Jan de Groot 07-28-2011 12:26 PM

Buggy krb5-config script
 
This morning when Ionut was trying to update gtk3, he noticed that the
CUPS print backend would pull in libgcrypt, which is no longer needed,
as GnuTLS depends on nettle now instead of libgcrypt. This bug was
quickly resolved with a short patch from Fedora.

After fixing CUPS, we found out that CUPS would pull in a lot of other
libraries and weird CFLAGS in the cups-config output:

$ cups-config --libs
-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
-Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
-lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt

Notice the weird CFLAGS that are copied into the LDFLAGS now. These
flags don't come from CUPS, but from krb5:

$ CFLAGS=test krb5-config --libs
test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
-lkeyutils -lresolv -ldl

So it turns out krb5-config is plain wrong here. Fedora has a patch for
this:
http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD

Another quite useful patch would be this:
http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD

I'm not sure about the whole library fixup things they're doing in the
first patch, but most important will be the first section of the part
that is applied to krb5-config.in.

OK to apply this? As krb5 is a dependency of quite some packages, this
would reduce lots of unneeded libs in those packages.

Dave Reisner 07-28-2011 12:53 PM

On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> This morning when Ionut was trying to update gtk3, he noticed that the
> CUPS print backend would pull in libgcrypt, which is no longer needed,
> as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> quickly resolved with a short patch from Fedora.
>
> After fixing CUPS, we found out that CUPS would pull in a lot of other
> libraries and weird CFLAGS in the cups-config output:
>
> $ cups-config --libs
> -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
>
> Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> flags don't come from CUPS, but from krb5:
>
> $ CFLAGS=test krb5-config --libs
> test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> -lkeyutils -lresolv -ldl
>
> So it turns out krb5-config is plain wrong here. Fedora has a patch for
> this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
>
> Another quite useful patch would be this:
> http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
>
> I'm not sure about the whole library fixup things they're doing in the
> first patch, but most important will be the first section of the part
> that is applied to krb5-config.in.
>
> OK to apply this? As krb5 is a dependency of quite some packages, this
> would reduce lots of unneeded libs in those packages.

The second patch makes sense to me -- if we don't fix this, we'll have
to add all these useless deps to the packaging. The first patch mostly
just looks like standard hardening that Fedora does. I wouldn't be
opposed to this, pending Allan's input since we're looking at a global
rebuild in the near future (pacman4). I know that he's planning to
enable relro and PIE, but not -z,now iirc.

dave

Stéphane Gaudreault 07-28-2011 03:17 PM

On 28 July 2011 08:53:23, Dave Reisner wrote:
> On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > This morning when Ionut was trying to update gtk3, he noticed that the
> > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > quickly resolved with a short patch from Fedora.
> >
> > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > libraries and weird CFLAGS in the cups-config output:
> >
> > $ cups-config --libs
> > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> >
> > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > flags don't come from CUPS, but from krb5:
> >
> > $ CFLAGS=test krb5-config --libs
> > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > -lkeyutils -lresolv -ldl
> >
> > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> >
> > Another quite useful patch would be this:
> > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> >
> > I'm not sure about the whole library fixup things they're doing in the
> > first patch, but most important will be the first section of the part
> > that is applied to krb5-config.in.
> >
> > OK to apply this? As krb5 is a dependency of quite some packages, this
> > would reduce lots of unneeded libs in those packages.
>
> The second patch makes sense to me -- if we don't fix this, we'll have
> to add all these useless deps to the packaging. The first patch mostly
> just looks like standard hardening that Fedora does. I wouldn't be
> opposed to this, pending Allan's input since we're looking at a global
> rebuild in the near future (pacman4). I know that he's planning to
> enable relro and PIE, but not -z,now iirc.
>
> dave

It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned the
other one is just hardening stuff and it is not necessary at this time. I will
prepare an update later today.

Thanks for reporting this.

Stéphane

Stéphane Gaudreault 07-28-2011 04:06 PM

On 28 July 2011 11:17:48, Stéphane Gaudreault wrote:
> On 28 July 2011 08:53:23, Dave Reisner wrote:
> > On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > > This morning when Ionut was trying to update gtk3, he noticed that the
> > > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > > quickly resolved with a short patch from Fedora.
> > >
> > > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > > libraries and weird CFLAGS in the cups-config output:
> > >
> > > $ cups-config --libs
> > > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> > >
> > > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > > flags don't come from CUPS, but from krb5:
> > >
> > > $ CFLAGS=test krb5-config --libs
> > > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > > -lkeyutils -lresolv -ldl
> > >
> > > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > > this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> > >
> > > Another quite useful patch would be this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> > >
> > > I'm not sure about the whole library fixup things they're doing in the
> > > first patch, but most important will be the first section of the part
> > > that is applied to krb5-config.in.
> > >
> > > OK to apply this? As krb5 is a dependency of quite some packages, this
> > > would reduce lots of unneeded libs in those packages.
> >
> > The second patch makes sense to me -- if we don't fix this, we'll have
> > to add all these useless deps to the packaging. The first patch mostly
> > just looks like standard hardening that Fedora does. I wouldn't be
> > opposed to this, pending Allan's input since we're looking at a global
> > rebuild in the near future (pacman4). I know that he's planning to
> > enable relro and PIE, but not -z,now iirc.
> >
> > dave
>
> It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
> the other one is just hardening stuff and it is not necessary at this time.
> I will prepare an update later today.
>
> Thanks for reporting this.
>
> Stéphane

Patched krb5 gives

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err

instead of

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl

If it is what we want, then I will upload the pkg into testing.

Stéphane

Jan de Groot 07-28-2011 05:22 PM

On Thu, 2011-07-28 at 12:06 -0400, Stéphane Gaudreault wrote:
>
> > It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
> > the other one is just hardening stuff and it is not necessary at this time.
> > I will prepare an update later today.
> >
> > Thanks for reporting this.
> >
> > Stéphane
>
> Patched krb5 gives
>
> # krb5-config --libs
> -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
>
> instead of
>
> # krb5-config --libs
> -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl
>
> If it is what we want, then I will upload the pkg into testing.

That's better already, but what about this:
$ CFLAGS=test krb5-config --libs

I guess that will prepend "test" in front of your output.
The first patch fixes two things: hardening the libraries and fixing the
CFLAGS issues. The CFLAGS issue is fixed on lines 36-37 of the patch, so
if you don't want the hardening, you should apply that part of the
patch.
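
Added example (not part of the thread, and not krb5's or Arch's code): the `CFLAGS=test` probe from the posts above as a reusable check, plus a filter that lists the non-linker tokens in a `--libs` line. `buggy_config` and `fixed_config` are constructed stand-ins for krb5-config, modelled on the outputs quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# --libs line quoted in the thread (cups-config before the krb5 fix).
CUPS_LIBS='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
-Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
-lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'

# Constructed stand-ins for krb5-config, modelled on the outputs in the thread.
buggy_config() {   # unpatched: echoes the caller's $CFLAGS into --libs
    echo "$CFLAGS -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl"
}
fixed_config() {   # both fixes applied: linker arguments only
    echo "-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"
}

# Print the tokens of a --libs line that are not linker arguments.
# Exit status 0 means the line is clean. The body runs in a subshell so
# that `set -f` (no globbing while word-splitting) does not leak out.
non_linker_tokens() (
    set -f
    bad=
    for tok in $1; do
        case "$tok" in
            -l*|-L*|-Wl,*|-pthread) ;;
            *) bad="${bad:+$bad }$tok" ;;
        esac
    done
    printf '%s\n' "$bad"
    [ -z "$bad" ]
)

# The CFLAGS=test probe with a unique canary value.
# Returns 0 if the script leaks, 1 if clean, 2 if the script itself failed.
leaks_env_cflags() {
    canary="-DCANARY_$$"
    out=$(CFLAGS="$canary" "$@" --libs 2>/dev/null) || return 2
    case " $out " in
        *" $canary "*) return 0 ;;
        *) return 1 ;;
    esac
}

for cfg in buggy_config fixed_config; do
    if leaks_env_cflags "$cfg"; then echo "$cfg: CFLAGS leak into --libs"
    else echo "$cfg: clean"; fi
done
non_linker_tokens "$CUPS_LIBS" || echo "cups-config: compiler flags in --libs"
```

Against an installed script the probe is called as `leaks_env_cflags krb5-config`.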
