Description of problem:

[ensc@fc-1-90 ensc]$ grep '/usr/src' /usr/lib/*rpm*.la
/usr/lib/librpm.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmdb.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lelf /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 /usr/lib/libpopt.la -lselinux'
/usr/lib/librpmbuild.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpm.la -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lselinux /usr/lib/librpmdb.la /usr/lib/libpopt.la /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -lbz2 -lelf'
/usr/lib/librpmdb.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/librpmio.la /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2 /usr/lib/libpopt.la -lelf'
/usr/lib/librpmio.la:dependency_libs=' -L/usr/src/build/343832-i386/install/usr/lib -L/usr/lib /usr/lib/libbeecrypt.la -lrt -lpthread -L/usr/src/build/343832-i386/BUILD/rpm-4.3/zlib -L/usr/local/lib -lbz2'

(note the '/usr/src/build/343832-i386/install')

Version-Release number of selected component (if applicable):
rpm-devel-4.3-0.9.1 (recent 0.14 too)
Yes, necessary to build rpm of one version on system with another version installed using libtool with relinking during install. Is this a problem or just an observation?
* it's a problem on my machine since my QA scripts are checking for such errors and the build of the 'rpm' package therefore fails
* it is a security risk; I know that there must be a few preconditions fulfilled, but why keep it open when it can be fixed without much effort? E.g. on my system, %_tmppath is /var/tmp; an attacker could place malicious libs under /var/tmp/rpm-root/usr/lib and I would link against them when using rpm-libs (reclassifying because of this simple attack)
* trivial fixes might be:
  - the removal of the *.la files (suggested)
  - manual sed'ing (removing all '-L[^ ]*' strings should be sufficient)
still with rpm-4.3.2-0.6.src.rpm
Please supply a suggested patch.
+ rm -f $RPM_BUILD_ROOT%_libdir/*.la

somewhere in %install
*.la are going to stay in rpm. sed is easy enough to do, no patch needed ;-)
*** Bug 147564 has been marked as a duplicate of this bug. ***
Created attachment 113887
sed out the unwanted -L directives at %install time

The Right Thing would be to remove the -L$(DESTDIR)... -L$(RPM_BUILD_ROOT)... paths from */Makefile.am, but that doesn't work correctly due to #132435, and doesn't solve the problem with paths to zlib in $RPM_BUILD_DIR. Patching ltmain.sh files seems too fragile to me; this patch seems to be the best short-term solution.
ping nasrat
Oops, forgot to change bug status.

* Sat Apr 30 2005 Miloslav Trmac <mitr> - 4.4.1-12
- Remove $RPM_BUILD_ROOT and $RPM_BUILD_DIR from distributed .la files (#116891)
- Don't ship static version of _rpmdb.so
- BuildRequires: readline-devel