oss-sec mailing list archives
Re: Perl 5.32.0 mishandling of rpath and runpath tokens
From: Casper.Dik () Oracle COM
Date: Tue, 21 Jul 2020 10:12:44 +0200
Hi Everyone, Perl mishandles rpath tokens $ORIGIN, $LIB and $PLATFORM. Also see https://man7.org/linux/man-pages/man8/ld.so.8.html. Building on Linux or Solaris with LDFLAGS that includes a rpath or runpath: -Wl,-R,$ORIGIN/../lib -Wl,-R,$HOME/tmp/ok2delete/lib results in a rpath or runpath similar to below (Solaris is shown): # From $HOME/perl-5.32.0 directory $ elfdump libperl.so | grep PATH [10] RUNPATH 0xaf4d /../lib:/export/home/jwalton/tmp/ok2delete/lib [11] RPATH 0xaf4d /../lib:/export/home/jwalton/tmp/ok2delete/lib Now the interesting thing here is, $ORIGIN was expanded to nothing and /../lib is just /lib. And Solaris /lib directory contains old libraries, like zLib 1.2.8 and Bzip 1.0.6. zLib 1.2.8 and Bzip 1.0.6 have CVEs against them. So rather than use the new zLib and Bzip in $HOME/tmp/ok2delete/lib, Perl uses the old ones with CVEs in /lib.
The current version shipped with Solaris are zlib 1.2.11 and bzip2 1.0.8.
Perl stated they won't fix the problem. Also see https://github.com/Perl/perl5/issues/17534. The best workarounds I have found is to run patchelf (Linux) or editelf (Solaris) on all programs and libraries after 'make' and before 'make check', and after 'make check' and before 'make install'. The procedure has to happen twice because Perl rebuilds some things after 'make', including some shared objects built during 'make check'.
There is another possible solution on Solaris by setting the following
variables in the environment:
LD_UNSET="-R/../lib" (drops -R/../lib; multiple options can be
given)
LD_OPTIONS='-R$ORIGIN/../lib' (multiple options possible here too)
/tmp$ cc foo.c -o foo -R/fuz -R/bar -R/blah
/tmp$ dump -Lv foo | grep RPATH
[5] RPATH /fuz:/bar:/blah
/tmp$ LD_OPTIONS=-R/foo/bar LD_UNSET="-R/fuz -R/bar" cc foo.c -o foo -R/fuz -R/bar -R/blah
ld: warning: unsetting option '-R/fuz': LD_UNSET directed
ld: warning: unsetting option '-R/bar': LD_UNSET directed
/tmp$ dump -Lv foo | grep RPATH [5] RPATH /foo/bar:/blah
Casper
Current thread:
- Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Phil Pennock (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Phil Pennock (Jul 20)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Casper . Dik (Jul 21)
- Re: Perl 5.32.0 mishandling of rpath and runpath tokens Jeffrey Walton (Jul 20)