RPATH is a private header of the ELF object format that allows to declare a search path where a shared library that an object depends on can be found. It is considered unsafe because it allows arbitrary code injection by malware installed in such additional search locations. It is usually introduced by passing additional library directories to the compiler (gcc -Lpath).+ /usr/lib/rpm/brp-rpath
ERROR: RPATH "/usr/src/packages/BUILD/ImageMagick-6.6.7-7/magick/.libs" on /usr/src/packages/BUILDROOT/ImageMagick-6.6.7-7.x86_64
/usr/lib/perl5/vendor_perl/5.12.3/x86_64-linux-thread-multi/auto/Image/Magick/Magick.so is not allowed
Note that the declared path /usr/src/packages/BUILD/ImageMagick-6.6.7-7/magick/.libs, apart from introducing a security threat, is obviously not useful at run time.
In this particular case, this abomination is created with the following command:
Code: Select all
LD_RUN_PATH="/usr/src/packages/BUILD/ImageMagick-6.6.7-7/PerlMagick/../magick/.libs" \
cc -shared -L/usr/src/packages/BUILD/ImageMagick-6.6.7-7/magick/.libs \
Magick.o -o blib/arch/auto/Image/Magick/Magick.so \
-L/usr/src/packages/BUILD/ImageMagick-6.6.7-7/PerlMagick/../magick/.libs -lMagickCore -lm \
The command line is generated by MakeMaker, probably from the following input:
Code: Select all
# defaults for LIBS & INC & CCFLAGS params that we later pass to Writemakefile
my $INC_magick = '-I../ -I@top_srcdir@ @CPPFLAGS@ -I"' . $Config{'usrinc'} . '/ImageMagick"';
my $LIBS_magick = '-L../magick/.libs -lMagickCore -lperl @MATH_LIBS@';
my $CCFLAGS_magick = "$Config{'ccflags'} @CFLAGS@";
my $LDFLAGS_magick = "-L../magick/.libs -lMagickCore $Config{'ldflags'} @LDFLAGS@";
my $LDDLFLAGS_magick = "-L../magick/.libs -lMagickCore $Config{'lddlflags'} @LDFLAGS@";
And here is the actual script that does the failing test. It is undocumented but quite readable as a specification of requirements:
Code: Select all
for FILE in $(find $RPM_BUILD_ROOT -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null); do
for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}'); do
if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue;fi
while [ -n "$RPATH_VAL" ]; do
RPATH_VAL_NXT=${RPATH_VAL%%:*}
RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)
case ":$RPATH_VAL_NXT" in
:/usr/lib*)
;;
:/lib*)
;;
:/opt/*/lib*)
;;
:/usr/X11R6/lib*)
;;
*)
echo "ERROR: RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed"
HAD_ERRORS=1
esac
done
done
done
It seems that RPATH is introduced under the influence of $LD_RUN_PATH, unless -fuse-linker-plugin is used. I used explicit @LDFLAGS@ but it turns out that $LDFLAGS is not used for $(INST_DYNAMIC), so it did not help at all.
So here is another weirdness:
(Makefile)# MakeMaker Parameters:
# LDDLFLAGS => q[-L../magick/.libs -lMagickCore -shared -L/usr/local/lib64 -fstack-protector -fuse-linker-plugin]
# LDFLAGS => q[-L../magick/.libs -lMagickCore -L/usr/local/lib64 -fstack-protector -fuse-linker-plugin]
LDDLFLAGS = -shared -L/usr/src/packages/BUILD/ImageMagick-6.6.7-7/magick/.libs
LDFLAGS = -L../magick/.libs -lMagickCore -L/usr/local/lib64 -fstack-protector -fuse-linker-plugin
This phenomenon is caused by the following code in ImageMagick.spec:
Code: Select all
--with-perl-options="INSTALLDIRS=vendor %{?perl_prefix} CC='%__cc -L$PWD/magick/.libs' LDDLFLAGS='-shared -L$PWD/magick/.libs'"