Package: debian-policy Severity: important Tags: patch Dear Maintainer,
The existing policy does not specify that the RPATH or RUNPATH (if present) should not contain relative paths or paths that traverse dangerous (eg world writable) directories. There is some discussion of this on the OSS-security list starting at: http://seclists.org/oss-sec/2014/q4/761 Example bugs that could be avoided with such a policy: https://bugs.debian.org/754278 https://bugs.debian.org/759868 See also: https://bugs.debian.org/458824 https://bugs.debian.org/555982 There is some good discussion in these last two reports but they are both stale (5 years). I suspect that this is because the scope of these proposals is quite broad. Therefore I'd like to propose a (hopefully uncontraversial) paragraph that addresses at least the security concern and that may provide a base for further refinements in the spirit of #458824 and #555982 as well as a raison d'etre for a future lintian check to help avoid these security exposures. (There is an existing check for RPATH in lintian (binary-or-shlib-defines-rpath) but it is only "Certainty: possible" due to possible caveats. Relative RPATH/RUNPATH on the other hand is slam-dunk certain). > 8.7 RUNPATH and RPATH > > Libraries and executables should not define RPATH or RUNPATH unless > absolutely necessary. > > Those that do should ensure that relative paths or paths that traverse > insecure directories (eg /tmp or /var/tmp) are not included. This > is to prevent an executable from loading a library from an untrusted > location. (This should include the corner cases whereby the path list > starts or ends with a colon, or includes two consecutive colons). -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org