[tor-bugs] #13062 [Tor bundles/installation]: Specifying tor's libevent and openssl directories adds -L/RPATH
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 5 04:03:46 UTC 2014
#13062: Specifying tor's libevent and openssl directories adds -L/RPATH
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: erinn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Resolution: | Keywords: tbb-security, gitian, TorBrowserTeam201409
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Description changed by mikeperry:
Old description:
> The configure script to Tor has arguments that allow the specification of
> a non-standard libevent and openssl (--with-libevent-dir=PATH and
> --with-openssl-dir=PATH). Unfortunately, these arguments also add -L to the
> linking step for these directories, which creates an RPATH entry in the
> resulting tor binary such that these directories become part of the
> library search path. For TBB, this results in creating the ability for
> code injection via creation of .so files in /home/ubuntu/install/, as
> reported by this troll`^W`concerned user:
> https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released#comment-74540
>
> I suppose we can set LD_LIBRARY_PATH and C_INCLUDE_PATH prior to
> configure/make instead, which I think will just cause gcc to search these
> directories during build without emitting an RPATH for them.
New description:
The configure script to Tor has arguments that allow the specification of
a non-standard libevent and openssl (--with-libevent-dir=PATH and
--with-openssl-dir=PATH). Unfortunately, these arguments also add -L to the
linking step for these directories, which creates an RPATH entry in the
resulting tor binary such that these directories become part of the
library search path. For TBB, this results in creating the ability for
code injection via creation of .so files in /home/ubuntu/install/, as
reported by this troll`^W`concerned user:
https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released#comment-74540

I suppose we can set LIBRARY_PATH and C_INCLUDE_PATH prior to
configure/make instead, which I think will just cause gcc to search these
directories during build without emitting an RPATH for them.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13062#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
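
Added example, not part of the ticket or of Tor's build scripts: a post-build check that reads `readelf -d` output for a built binary and lists RPATH/RUNPATH directories that are neither `$ORIGIN`-relative nor under a system library prefix. The trusted prefix list, the function names and the sample `readelf` rows (including the subdirectories under /home/ubuntu/install/) are assumptions constructed for illustration.

```python
import re
import subprocess

# Rows that `readelf -d` prints for DT_RPATH / DT_RUNPATH.
_ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

# Assumption: the only absolute directories the shipped binary may search.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample: what a binary carrying build-host paths would show.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/home/ubuntu/install/libevent/lib:/home/ubuntu/install/openssl/lib]
"""

def readelf_dynamic(binary_path):
    """Return the dynamic section of a real binary as text (needs binutils)."""
    return subprocess.run(["readelf", "-d", binary_path], check=True,
                          capture_output=True, text=True).stdout

def risky_search_dirs(dynamic_text, trusted=TRUSTED_PREFIXES):
    """List (tag, directory, reason) for each embedded search directory that
    is neither $ORIGIN-relative nor under a trusted system prefix."""
    findings = []
    for tag, value in _ENTRY.findall(dynamic_text):
        for directory in value.split(":"):
            if directory.startswith(("$ORIGIN", "${ORIGIN}")):
                continue  # resolved relative to the binary's own location
            if not directory.startswith("/"):
                findings.append((tag, directory, "not an absolute path"))
            elif not any(directory == p or directory.startswith(p + "/")
                         for p in trusted):
                findings.append((tag, directory, "outside trusted prefixes"))
    return findings

if __name__ == "__main__":
    for tag, directory, reason in risky_search_dirs(SAMPLE):
        print(f"{tag}: {directory!r} ({reason})")
```

In a build script, pass `readelf_dynamic(path_to_binary)` to `risky_search_dirs` and fail the build when the returned list is not empty.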