| Summary: | bad wrapper for gdal tools | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | eric gerbier <eric.gerbier> |
| Component: | RPM Packages | Assignee: | David GEIGER <geiger.david68210> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | Normal | CC: | geiger.david68210, lewyssmith, tmb |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | gdal-2.4.1-2.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 25809 | | |
| Bug Blocks: | | | |

Description
eric gerbier
2020-01-23 09:29:59 CET
No need to duplicate a bug, we are already on it here: https://bugs.mageia.org/show_bug.cgi?id=25809

CC: (none) => geiger.david68210

Lewis Smith
2020-01-23 20:34:25 CET
Blocks: (none) => 25809

This is a bit confusing, David. Bug 25809 is about:
gdal new security issue CVE-2019-17545
This problem was discovered there, but is a different issue. BTAIM
In https://bugs.mageia.org/show_bug.cgi?id=25809#c6
Eric offers a solution. So I am daring to:
- Block 25809 on this one 26122
- Set this one 26122 as blocking the other 25809

For convenience, copied below are comments 5 & 6 from the security bug:
-------------------------------------
David GEIGER 2020-01-23 09:09:00 CET

Hmmm! yes strange this issue! and we have this problem for a while apparently.

The gdalinfo script says:

    #!/usr/bin/sh
    # gdalinfo - temporary wrapper script for .libs/gdalinfo
    # Generated by libtool (GNU libtool) 2.4.6
    #
    # The gdalinfo program cannot be directly executed until all the libtool
    # libraries that it depends on are installed.
    #
    # This wrapper script should never be moved out of the build directory.
    # If it is, it will not operate correctly.
    # Sed substitution that helps us do robust quoting. It backslashifies
    # metacharacters that are still active within double-quoted strings.

The real problem is that gdalinfo should be a binary and not just a script.

I tried locally to find what is going wrong but without success.
-------------------------------------
eric gerbier 2020-01-23 13:48:36 CET

I have an answer: the problem comes first from the install target in the makefile for apps directory

$ diff -u apps/GNUmakefile.orig apps/GNUmakefile --- apps/GNUmakefile.orig 2020-01-23 13:43:42.990620775 +0100 +++ apps/GNUmakefile 2020-01-23 11:35:46.774852333 +0100
@@ -216,6 +216,8 @@ install: default for f in $(BIN_LIST) ; do $(INSTALL) $$f $(DESTDIR)$(INST_BIN) ; done + mkdir -p $(DESTDIR)$(INST_BIN)/.libs + for f in $(BIN_LIST) ; do $(INSTALL) .libs/$$f $(DESTDIR)$(INST_BIN)/.libs ; done $(INSTALL_DATA) gdal_utils.h $(DESTDIR)$(INST_INCLUDE) $(INSTALL) gdal-config-inst $(DESTDIR)$(INST_BIN)/gdal-config

this will install also the real binaries in .libs directory

the second change will be in gdal spec file :

diff -u gdal.spec.orig gdal.spec --- gdal.spec.orig 2020-01-23 13:45:44.543398861 +0100 +++ gdal.spec 2020-01-23 13:45:52.873589247 +0100 @@ -256,7 +256,6 @@ %doc NEWS VERSION %{_datadir}/gdal %{_bindir}/* -%{_bindir}/.libs/* %{_mandir}/man1/* %{_datadir}/bash-completion/completions/* %exclude %{_bindir}/gdal-config

this will include the real binaries in rpm package
--------------------------------------------------

Assigning to you DavidG as already looking at the fault.
I would leave the security bug alone until this problem is sorted, then it can be re-tested.
Complain if you disagree; I am CC'd on both.

Assignee: bugsquad => geiger.david68210

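
Review bot: In the apps/GNUmakefile hunk, the two added lines keep the libtool wrapper scripts installed in $(DESTDIR)$(INST_BIN) and place the real binaries beside them in a .libs subdirectory, although the wrapper header quoted in comment 5 states that the script "should never be moved out of the build directory". Consider installing the real binaries into $(INST_BIN) in place of the wrappers (for example through libtool's install mode) so that neither a build-tree wrapper nor a hidden directory ships in the package. If the loop is kept, note that `for f in $(BIN_LIST) ; do $(INSTALL) .libs/$$f $(DESTDIR)$(INST_BIN)/.libs ; done` returns only the status of the last file; an `|| exit 1` after the $(INSTALL) call would make a failed copy stop the install target.
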
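
Review bot: In the gdal.spec hunk, `%{_bindir}/.libs/*` carries a `-` sign and the header `@@ -256,7 +256,6 @@` shrinks the file list by one line, so as posted the hunk removes the entry, while the accompanying text says the change is meant to include the real binaries in the package. The diff appears to have been generated with its two files swapped; the intended line would read `+%{_bindir}/.libs/*`. It is worth regenerating the diff before it is applied so the direction of the change is unambiguous.
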
David Walser
2020-01-23 21:45:21 CET
Depends on: (none) => 25809

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0068.html

Resolution: (none) => FIXED
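
A packaging check for the fault described in the quoted comment 5, as an added example that is not code from this report, gdal or the Mageia package: it scans a directory for files carrying the libtool wrapper banner shown there. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag libtool build-tree wrapper
# scripts that ended up in an install tree such as an RPM buildroot.

# is_libtool_wrapper FILE -> 0 if FILE carries the libtool wrapper banner
# quoted in the bug ("temporary wrapper script for .libs/<name>").
is_libtool_wrapper() {
    [ -f "$1" ] || return 1
    # The banner sits directly under the shebang, so the head is enough.
    head -n 5 "$1" 2>/dev/null | grep -q 'temporary wrapper script for \.libs/'
}

# find_libtool_wrappers DIR -> prints each offending path, returns 1 if any.
find_libtool_wrappers() {
    rc=0
    for f in "$1"/*; do
        if is_libtool_wrapper "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_bindir -> prints the path of a constructed sample tree holding
# one wrapper (banner text copied from the bug) and one ordinary script.
make_sample_bindir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/usr/bin/sh' '' \
        '# gdalinfo - temporary wrapper script for .libs/gdalinfo' \
        '# Generated by libtool (GNU libtool) 2.4.6' > "$d/gdalinfo"
    printf '%s\n' '#!/bin/sh' 'echo "not a wrapper"' > "$d/gdal-config"
    printf '%s\n' "$d"
}

# Demo on the constructed sample: report wrappers, then clean up.
sample=$(make_sample_bindir)
if ! find_libtool_wrappers "$sample"; then
    echo "FAIL: libtool wrappers packaged instead of real binaries" >&2
fi
rm -rf "$sample"
```

Run against the buildroot's bin directory during the package build (for instance from the spec's %check section), a non-zero return would stop a build that ships wrappers instead of binaries.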