2007-11-30 22:10 UTC (History)

Doc Type: Bug Fix
Last Closed: 2005-05-16 12:27:14 UTC
Attachments
sed out the unwanted -L directives at %install time (1.90 KB, patch)
2005-04-30 14:56 UTC, Miloslav Trmač

Description Enrico Scholz 2004-02-26 00:50:37 UTC
Description of problem:

| [ensc@fc-1-90 ensc]$ grep '/usr/src' /usr/lib/*rpm*.la
| /usr/lib/librpm.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmdb.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lelf /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 /usr/lib/libpopt.la -lselinux'
| /usr/lib/librpmbuild.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpm.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lselinux /usr/lib/librpmdb.la /usr/lib/libpopt.la /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 -lelf'
| /usr/lib/librpmdb.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2 /usr/lib/libpopt.la -lelf'
| /usr/lib/librpmio.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2'

(note the '/usr/src/build/343832-i386/install')


Version-Release number of selected component (if applicable):

rpm-devel-4.3-0.9.1 (recent 0.14 too)

Comment 1 Jeff Johnson 2004-02-26 04:34:42 UTC
Yes, necessary to build rpm of one version on system with another
version installed using libtool with relinking during install.

Is this a problem or just an observation?

Comment 2 Enrico Scholz 2004-03-17 01:10:55 UTC
* it's a problem on my machine since my QA scripts are checking for
  such errors and build of 'rpm' package fails therefore

* it is a security risk; I know that there must be a few preconditions 
  fulfilled, but why keep it open when it can be fixed without much 
  effort?

  E.g. on my system, %_tmppath is /var/tmp, an attacker could place 
  malicious libs under /var/tmp/rpm-root/usr/lib and I would link
  against them when using rpm-libs (reclassifying because of this
  simple attack)

* trivial fixes might be:
  - the removal of the *.la files (suggested)
  - manual sed'ing (removing all '-L[^ ]*' strings should be
    sufficient)


Comment 3 Enrico Scholz 2004-07-17 03:29:59 UTC
still with rpm-4.3.2-0.6.src.rpm

Comment 4 Warren Togami 2004-11-06 00:17:02 UTC
Please supply a suggested patch.

Comment 5 Enrico Scholz 2004-11-06 00:45:03 UTC
|+ rm -f $RPM_BUILD_ROOT%_libdir/*.la

somewhere in %install

Comment 6 Jeff Johnson 2004-11-26 01:42:32 UTC
*.la are going to stay in rpm.

sed is easy enough to do, no patch needed ;-)

Comment 7 Jeff Johnson 2005-02-09 13:46:52 UTC
*** Bug 147564 has been marked as a duplicate of this bug. ***

Comment 8 Miloslav Trmač 2005-04-30 14:56:51 UTC
Created attachment 113887
sed out the unwanted -L directives at %install time

The Right Thing would be to remove the -L$(DESTDIR)... -L$(RPM_BUILD_ROOT)...
paths from */Makefile.am, but that doesn't work correctly due to #132435,
and doesn't solve the problem with paths to zlib in $RPM_BUILD_DIR.

Patching ltmain.sh files seems too fragile to me, this patch seems to be
the best short-term solution.

Comment 9 Warren Togami 2005-05-16 09:11:22 UTC
ping nasrat

Comment 10 Paul Nasrat 2005-05-16 12:27:14 UTC
Oops forgot to change bug status

* Sat Apr 30 2005 Miloslav Trmac <mitr@redhat.com> - 4.4.1-12
- Remove $RPM_BUILD_ROOT and $RPM_BUILD_DIR from distributed .la files (#116891)
- Don't ship static version of _rpmdb.so
- BuildRequires: readline-devel
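
The check from the report and the scrub discussed in Comments 2 and 8, as an added example (not the attached patch and not code from the rpm spec): it lists `-L` directives in `dependency_libs` that point under a build root or build directory, then removes only those. The function names `la_leaks` and `la_scrub` are hypothetical, and the sample line is constructed from the `librpmio.la` output quoted in the description.

```shell
#!/bin/sh
# Added example, not the patch attached to this bug. The sample .la line is
# modelled on the librpmio.la output quoted in the report; paths are constructed.

# Print each -L directive in dependency_libs that lies under one of PREFIX...
la_leaks() {  # usage: la_leaks FILE PREFIX...
    file=$1; shift
    sed -n "s/^dependency_libs='\(.*\)'\$/\1/p" "$file" | tr ' ' '\n' |
    while read -r tok; do
        for p in "$@"; do
            case $tok in "-L$p"|"-L$p"/*) printf '%s\n' "$tok" ;; esac
        done
    done
}

# Rewrite FILE in place, dropping only the -L directives under PREFIX...
# Prefixes are matched literally (no regex) and must not contain spaces.
la_scrub() {  # usage: la_scrub FILE PREFIX...
    file=$1; shift
    tmp=$(mktemp) || return 1
    PREFIXES="$*" awk -v q="'" '
        BEGIN { n = split(ENVIRON["PREFIXES"], pre, " ") }
        /^dependency_libs=/ {
            val = $0; sub(/^dependency_libs=./, "", val); sub(/.$/, "", val)
            m = split(val, tok, " "); out = ""
            for (i = 1; i <= m; i++) {
                drop = 0
                for (j = 1; j <= n; j++)
                    if (tok[i] == "-L" pre[j] || index(tok[i], "-L" pre[j] "/") == 1)
                        drop = 1
                if (!drop) out = out " " tok[i]
            }
            print "dependency_libs=" q out q; next
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo on a constructed file: report the leaks, scrub, show the cleaned line.
demo() {
    root=/usr/src/build/343832-i386/install bdir=/usr/src/build/343832-i386/BUILD
    la=$(mktemp) || return 1
    echo "dependency_libs=' -L$root/usr/lib -L/usr/lib /usr/lib/libbeecrypt.la -lrt -L$bdir/rpm-4.3/zlib -L/usr/local/lib -lbz2'" > "$la"
    echo "before:"; la_leaks "$la" "$root" "$bdir"
    la_scrub "$la" "$root" "$bdir"
    echo "after:";  cat "$la"; rm -f "$la"
}
demo
```

In a spec file the prefixes would be "$RPM_BUILD_ROOT" and "$RPM_BUILD_DIR", and a non-empty `la_leaks` result after %install is the condition a QA script can fail the build on.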


