QA tool for RPATH and RPM_BUILD_ROOT checking

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Mar 17 02:00:18 UTC 2004


Hello,

lots (at least: too many) Fedora Core packages have files with
paths referring to the build environment. Such paths are

* RPATHS in programs/libraries

  when files are linked badly in the build, they may end up with an
  RPATH pointing into the temporary build environment (the RPATH is the
  path list the dynamic linker uses to resolve libraries).

  E.g. when a program '/usr/bin/foo' is linked so that it looks for libraries
  in /var/tmp/foo-root/usr/lib, this can easily be exploited. This example
  uses $RPM_BUILD_ROOT; $RPM_BUILD_DIR rpaths are more common. Although the
  latter rpaths have more preconditions for a successful exploit, they
  are still vulnerabilities which must be fixed.

  See http://www.securityfocus.com/archive/1/351758/2004-01-27/2004-02-02/0
  for a related bugtraq posting.


* $RPM_BUILD_ROOT in files

  unfortunately, lots of packages exist which do not support
  installation into snapshot directories.  So, hacks like %makeinstall are
  used, which can lead to temporary $RPM_BUILD_ROOT paths being added to the
  files.  For an example, see /usr/bin/HtFileType from htdig-3.2.0b5-5[1]:

  | magic_file=/var/tmp/htdig-root/etc/htdig/HtFileType-magic.mime
               ~~~~~~~~~~~~~~~~~~~

  Besides broken make systems, there are some other reasons for
  the inclusion of such paths (e.g. linking against internal copies of
  libraries; see /usr/lib/librpm.la of rpm-4.3-0.20[2]).


  Such paths affect both functionality and security negatively.
  E.g. an attacker could place a HtFileType-magic.mime which
  causes overflows into the world-writable /var/tmp directory. Or you
  simply get 'No such file' errors.



These kinds of bugs are relatively easy to detect: you just have to
search for uncommon RPATHs and grep for '$RPM_BUILD_ROOT' shortly after
%install. I wrote a small package 'rpm-audit'[3] which hooks into
%%__arch_install_post; perhaps every Fedora package should be checked
with it.

Current flaws are:
* checks for $RPM_BUILD_DIR are not done since there may be legitimate
  reasons for its occurrence (debug-info)

* all files under $RPM_BUILD_ROOT will be checked; some files which are
  %excluded in the %files list may be false positives.
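
A minimal version of such a post-%install check, written in POSIX sh as an
added example here (it is not the rpm-audit script): it greps every installed
file, binaries included, for the literal build root path and, when readelf is
available, reports RPATH/RUNPATH entries of ELF objects that point into the
build root. Like rpm-audit it skips $RPM_BUILD_DIR and knows nothing about
%exclude, so it can report the same false positives.

```shell
#!/bin/sh
# Added example, not the rpm-audit code: a %__arch_install_post-style
# check run against $RPM_BUILD_ROOT after %install.
#
# It reports two things:
#   1. files containing the literal build root path (scripts, .la files,
#      configs; binaries are searched too, which also catches an RPATH
#      string in .dynstr when readelf is not installed)
#   2. RPATH/RUNPATH entries of ELF objects that point into the build root
# $RPM_BUILD_DIR rpaths are deliberately not checked (debug-info), and
# files that %files later %excludes are still reported (false positives).

# is_elf FILE: true when FILE starts with the ELF magic \177ELF
is_elf() {
    [ "$(od -An -c -N 4 "$1" 2>/dev/null | tr -d ' \n')" = "177ELF" ]
}

# audit_buildroot ROOT: prints findings, returns 0 if clean, 1 otherwise
audit_buildroot() {
    root=${1%/}
    [ -d "$root" ] || { echo "no such build root: '$root'" >&2; return 2; }
    findings=$(
        # -F: the path is a fixed string, not a regex; -a: search binaries
        find "$root" -type f -exec grep -laF -- "$root" {} + |
        while IFS= read -r f; do
            echo "BUILDROOT-PATH: ${f#"$root"}"
        done
        if command -v readelf >/dev/null 2>&1; then
            find "$root" -type f | while IFS= read -r f; do
                is_elf "$f" || continue
                readelf -d "$f" 2>/dev/null | grep -E '\(R(UN)?PATH\)' |
                    grep -qF -- "$root" && echo "RPATH: ${f#"$root"}"
            done
        fi
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit_buildroot.sh "$RPM_BUILD_ROOT"
if [ $# -gt 0 ]; then
    audit_buildroot "$1"
fi
```

Hooked into %__arch_install_post, a non-zero return aborts the build before the broken file is packaged.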
   


Enrico

Footnotes: 
[1]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116442
[2]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116891
[3]  http://www.tu-chemnitz.de/~ensc/fedora.us-build/qa/; scripts are
     part of fedora.us's fedora-rpmdevtools package too
     The .spec file tells how to apply it.