[Security Bug] Insecure runpaths in /usr/bin/OpenCOLLADAValidator #449
Comments
Can you please submit a PR with the fixes you want? Thanks
@RemiArnaud I'm not that good at CMake, but I have one solution that's kinda hackish just to test if link_directories was really the cause of the insecure runpath issue. I will look to see if there is a cleaner solution to use. I will show you what I did to see if there are any other ideas, because, like I said, this was just to get it to compile and see if there are any insecure runpath errors. Is there a test OpenCollada file that is used to test all features of the validator, so I can see if it works right?

```cmake
set(name OpenCOLLADAValidator)
project(${name})
set(libValidator_include_dirs
    ${CMAKE_CURRENT_SOURCE_DIR}/include
)
set(libValidator_include_dirs ${libValidator_include_dirs} PARENT_SCOPE) # adding include dirs to a parent scope
set(SRC
    src/main.cpp
    src/ValidationErrorHandler.cpp
    include/ValidationErrorHandler.h
    include/Writer.h
)
add_library(OpenCOLLADASaxFrameworkLoader STATIC IMPORTED)
set_target_properties(OpenCOLLADASaxFrameworkLoader PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libOpenCOLLADASaxFrameworkLoader.so)
add_library(GeneratedSaxParser STATIC IMPORTED)
set_target_properties(GeneratedSaxParser PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libGeneratedSaxParser.so)
add_library(OpenCOLLADAFramework STATIC IMPORTED)
set_target_properties(OpenCOLLADAFramework PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libOpenCOLLADAFramework.so)
add_library(OpenCOLLADABaseUtils STATIC IMPORTED)
set_target_properties(OpenCOLLADABaseUtils PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libOpenCOLLADABaseUtils.so)
add_library(MathMLSolver STATIC IMPORTED)
set_target_properties(MathMLSolver PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libMathMLSolver.so)
add_library(UTF STATIC IMPORTED)
set_target_properties(UTF PROPERTIES IMPORTED_LOCATION ${LIBRARY_OUTPUT_PATH}/libUTF.so)
set(libValidator_libs
    OpenCOLLADASaxFrameworkLoader
    GeneratedSaxParser
    OpenCOLLADAFramework
    OpenCOLLADABaseUtils
    MathMLSolver
    ${PCRE_LIBRARIES}
    ${LIBXML2_LIBRARIES}
    UTF
)
include_directories(
    ${libValidator_include_dirs}
    ${libBaseUtils_include_dirs}
    ${libFramework_include_dirs}
    ${libSaxFrameworkLoader_include_dirs}
    ${libGeneratedSaxParser_include_dirs}
)
add_executable(${name} ${SRC})
target_link_libraries(${name} ${libValidator_libs})
add_dependencies(${name} ${CMAKE_REQUIRED_LIBRARIES})
```
It turns out that CMake has built-in functions to handle insecure runpaths, so I was able to make a simple patch: #450 Thanks,
Thanks for the contribution
Hi,
This issue has gone on for a long time, but since I just took up maintainership with Gentoo, it hasn't been reported here before. There are strict checks that happen to binaries, and these checks determined that there are insecure runpaths in OpenCOLLADAValidator.
The relevant bug report is here: Gentoo Bug 439530
The full complete build log with the insecure runpath message is here: Build Log
We think it stems from the use of "link_directories". The replacement command that is recommended is "target_link_libraries":
The files containing "link_directories" are:
We use an external version of LibXML, but the validator does have link_directories.
I hope you can fix this issue as it's a potential security bug.
Kind regards,
Jon
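
A way to reproduce this kind of check on a built binary, as an added example that is not part of the original issue or of the OpenCOLLADA or Gentoo code: it parses `readelf -d` output and flags RPATH/RUNPATH components that a dynamic loader could resolve to an attacker-controlled directory. The rules (empty or relative entries, entries inside the build tree, entries under world-writable directories) are an assumed definition of "insecure", and the build directory and sample output are constructed.

```python
import posixpath
import re

# Rows that `readelf -d` prints for the DT_RPATH / DT_RUNPATH tags.
ROW = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")
# Assumption: directories treated as writable by unprivileged users.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def _under(path, root):
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def classify(entry, build_root):
    """Return None if the entry looks safe, else a short reason."""
    if entry == "":
        return "empty entry (resolved against the current directory)"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # resolved relative to the binary's own location
    if not entry.startswith("/"):
        return "relative path (resolved against the current directory)"
    path = posixpath.normpath(entry)  # collapse ".." before prefix checks
    if _under(path, build_root):
        return "points into the build tree"
    if any(_under(path, d) for d in WORLD_WRITABLE):
        return "world-writable directory"
    return None

def insecure_runpaths(readelf_output, build_root):
    """Return [(tag, entry, reason)] for each unsafe RPATH/RUNPATH component."""
    findings = []
    for line in readelf_output.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        for entry in m.group(2).split(":"):
            reason = classify(entry, build_root)
            if reason:
                findings.append((m.group(1), entry, reason))
    return findings

# Constructed sample, shaped like `readelf -d /usr/bin/OpenCOLLADAValidator`.
BUILD_ROOT = "/var/tmp/build/opencollada"  # constructed build directory
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libxml2.so.2]
 0x000000000000001d (RUNPATH)            Library runpath: [/var/tmp/build/opencollada/lib:/usr/lib64/opencollada::lib]
"""

if __name__ == "__main__":
    for tag, entry, reason in insecure_runpaths(SAMPLE, BUILD_ROOT):
        print(f"{tag}: {entry!r}: {reason}")
```

Feeding it the real output of `readelf -d` on an installed binary, with the actual build directory as `build_root`, gives a quick pass/fail before packaging.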