
Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH



Package: debian-policy
Severity: important
Tags: patch

Dear Maintainer,

The existing policy does not specify that the RPATH or RUNPATH (if
present) should not contain relative paths or paths that traverse
dangerous (e.g. world-writable) directories. There is some discussion
of this on the OSS-security list starting at:
http://seclists.org/oss-sec/2014/q4/761

Example bugs that could be avoided with such a policy:
https://bugs.debian.org/754278
https://bugs.debian.org/759868

See also:
https://bugs.debian.org/458824
https://bugs.debian.org/555982

There is some good discussion in these last two reports but they are
both stale (5 years). I suspect that this is because the scope of these
proposals is quite broad. Therefore I'd like to propose a (hopefully
uncontroversial) paragraph that addresses at least the security concern
and that may provide a base for further refinements in the spirit of
#458824 and #555982 as well as a raison d'etre for a future lintian
check to help avoid these security exposures.

(There is an existing check for RPATH in lintian
(binary-or-shlib-defines-rpath) but it is only "Certainty: possible"
due to possible caveats. Relative RPATH/RUNPATH on the other hand is
slam-dunk certain).

> 8.7 RUNPATH and RPATH
>
> Libraries and executables should not define RPATH or RUNPATH unless
> absolutely necessary.
>
> Those that do should ensure that relative paths or paths that traverse
> insecure directories (e.g. /tmp or /var/tmp) are not included. This
> is to prevent an executable from loading a library from an untrusted
> location. (This should include the corner cases whereby the path list
> starts or ends with a colon, or includes two consecutive colons).
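
The conditions in the proposed paragraph, written out as a check on a single RPATH/RUNPATH string. This is an added example, not part of the original report and not lintian code; `audit_runpath`, the problem labels, the handling of `$ORIGIN` entries and the sample values are assumptions made for illustration.

```python
import posixpath

# The two insecure directories the proposed text names; extend as needed.
INSECURE_DIRS = ("/tmp", "/var/tmp")


def _under(path, base):
    return path == base or path.startswith(base + "/")


def audit_runpath(value):
    """Return (entry, problem) pairs for one DT_RPATH/DT_RUNPATH string.

    audit_runpath and the problem labels are hypothetical names for this
    example, not an existing lintian interface.
    """
    findings = []
    for entry in value.split(":"):
        if entry == "":
            # Leading, trailing or doubled colon: the corner case in the text.
            findings.append((entry, "empty-entry"))
        elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
            # Assumption: ld.so expands $ORIGIN to the object's own
            # directory, so it is not judged here.
            continue
        elif not entry.startswith("/"):
            findings.append((entry, "relative"))
        else:
            # Test every lexical prefix so that a detour through an insecure
            # directory (/tmp/x/../../usr/lib) is caught as well as a
            # destination inside one (/usr/lib/../../tmp/x).
            parts = [p for p in entry.split("/") if p]
            for i in range(1, len(parts) + 1):
                prefix = posixpath.normpath("/" + "/".join(parts[:i]))
                if any(_under(prefix, d) for d in INSECURE_DIRS):
                    findings.append((entry, "insecure-dir"))
                    break
    return findings


if __name__ == "__main__":
    # Constructed sample values, as they would appear in `readelf -d` output.
    for sample in ("/usr/lib/foo", ":/usr/lib/foo", "/usr/lib/foo::/opt/x",
                   "lib:/usr/lib", "/var/tmp/build/lib",
                   "/tmp/x/../../usr/lib", "$ORIGIN/../lib"):
        print(repr(sample), audit_runpath(sample))
```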

