classification
Title: Avoid '.' as runpath on AIX
Type: security
Stage: resolved
Components: Build
Versions: Python 3.1, Python 3.2, Python 3.3, Python 2.7

process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: AIX shared library fix
View: 941346
Assigned To:
Nosy List: haubi, pitrou, sable
Priority: normal
Keywords: patch

Created on 2011-02-10 14:02 by haubi, last changed 2011-02-26 08:13 by pitrou. This issue is now closed.

Files
File name Uploaded Description
python-2.7.1-aix-safe-runpath.patch haubi, 2011-02-10 14:02 Avoid recording insecure runpath on AIX.
Messages (3)
msg128293 - Author: Michael Haubenwallner (haubi) Date: 2011-02-10 14:02
Spotted in issue#941346 msg#128214, the "-L$(srcdir)" should be removed from BLDSHARED on AIX:

The problem is that '-L$(srcdir)' adds '$(srcdir)' to the runpath too (as there is no '-blibpath' argument), opening a security hole for libpythonX.Y.so as well as the modules.so.

As LDLIBRARY points to the immediate file 'libpython$(VERSION).so' instead of '-lpython$(VERSION)', I don't see the need for '-L$(srcdir)' at all.
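
Added example, not part of the original report or of CPython's build: a shell check for the condition msg128293 describes, a non-absolute entry such as '.' in the runpath recorded in an AIX object. It assumes the loader-section listing printed by AIX `dump -H`, with the libpath at import string index 0; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CPython build code): flag non-absolute runpath entries.
# Assumption: stdin looks like AIX `dump -H` output, where import string
# index 0 holds the colon-separated libpath (runpath).

# Print the index-0 PATH column from `dump -H` output read on stdin.
libpath_from_dump() {
    awk '/Import File Strings/ { seen = 1; next }
         seen && $1 == "0"     { print $2; exit }'
}

# Print each libpath entry that is not an absolute directory: '.', relative
# build directories, and empty entries (shown as <empty>; flagging those is
# this example's policy).
unsafe_libpath_entries() {
    rest=$1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case $entry in
            /*) ;;                    # absolute path: accepted by this check
            '') echo '<empty>' ;;
            *)  echo "$entry" ;;
        esac
        [ "$more" -eq 1 ] || break
    done
}

# Return 0 if the libpath is clean; otherwise list offenders and return 1.
audit_dump() {
    libpath=$(libpath_from_dump)
    bad=$(unsafe_libpath_entries "$libpath")
    [ -z "$bad" ] && return 0
    echo "$bad"
    return 1
}

# Constructed listings (not from a real build): with '.' recorded, and clean.
SAMPLE_BEFORE='                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:/usr/lib:/lib
1                                    libc.a              shr.o'
SAMPLE_AFTER='                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/lib:/lib
1                                    libc.a              shr.o'
printf '%s\n' "$SAMPLE_BEFORE" | audit_dump || echo "unsafe runpath found"
```

On an AIX host, pipe the output of `dump -H` for libpythonX.Y.so or an extension module into `audit_dump`; a non-zero status means the object still records a non-absolute directory.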
msg128649 - Author: Sébastien Sablé (sable) Date: 2011-02-16 11:01
This has been corrected for Python 3.2 in issue 941346.
Needs to be tested on Python 2.7.
msg129509 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2011-02-26 08:13
Now backported as part of issue 941346.
History
Date User Action Args
2011-02-26 08:13:30 pitrou set status: open -> closed
    nosy: pitrou, sable, haubi
    messages: + msg129509
    superseder: AIX shared library fix
    resolution: duplicate
    stage: resolved
2011-02-16 11:01:26 sable set nosy: pitrou, sable, haubi
    messages: + msg128649
2011-02-10 21:50:09 pitrou set nosy: + sable, pitrou
2011-02-10 14:02:59 haubi create