oss-sec mailing list archives
Re: Perl 5.32.0 mishandling of rpath and runpath tokens
From: Phil Pennock <oss-security-phil () spodhuis org>
Date: Mon, 20 Jul 2020 10:57:21 -0400
On 2020-07-20 at 04:33 -0400, Jeffrey Walton wrote:
On Mon, Jul 20, 2020 at 4:21 AM Jeffrey Walton <noloader () gmail com> wrote:-Wl,-R,$ORIGIN/../lib -Wl,-R,$HOME/tmp/ok2delete/libMy bad... It does not matter how this $ORIGIN token is quoted. Perl always expands it.
I've encountered this in build systems before, where the quoting is inconsistent and apparently can result in different levels of dequoting for a target depending upon how it was reached. What I've used for building those has been to specify %ORIGIN instead of $ORIGIN and then binary-edit the resulting binary to switch that % back to a $. All quoting issues disappear and all binary offsets are stable. Just make sure the binary-edit step is before any binary signing. :) At some point, it's also worth considering static linking. -Phil
Current thread:
- Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Phil Pennock (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Phil Pennock (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Casper . Dik (Jul 21)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)