QA tool for RPATH and RPM_BUILD_ROOT checking
Enrico Scholz
enrico.scholz at informatik.tu-chemnitz.de
Wed Mar 17 02:00:18 UTC 2004
Hello,

lots of (at least: too many) Fedora Core packages have files with
paths referring to the build environment. Such paths are

* RPATHS in programs/libraries

  When files were linked badly in the build, it may happen that they get
  an RPATH into the temporary build environment (RPATH is the path which
  is used to resolve libraries).

  E.g. when a program '/usr/bin/foo' is linked so that it looks for libraries
  in /var/tmp/foo-root/usr/lib, this can be easily exploited. This example
  uses $RPM_BUILD_ROOT; more common are $RPM_BUILD_DIR rpaths. Although the
  latter rpaths have more preconditions for a successful exploit, they
  are still vulnerabilities which must be fixed.

  See http://www.securityfocus.com/archive/1/351758/2004-01-27/2004-02-02/0
  for a related bugtraq posting.

* $RPM_BUILD_ROOT in files

  Unfortunately, there are lots of packages which do not support
  installation into snapshot directories. So, hacks like %makeinstall will
  be used which can lead to adding temporary $RPM_BUILD_ROOT paths to the
  files. For an example, see /usr/bin/HtFileType from htdig-3.2.0b5-5[1]:

  | magic_file=/var/tmp/htdig-root/etc/htdig/HtFileType-magic.mime
               ~~~~~~~~~~~~~~~~~~~

  Besides broken make-systems, there are some other reasons for
  the inclusion of such paths (e.g. linking against internal copies of
  libraries; see /usr/lib/librpm.la of rpm-4.3-0.20[2]).

Such paths affect both functionality and security in a negative
manner. E.g. an attacker could place a HtFileType-magic.mime which
causes overflows into the world-writable /var/tmp directory. Or, you
get simple 'No such file' errors.

These kinds of bugs are relatively easy to detect: you just have to
search for uncommon RPATHs and grep for '$RPM_BUILD_ROOT' shortly after
%install. I wrote a small package 'rpm-audit'[3] which hooks into
%%__arch_install_post; perhaps every Fedora package should be checked
with it.

Current flaws are:

* checks for $RPM_BUILD_DIR are not done since there may be legitimate
  reasons for its occurrence (debug-info)

* all files under $RPM_BUILD_ROOT will be checked; some files which are
  %excluded in the %files list may be false positives.

Enrico
Footnotes:
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116442
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116891
[3] http://www.tu-chemnitz.de/~ensc/fedora.us-build/qa/; scripts are
part of fedora.us's fedora-rpmdevtools package too
The .spec file tells how to apply it.
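
The two checks described in the message (grep for the build root, look for RPATHs into the build environment), as an added sketch that is not part of the original post and not the rpm-audit scripts. The function names, the use of readelf, and the extra /tmp and /var/tmp prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not the rpm-audit scripts. Function names and the
# /tmp, /var/tmp prefixes are assumptions made for this sketch.

# check_buildroot_refs BUILDROOT
# Lists installed files whose contents mention the BUILDROOT path itself.
# Returns 1 if any were found, 0 otherwise.
check_buildroot_refs() {
    root=${1%/}
    hits=$(grep -rlF -e "$root" "$root" 2>/dev/null || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf 'BUILDROOT-REF %s\n' "${f#"$root"}"
    done
    return 1
}

# rpath_is_suspicious RPATH PREFIX...
# Returns 0 if any colon-separated RPATH entry is at or below one of the
# PREFIX directories (typically $RPM_BUILD_ROOT and $RPM_BUILD_DIR) or a
# world-writable temporary directory.
rpath_is_suspicious() {
    rpath=$1; shift
    for prefix in "$@" /tmp /var/tmp; do
        prefix=${prefix%/}
        [ -n "$prefix" ] || continue
        case ":$rpath:" in
            *":$prefix:"*|*":$prefix/"*) return 0 ;;
        esac
    done
    return 1
}

# check_rpaths BUILDROOT [PREFIX...]
# Reports ELF files under BUILDROOT whose RPATH/RUNPATH is suspicious.
check_rpaths() {
    root=${1%/}
    command -v readelf >/dev/null 2>&1 || { echo 'readelf missing, RPATH check skipped' >&2; return 0; }
    bad=$(find "$root" -type f | while IFS= read -r f; do
        rp=$(readelf -d "$f" 2>/dev/null |
             sed -n -E 's/.*\((RPATH|RUNPATH)\).*\[(.*)\]$/\2/p' | paste -sd: -)
        if [ -n "$rp" ] && rpath_is_suspicious "$rp" "$@"; then
            printf 'BAD-RPATH %s [%s]\n' "${f#"$root"}" "$rp"
        fi
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Run after %install, `check_buildroot_refs "$RPM_BUILD_ROOT"` and `check_rpaths "$RPM_BUILD_ROOT" "$RPM_BUILD_DIR"` print one line per offending file and return non-zero so the build can be failed.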