oss-sec mailing list archives
Re: Perl 5.32.0 mishandling of rpath and runpath tokens
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 20 Jul 2020 11:39:09 -0400
On Mon, Jul 20, 2020 at 10:57 AM Phil Pennock <oss-security-phil () spodhuis org> wrote:
> On 2020-07-20 at 04:33 -0400, Jeffrey Walton wrote:
>> On Mon, Jul 20, 2020 at 4:21 AM Jeffrey Walton <noloader () gmail com> wrote:
>>> -Wl,-R,$ORIGIN/../lib -Wl,-R,$HOME/tmp/ok2delete/lib
>>
>> My bad... It does not matter how this $ORIGIN token is quoted. Perl always expands it.
>
> I've encountered this in build systems before, where the quoting is inconsistent and apparently can result in different levels of dequoting for a target depending upon how it was reached.
>
> What I've used for building those has been to specify %ORIGIN instead of $ORIGIN and then binary-edit the resulting binary to switch that % back to a $. All quoting issues disappear and all binary offsets are stable. Just make sure the binary-edit step is before any binary signing. :)
>
> At some point, it's also worth considering static linking.

Yeah, I was doing the alternate character for a while. Then Perl came along and I could not figure out all the places it needed to be changed. They spray the rpath in more places than just Makefiles, and they build Makefiles on the fly. I found it's not a simple task to sed the alternate character back out after, say, configure.

Related, see https://sourceware.org/pipermail/binutils/2019-June/107108.html.

Jeff
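
The placeholder approach described in the quoted message above (link with %ORIGIN, then switch the % back to $ in the finished binary), as an added example that is not part of the original thread. The function names and the sample bytes are assumptions constructed here; only placeholders that start an rpath component are patched, so offsets and file size stay unchanged.

```python
import re

# Match %ORIGIN only where it starts an rpath component: after a NUL (start of
# a string-table entry) or ':' (component separator), and before '/', ':' or NUL.
# This leaves unrelated data such as the text "%ORIGINAL" untouched.
PLACEHOLDER = re.compile(rb"(?<=[\x00:])%ORIGIN(?=[/:\x00])")


def restore_origin(image: bytes) -> tuple[bytes, list[int]]:
    """Return (patched image, patched offsets); the length never changes."""
    offsets = [m.start() for m in PLACEHOLDER.finditer(image)]
    patched = PLACEHOLDER.sub(b"$ORIGIN", image)
    if len(patched) != len(image):
        raise RuntimeError("patch changed the image size")
    return patched, offsets


def patch_file(path: str) -> list[int]:
    """Patch a linked binary in place. Run this before any signing step."""
    with open(path, "rb") as fh:
        _, offsets = restore_origin(fh.read())
    if not offsets:
        # A silent no-op would ship a binary whose rpath is the literal %ORIGIN.
        raise RuntimeError(f"no %ORIGIN rpath placeholder found in {path}")
    with open(path, "r+b") as fh:  # in-place edit keeps mode and ownership
        for off in offsets:
            fh.seek(off)
            fh.write(b"$")
    return offsets


# Constructed sample standing in for part of a dynamic string table, as if the
# binary had been linked with -Wl,-R,%ORIGIN/../lib (hypothetical contents).
SAMPLE = (b"\x7fELF\x00libc.so.6\x00"
          b"%ORIGIN/../lib:%ORIGIN:/opt/lib\x00"
          b"usage: %ORIGINAL\x00")

if __name__ == "__main__":
    patched, offsets = restore_origin(SAMPLE)
    print(offsets, patched)
```

After patching, `readelf -d` on the binary shows whether the RPATH/RUNPATH entry now carries `$ORIGIN`.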