author | Mike Frysinger <vapier@gentoo.org> | 2009-02-26 04:03:10 +0000 |
committer | Mike Frysinger <vapier@gentoo.org> | 2009-02-26 04:03:10 +0000 |
commit | ad2974ab0c443e64f614d7afca0c4bd0facced16 (patch) | |
tree | a5ba5f34e91e7b7bce9cfbf3aa1e4fd389778d15 | |
parent | 8b87db77e853bc33632608e26b0ac2f15eb10581 (diff) | |
reject all set*id binaries that have DT_RPATH:$ORIGIN #260331
svn path=/main/trunk/; revision=12712
-rwxr-xr-x | bin/misc-functions.sh | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
index 472beb274..b2796bd50 100755
--- a/bin/misc-functions.sh
+++ b/bin/misc-functions.sh
@@ -73,14 +73,19 @@ install_qa_check() {
 	# (older, broken libtools would do this). Also check for null paths
 	# because the loader will search $PWD when it finds null paths.
 	f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )")
-	if [[ -n ${f} ]] ; then
+	# Reject set*id binaries with $ORIGIN in RPATH #260331
+	x=$(
+		find "${D}" -type f -perm /6000 -print0 | xargs -0 \
+			scanelf -qyRF '%r %p' | grep '$ORIGIN'
+	)
+	if [[ -n ${f}${x} ]] ; then
 		vecho -ne '\a\n'
 		eqawarn "QA Notice: The following files contain insecure RUNPATH's"
 		eqawarn " Please file a bug about this at http://bugs.gentoo.org/"
 		eqawarn " with the maintaining herd of the package."
-		eqawarn "${f}"
+		eqawarn "${f}${f:+${x:+\n}}${x}"
 		vecho -ne '\a\n'
-		if has stricter ${FEATURES} ; then
+		if [[ -n ${x} ]] || has stricter ${FEATURES} ; then
 			insecure_rpath=1
 		else
 			vecho "Auto fixing rpaths for ${f}" |
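Review bot: In the new `x=$(...)` block, GNU xargs still runs its command once when `find` matches no set*id file, so `scanelf -qyRF '%r %p'` is invoked with no operands and whatever it prints in that case is fed to `grep`; the intent is clearer and the empty case is avoided with `find "${D}" -type f -perm /6000 -exec scanelf -qyRF '%r %p' {} + | grep -F -- '$ORIGIN'`, which only launches scanelf when there is something to scan and matches `$ORIGIN` as a fixed string instead of relying on `$` being literal in that position of a basic regex. The `\n` inside `eqawarn "${f}${f:+${x:+\n}}${x}"` is only a line break if eqawarn interprets backslash escapes, which cannot be confirmed from this hunk; if it does not, the two lists are printed fused on one line. A path under `${D}` that itself contains the text `$ORIGIN` would also be reported, since the grep runs over the `%p` column as well as `%r`. The body of install_qa_check continues past the end of the hunk.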