[security] Build-time RPATH in gems' .so #2873

Open
r-stu31 opened this Issue Jan 6, 2014 · 2 comments

Contributor

r-stu31 commented Jan 6, 2014

Shared object libraries installed with gems include an RPATH with the build-time path. This is wrong and has security implications. Example using Rubinius built on 1.1.2014 from the /tmp/rubinius directory and installed to /opt/rubinius_2014010100:

$ readelf -d /opt/rubinius_2014010100/gems/gems/rubysl-openssl-2.0.5/lib/openssl/openssl.so | fgrep RPATH
 0x000000000000000f (RPATH)              Library rpath: [/tmp/rubinius/staging/lib:/usr/pkg/lib]

The path /tmp/rubinius/staging/lib should not be there (the path /usr/pkg/lib is correct).

Owner

dbussink commented Jan 6, 2014

Does this also happen if you build with --without-rpath?

Contributor

r-stu31 commented Jan 6, 2014

No, with --without-rpath the RPATH is correct.
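
An audit sketch for the condition reported in this issue, added here as an example and not part of the original thread or the Rubinius code base: it parses `readelf -d` output and reports every RPATH/RUNPATH entry that falls outside an allowlist. The `TRUSTED` list and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report RPATH/RUNPATH entries outside an allowlist of prefixes.
# TRUSTED is an assumption; set it to the library directories that are
# legitimate on the target system (colon-separated).
TRUSTED="${TRUSTED:-/lib:/lib64:/usr/lib:/usr/lib64:/usr/local/lib:/usr/pkg/lib}"

# Return 0 if $1 is a trusted prefix or lies below one.
is_trusted() {
    case "$1" in
        */..|*/../*) return 1 ;;          # ".." could escape the prefix
    esac
    old_ifs=$IFS; IFS=:
    for prefix in $TRUSTED; do
        case "$1" in
            "$prefix"|"$prefix"/*) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Read `readelf -d` output on stdin and print each untrusted entry, one per
# line. Empty, relative and $ORIGIN entries are also printed for manual review.
untrusted_rpath_entries() {
    sed -n 's/.*(R[UN]*PATH).*\[\(.*\)].*/\1/p' | tr ':' '\n' |
    while IFS= read -r entry; do
        is_trusted "$entry" || printf '%s\n' "${entry:-<empty>}"
    done
}

# Walk a directory tree and print "library: entry" for each finding.
scan_tree() {
    find "$1" -type f -name '*.so' | while IFS= read -r lib; do
        readelf -d "$lib" 2>/dev/null | untrusted_rpath_entries |
        while IFS= read -r bad; do
            printf '%s: %s\n' "$lib" "$bad"
        done
    done
}

# Usage: sh audit_rpath.sh /opt/rubinius_2014010100/gems
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

Run against the install prefix after each build; any output line names a library whose search path still points at the build tree or another directory outside the allowlist.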
