Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH

To: Martin Carpenter <mcarpenter@free.fr>, 773557@bugs.debian.org
Subject: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
From: Bill Allombert <ballombe@debian.org>
Date: Thu, 5 Feb 2015 23:16:05 +0100
Message-id: <[🔎] 20150205221605.GA28584@yellowpig>
Reply-to: Bill Allombert <ballombe@debian.org>, 773557@bugs.debian.org
In-reply-to: <20141219224949.8179.59578.reportbug@juliet.mcarpenter.org>
References: <20141219224949.8179.59578.reportbug@juliet.mcarpenter.org>

On Fri, Dec 19, 2014 at 11:49:49PM +0100, Martin Carpenter wrote:
> Package: debian-policy
> Severity: important
> Tags: patch
> 
> Dear Maintainer,
> 
> The existing policy does not specify that the RPATH or RUNPATH (if
> present) should not contain relative paths or paths that traverse
> dangerous (eg world writable) directories. There is some discussion
> of this on the OSS-security list starting at:
> http://seclists.org/oss-sec/2014/q4/761
> 
> Example bugs that could be avoided with such a policy:
> https://bugs.debian.org/754278
> https://bugs.debian.org/759868

Alas policy by itself does not prevent bugs, a lintian test is more efficient,

> (There is an existing check for RPATH in lintian
> (binary-or-shlib-defines-rpath) but it is only "Certainty: possible"
> due to possible caveats. Relative RPATH/RUNPATH on the other hand is
> slam-dunk certain).

Then maybe lintian should have a separate test for relative RPATH/RUNPATH.

> There is some good discussion in these last two reports but they are
> both stale (5 years). I suspect that this is because the scope of these
> proposals is quite broad. Therefore I'd like to propose a (hopefully
> uncontraversial) paragraph that addresses at least the security concern
> and that may provide a base for further refinements in the spirit of
> #458824 and #555982 as well as a raison d'etre for a future lintian
> check to help avoid these security exposures.

It is not necessary to document in policy all the obvious invalid behaviours
of packages prior to have them check by lintian.

> > 8.7 RUNPATH and RPATH
> >
> > Libraries and executables should not define RPATH or RUNPATH unless
> > absolutely necessary.
> >
> > Those that do should ensure that relative paths or paths that traverse
> > insecure directories (eg /tmp or /var/tmp) are not included. This
> > is to prevent an executable from loading a library from an untrusted
> > location. (This should include the corner cases whereby the path list
> > starts or ends with a colon, or includes two consecutive colons).

I would further suggest we forbid /usr/lib  and /usr/lib/<multiarch>/,
and only allow RUNPATH to other subdirectories of /usr/lib (to support
what policy call plug-in).

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Reply to:

Prev by Date: Bug#765499: Patch to make policy document 32-bit uids
Next by Date: Bug#666726: debian-policy: Clarify if empty control fields are ollowed or not
Previous by thread: Processed: your mail
Next by thread: Bug#666726: debian-policy: Clarify if empty control fields are ollowed or not
Index(es):
- Date
- Thread