[arch-dev-public] Buggy krb5-config script

Stéphane Gaudreault stephane at archlinux.org
Thu Jul 28 12:06:10 EDT 2011


On 28 July 2011 11:17:48, Stéphane Gaudreault wrote:
> On 28 July 2011 08:53:23, Dave Reisner wrote:
> > On Thu, Jul 28, 2011 at 02:26:28PM +0200, Jan de Groot wrote:
> > > This morning when Ionut was trying to update gtk3, he noticed that the
> > > CUPS print backend would pull in libgcrypt, which is no longer needed,
> > > as GnuTLS depends on nettle now instead of libgcrypt. This bug was
> > > quickly resolved with a short patch from Fedora.
> > > 
> > > After fixing CUPS, we found out that CUPS would pull in a lot of other
> > > libraries and weird CFLAGS in the cups-config output:
> > > 
> > > $ cups-config --libs
> > > -lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0
> > > -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE
> > > -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto
> > > -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt
> > > 
> > > Notice the weird CFLAGS that are copied into the LDFLAGS now. These
> > > flags don't come from CUPS, but from krb5:
> > > 
> > > CFLAGS=test krb5-config --libs
> > > $ CFLAGS=test krb5-config --libs
> > > test -Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err
> > > -lkeyutils -lresolv -ldl
> > > 
> > > So it turns out krb5-config is plain wrong here. Fedora has a patch for
> > > this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.9.1-buildconf.patch;h=85173cf833ab030f4ce787d01b1f5137fcd339a3;hb=HEAD
> > > 
> > > Another quite useful patch would be this:
> > > http://pkgs.fedoraproject.org/gitweb/?p=krb5.git;a=blob;f=krb5-1.7-nodeplibs.patch;h=e7f7c6834bb4273fdcca4b879dcb232596c1494e;hb=HEAD
> > > 
> > > I'm not sure about the whole library fixup things they're doing in the
> > > first patch, but most important will be the first section of the part
> > > that is applied to krb5-config.in.
> > > 
> > > OK to apply this? As krb5 is a dependency of quite some packages, this
> > > would reduce lots of unneeded libs those packages.
> > 
> > The second patch makes sense to me -- if we don't fix this, we'll have
> > to add all these useless deps to the packaging. The first patch mostly
> > just looks like standard hardening that Fedora does. I wouldn't be
> > opposed to this, pending Allan's input since we're looking at a global
> > rebuild in the near future (pacman4). I know that he's planning to
> > enable relro and PIE, but not -z,now iirc.
> > 
> > dave
> 
> It is ok for me to apply the krb5-1.7-nodeplibs patch. As Dave mentioned
> the other one is just hardening stuff and it is not necessary at this time.
> I will prepare an update later today.
> 
> Thanks for reporting this.
> 
> Stéphane

Patched krb5 gives

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err

instead of 

# krb5-config --libs
-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl

If it is what we want, then I will upload the pkg into testing.

Stéphane
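
The two checks done by hand in this thread (spotting compiler flags in `--libs` output, and probing with `CFLAGS=test`), written as a small shell audit. This is an added example, not part of the original message or of the krb5 or Arch packaging; the function names and the `leaky_config`/`clean_config` stand-ins are hypothetical, and the sample strings are the outputs quoted above.

```shell
#!/bin/sh
# Added example: checks for a *-config script's --libs output.

# Print every token that is not a linker argument (-l, -L, -Wl, -pthread).
non_linker_tokens() {
    out=
    for tok in $1; do
        case $tok in
            -l*|-L*|-Wl,*|-pthread) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Print the -l tokens present in $1 but absent from $2.
extra_libs() {
    out=
    for tok in $1; do
        case $tok in -l*) ;; *) continue ;; esac
        case " $2 " in
            *" $tok "*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Run "$@" with CFLAGS set to a marker; return 0 if the marker is echoed back.
leaks_cflags() {
    marker=__cflags_probe__
    case " $(CFLAGS=$marker "$@") " in
        *" $marker "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed stand-ins so the example runs offline (hypothetical names).
leaky_config() { echo "$CFLAGS -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"; }
clean_config() { echo "-Wl,--as-needed -lkrb5 -lk5crypto -lcom_err"; }

# Outputs quoted in the thread.
CUPS_LIBS='-lcups -march=x86-64 -mtune=generic -O2 -pipe -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DDBUS_API_SUBJECT_TO_CHANGE -Wl,--hash-style=gnu -Wl,--as-needed -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl -lz -lm -lcrypt'
KRB5_BEFORE='-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err -lkeyutils -lresolv -ldl'
KRB5_AFTER='-Wl,--hash-style=gnu -Wl,--as-needed -lkrb5 -lk5crypto -lcom_err'

echo "compiler flags in cups-config --libs: $(non_linker_tokens "$CUPS_LIBS")"
echo "libs dropped by the patched krb5-config: $(extra_libs "$KRB5_BEFORE" "$KRB5_AFTER")"
leaks_cflags leaky_config && echo "leaky_config: CFLAGS leak into --libs"
leaks_cflags clean_config || echo "clean_config: no leak"
```

On a real system, `leaks_cflags krb5-config --libs` runs the same probe against the installed script.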



