[tor-bugs] #13062 [Tor bundles/installation]: Specifying tor's libevent and openssl directories adds RPATH to resulting binary (was: Specifying tor's libevent and openssl directories adds -L/RPATH)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 5 04:08:25 UTC 2014


#13062: Specifying tor's libevent and openssl directories adds RPATH to resulting
binary
-------------------------------------+-------------------------------------
     Reporter:  mikeperry            |      Owner:  erinn
         Type:  defect               |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Tor                  |    Version:
  bundles/installation               |   Keywords:  tbb-security, gitian,
   Resolution:                       |  TorBrowserTeam201409
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------
Changes (by mikeperry):

 * cc: nickm (added)


Old description:

> The configure script to Tor has arguments that allow the specification of
> a non-standard libevent and openssl (--with-libevent-dir=PATH and
> --with-openssl-dir=PATH). Unfortunately, these arguments also add -L to the
> linking step for these directories, which creates an RPATH entry in the
> resulting tor binary such that these directories become part of the
> library search path. For TBB, this results in creating the ability for
> code injection via creation of .so files in /home/ubuntu/install/, as
> reported by this troll`^W`concerned user:
> https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released#comment-74540
>
> I suppose we can set LIBRARY_PATH and C_INCLUDE_PATH prior to
> configure/make instead, which I think will just cause gcc to search these
> directories during build without emitting an RPATH for them.

New description:

 The configure script to Tor has arguments that allow the specification of
 a non-standard libevent and openssl (--with-libevent-dir=PATH and
 --with-openssl-dir=PATH). Unfortunately, these arguments also add -rpath to the
 linking step for these directories, which creates an RPATH entry in the
 resulting tor binary such that these directories become part of the
 library search path. For TBB, this results in creating the ability for
 code injection via creation of .so files in /home/ubuntu/install/, as
 reported by this troll`^W`concerned user:
 https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released#comment-74540

 I suppose we can set LIBRARY_PATH and C_INCLUDE_PATH prior to
 configure/make instead, which I think will just cause gcc to search these
 directories during build without emitting an RPATH for them.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13062#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
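
A release-time check for the condition this ticket describes, as an added example that is not part of the ticket or of Tor's build scripts: it reads `readelf -d` output and flags RPATH/RUNPATH directories that lie outside system library locations. The trusted-prefix list, the function names and the sample output (including the subdirectories under /home/ubuntu/install/) are assumptions made for illustration.

```python
import re

# Assumption: prefixes this example treats as trusted system library locations.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Matches the RPATH / RUNPATH rows in `readelf -d` output.
ROW = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Constructed sample of `readelf -d` output for a binary linked with -rpath
# pointing into the build tree; library names and subdirectories are made up.
SAMPLE = """\
Dynamic section at offset 0x2d0e08 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libevent-2.0.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x000000000000000f (RPATH)              Library rpath: [/home/ubuntu/install/libevent/lib:/home/ubuntu/install/openssl/lib]
"""


def classify(entry):
    """Classify one directory from an RPATH/RUNPATH list."""
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin-relative"      # resolved next to the binary itself
    if not entry.startswith("/"):
        return "relative"             # depends on the working directory
    if any(entry == p or entry.startswith(p + "/") for p in TRUSTED_PREFIXES):
        return "system"
    return "untrusted-absolute"       # e.g. a leftover build-machine path


def audit(readelf_output):
    """Return (tag, directory, verdict) for every embedded search path."""
    return [(tag, entry, classify(entry))
            for tag, value in ROW.findall(readelf_output)
            for entry in value.split(":")]


def risky(findings):
    """Keep entries a release check should fail on."""
    return [f for f in findings if f[2] in ("relative", "untrusted-absolute")]


if __name__ == "__main__":
    for tag, directory, verdict in risky(audit(SAMPLE)):
        print(f"{tag}: {directory!r} -> {verdict}")
```

On a real build, pass the text printed by `readelf -d` for the tor binary to `audit()` and fail the release step if `risky()` returns anything.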

