[tor-bugs] #13062 [Tor bundles/installation]: Specifying tor's libevent and openssl directories adds -L/RPATH
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 5 03:59:44 UTC 2014
#13062: Specifying tor's libevent and openssl directories adds -L/RPATH
-------------------------------------------------+-------------------------
Reporter: mikeperry | Owner: erinn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: tbb-security, gitian, | Actual Points:
TorBrowserTeam201409 | Points:
Parent ID: |
-------------------------------------------------+-------------------------
The configure script to Tor has arguments that allow the specification of
a non-standard libevent and openssl (--with-libevent-dir=PATH and --with-
openssl-dir=PATH). Unfortunately, these arguments also add -L to the
linking step for these directories, which creates an RPATH entry in the
resulting tor binary such that these directories become part of the
library search path. For TBB, this results in creating the ability for
code injection via creation of .so files in /home/ubuntu/install/, as
reported by this troll`^W`concerned user:
https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-
released#comment-74540
I suppose we can set LD_LIBRARY_PATH and C_INCLUDE_PATH prior to
configure/make instead, which I think will just cause gcc to search these
directories during build without emitting an RPATH for them.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13062>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list