Bug#468341: TOOLDIR path in /usr/bin/gccas and /usr/bin/gccld is incorrect.

Y Giridhar Appaji Nag giridhar at appaji.net
Thu Feb 28 13:11:27 UTC 2008 

Package: llvm
Version: 2.2-1
Severity: important

$ gccld
gccld: This tool is deprecated, please use llvm-ld
/usr/bin/gccld: line 23: /build/buildd/llvm-2.2/debian/tmp/usr/lib/llvm/bin/llvm-ld: No such file or directory
$ 
$ gccas
gccas: This tool is deprecated, please use opt
/usr/bin/gccas: line 64: /build/buildd/llvm-2.2/debian/tmp/usr/lib/llvm/bin/llvm-as: No such file or directory
/usr/bin/gccas: line 64: /build/buildd/llvm-2.2/debian/tmp/usr/lib/llvm/bin/opt: No such file or directory
$ 

This is because the TOOLDIR variable in /usr/bin/gccas and
/usr/bin/gccld has been taken from the build directory and not from the
prefix passed to configure when building.

Note that if the buildd was using a directory in /tmp for building, this
would be a serious security hole because anybody can install a malicious
program at /tmp/path/to/usr/lib/llvm/bin/{llvm-ld,llvm-as,opt} and gain
access to the account of the user using these programs.  Hence I am
marking this as being of severity important, but it would be grave if
any of the Debian buildd's (or your local build environment from which
you build the packages is under /tmp).

Giridhar

-- 
Y Giridhar Appaji Nag | http://www.appaji.net/

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (700, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages llvm depends on:
ii  binfmt-support          1.2.10           Support for extra binary formats
ii  libc6                   2.7-8            GNU C Library: Shared libraries
ii  libgcc1                 1:4.3-20080202-1 GCC support library
ii  libstdc++6              4.3-20080202-1   The GNU Standard C++ Library v3
ii  llvm-libs               2.2-1            common libraries for LLVM compiler

Versions of packages llvm recommends:
pn  llvm-cfe                      <none>     (no description available)

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-llvm-team/attachments/20080228/5ef519df/attachment-0001.pgp

More information about the Pkg-llvm-team mailing list