https://bugs.openldap.org/show_bug.cgi?id=9296
Issue ID: 9296
Summary: OpenLDAP mishandles rpath and runpath tokens
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: build
Assignee: bugs@openldap.org
Reporter: noloader@gmail.com
Target Milestone: ---
Hi Everyone,
I'm building the OpenLDAP 2.4.50 release tarball on multiple operating systems. I've noticed there's a couple of issues with rpaths and runpaths.
I configure OpenLDAP, and it includes the following LDFLAGS:
LDFLAGS: -Wl,-R,'$ORIGIN/../lib' -Wl,-R,/export/home/jwalton/tmp/ok2delete/lib
When I audit the resulting programs and shared objects, I see two issues. First, the rpaths and runpaths have been reordered. Second, rpath and runpath tokens were not preserved. The tokens include $ORIGIN, $LIB and $PLATFORM (see the ld.so(8) man page). In fact, the rpath and runpath seem to have been expanded to nothing.
This is from Solaris.
/export/home/jwalton/tmp/ok2delete/lib/libldap-2.4.so.2.10.13:
    RUNPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
    RPATH   /export/home/jwalton/tmp/ok2delete/lib:/../lib
And:
/export/home/jwalton/tmp/ok2delete/lib/libldap_r-2.4.so.2.10.13:
    RUNPATH /export/home/jwalton/tmp/ok2delete/lib:/../lib
    RPATH   /export/home/jwalton/tmp/ok2delete/lib:/../lib
Expanding '$ORIGIN/../lib' to '/../lib' is especially problematic. '/../lib' is just '/lib', so OpenLDAP is runtime linking to the wrong libraries, like zLib 1.2.8 and Bzip 1.0.6. Libraries like zLib 1.2.8 and Bzip 1.0.6 have active CVEs against them. It is better to runtime link against the new libraries I provide.
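The audit described in the report above, as an added example that is not part of the original report or of OpenLDAP's build system: it compares the search path given in LDFLAGS with the RPATH/RUNPATH value read back from a built object (for example from `readelf -d` or `elfdump -d`) and flags lost tokens and reordering. The function name `check_runpath` and its output labels are hypothetical; the sample values are the ones quoted in the report.

```shell
#!/bin/sh
# Added example; check_runpath is a hypothetical helper, not an OpenLDAP script.
# Usage: check_runpath EXPECTED ACTUAL
#   EXPECTED  colon-separated path passed to the linker (tokens unexpanded)
#   ACTUAL    RPATH/RUNPATH value read back from the built object
# Prints one finding per line; exit status is 0 only when nothing is flagged.
check_runpath() (
    expected=$1; actual=$2; rc=0; missing=0; mapped=
    IFS=:; set -f                     # split on ':' only, no globbing
    for want in $expected; do
        found=$want
        case ":$actual:" in
            *":$want:"*) ;;           # entry survived verbatim
            *)  rc=1
                # Drop a leading $TOKEN or ${TOKEN}: this is what an unescaped
                # token becomes once make or the shell expands it to nothing.
                # Entries without a token come back unchanged.
                residue=$(printf '%s\n' "$want" |
                          sed 's/^\$[{]\{0,1\}[A-Za-z_]*[}]\{0,1\}//')
                case ":$actual:" in
                    *":$residue:"*)
                        printf 'TOKEN-LOST %s -> %s\n' "$want" "$residue"
                        found=$residue ;;
                    *)  missing=1; printf 'MISSING %s\n' "$want" ;;
                esac ;;
        esac
        mapped=${mapped:+$mapped:}$found
    done
    for got in $actual; do
        case $got in
            '$'*|/*) ;;               # token-relative or absolute entry
            *) rc=1; printf 'RELATIVE-OR-EMPTY "%s"\n' "$got" ;;
        esac
    done
    # Every entry was located but the sequence differs (also fires when the
    # object carries extra entries that were not on the link line).
    if [ "$missing" -eq 0 ] && [ "$mapped" != "$actual" ]; then
        rc=1; printf 'ORDER-CHANGED linked as %s\n' "$expected"
    fi
    [ "$rc" -eq 0 ]
)

# Values quoted in the report: the -R arguments and the Solaris RUNPATH.
linked='$ORIGIN/../lib:/export/home/jwalton/tmp/ok2delete/lib'
observed='/export/home/jwalton/tmp/ok2delete/lib:/../lib'
check_runpath "$linked" "$observed" || echo "audit: runpath does not match the link line"
```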
noloader@gmail.com <noloader@gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|All                         |Solaris
            Version|unspecified                 |2.4.50
           Hardware|All                         |x86_64
--- Comment #1 from noloader@gmail.com <noloader@gmail.com> ---
And it looks like OpenLDAP is fix-resistant. I fix the rpath and runpath twice, but OpenLDAP builds new libraries at 'make install'.
Here's the procedure I follow. fix-makefiles.sh and fix-rpaths.sh are my scripts.
    ./configure
    ./fix-makefiles.sh  # escape dollar signs: $ORIGIN -> $$ORIGIN
    make
    ./fix-rpaths.sh     # use patchelf or editelf to fix rpath and runpath
    make check
    ./fix-rpaths.sh     # use patchelf or editelf to fix rpath and runpath
    make install
You are not supposed to build anything during 'make install'.
--- Comment #2 from Howard Chu <hyc@openldap.org> ---
(In reply to noloader@gmail.com from comment #1)
> You are not supposed to build anything during 'make install'.
True. Unfortunately, this is libtool doing its thing. We've fixed this multiple times in the past by hacking up our own copy of libtool to prevent it, but then we're forced to update to the latest vanilla libtool and go through it all again.
You really need to report this as a bug to the libtool maintainers.
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID
--- Comment #3 from Quanah Gibson-Mount <quanah@openldap.org> ---
Not an OpenLDAP bug, please report to the libtool developers.
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
noloader@gmail.com <noloader@gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |FIXED
--- Comment #4 from noloader@gmail.com <noloader@gmail.com> ---
(In reply to Howard Chu from comment #2)
> (In reply to noloader@gmail.com from comment #1)
> > You are not supposed to build anything during 'make install'.
>
> True. Unfortunately, this is libtool doing its thing.
I think I caused the problem of building during install. I did not save/restore the timestamp, which caused the rebuild.
Once the timestamp was preserved, the 'make install' build problem went away.
    # for each program and shared object
    touch -a -m -r "$file" "file.timestamp"
    chmod a+w "$file"
    patchelf --set-rpath "$FIXED_RUNPATH" "$file"
    chmod go-w "$file"
    touch -a -m -r "file.timestamp" "$file"
Another thing I noticed... OpenLDAP's shared objects are not a+x. A 'find ... -type f -executable ...' does not find them.
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID