NetBSD-Bugs archive
lib/57227: 2023 audit of mistakenly obsoleted shared libraries
>Number: 57227
>Category: lib
>Synopsis: 2023 audit of mistakenly obsoleted shared libraries
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 13 11:35:00 +0000 2023
>Originator: Taylor R Campbell
>Release: 8, 9, 10, current
>Organization:
The NetBSD Foundobsoletion
>Environment:
raising the sea level
>Description:
From src/distrib/sets/lists/base/shl.mi:
# Note: Don't delete entries from here - mark them as "obsolete" instead,
# unless otherwise stated below.
#
# Note: Do not mark "old" major and major.minor shared libraries as
# "obsolete"; just remove the entry, as third-party applications
# may be linked against the old major shared library, and
# that is a symlink to the old major.minor shared library.
# e.g., "lib<name>.so.<N>" and "lib<name>.so.<N>.<M>"
# Exceptions to this rule may include shared libraries that
# are dlopen()ed at run-time, such as extra locales, etc.
There are a number of shared libraries marked obsolete in the set lists, which leads them to be deleted by postinstall.
Some of these libraries are correctly marked obsolete because they are strictly internal, e.g. libbfd, used by other NetBSD base binaries and libraries but not exposed to ld(1) for linking new programs.
Some of these libraries, however, have been exposed to ld(1) and must not be deleted because they may still be referenced by, e.g., pkgsrc-installed binaries and libraries. For example, I suspect libblacklist.so may fall in this category (renamed libblocklist.so), as well as . These entries should be deleted from the set lists, not marked obsolete -- that way postinstall will leave them alone.
And some libraries that _should_ be internal are mistakenly exposed. For example, I think libgomp is supposed to be gcc-internal, but we install a /usr/lib/libgomp.so symlink so ld(1) will pick it up.
We need to go through all of the set list entries for linkable shared libraries (excluding loadable modules for dlopen like radeon_dri.so, and perhaps rump modules for use with rump_server and rump_allserver) and:
1. Delete the dangerous obsolete lib*.so.* entries.
2. Consider obsoleting the lib*.so symlinks for libraries that should be internal. It should be safe for postinstall to effect the obsoletion by deleting these because they are used by ld(1) when linking binaries and libraries, not by ld.so(1) when loading them.
Finally, we should add a note about this distinction (internal libraries vs libraries with exposed lib*.so symlinks) to the shl.* set lists, and perhaps comment entries out instead of deleting them to make the history clearer.
>How-To-Repeat:
Run postinstall on a system with pkgsrc packages that were linked against libraries which have been obsoleted, like libblacklist.so.0.0.
>Fix:
Yes please!
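
Added example, not part of the original problem report and not NetBSD project code: a sketch of the audit described above, listing obsolete-marked lib*.so.* entries (flagging any whose soname is still referenced) and the lib*.so link names to review. It assumes the set-list layout of path, package and comma-separated keywords; the sample entries and the `needed` soname set are constructed.

```python
import re

# Constructed sample in the assumed set-list layout (path, package,
# comma-separated keywords); illustrative lines, not copied from shl.mi.
SAMPLE_SETLIST = """\
# constructed sample entries
./usr/lib/libblacklist.so.0\t\tbase-obsolete\t\tobsolete
./usr/lib/libblacklist.so.0.0\t\tbase-obsolete\t\tobsolete
./usr/lib/libblocklist.so.0\t\tbase-sys-shlib\t\tcompatfile
./usr/lib/libexample.so.3\t\tbase-sys-shlib\t\tcompatfile
./usr/lib/libgomp.so\t\t\tbase-sys-shlib\t\tcompatfile
./usr/lib/libgomp.so.1\t\t\tbase-sys-shlib\t\tcompatfile
./usr/lib/radeon_dri.so\t\t\tbase-obsolete\t\tobsolete
"""

VERSIONED = re.compile(r"^lib[^/]+\.so\.\d+(\.\d+)?$")  # lib<name>.so.<N>[.<M>]
LINK_NAME = re.compile(r"^lib[^/]+\.so$")               # lib<name>.so, used by ld(1)

def parse(text):
    """Yield (path, basename, keywords) for each non-comment entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keywords = set(fields[2].split(",")) if len(fields) > 2 else set()
        yield fields[0], fields[0].rsplit("/", 1)[-1], keywords

def audit(text, needed=()):
    """Classify entries; `needed` holds DT_NEEDED sonames seen in installed binaries."""
    report = {"obsolete_versioned": [], "still_needed": [], "link_names": []}
    for path, base, kw in parse(text):
        if VERSIONED.match(base) and "obsolete" in kw:
            report["obsolete_versioned"].append(path)   # postinstall would delete this
            if any(base == n or base.startswith(n + ".") for n in needed):
                report["still_needed"].append(path)     # deletion breaks a consumer
        elif LINK_NAME.match(base) and "obsolete" not in kw:
            report["link_names"].append(path)           # review: should it be internal?
    return report

if __name__ == "__main__":
    for kind, paths in audit(SAMPLE_SETLIST, {"libblacklist.so.0"}).items():
        print(kind, *paths, sep="\n  ")
```

Entries whose basename does not start with `lib`, such as the radeon_dri.so module, match neither pattern and are skipped, in line with the exclusion of dlopen modules in the report.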