NetBSD Problem Report #57227

From www@netbsd.org  Mon Feb 13 11:34:31 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 9A7FC1A9239
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 13 Feb 2023 11:34:31 +0000 (UTC)
Message-Id: <20230213113430.367E71A923A@mollari.NetBSD.org>
Date: Mon, 13 Feb 2023 11:34:30 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: 2023 audit of mistakenly obsoleted shared libraries
X-Send-Pr-Version: www-1.0

>Number:         57227
>Category:       lib
>Synopsis:       2023 audit of mistakenly obsoleted shared libraries
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 13 11:35:00 +0000 2023
>Last-Modified:  Mon Feb 13 14:15:02 +0000 2023
>Originator:     Taylor R Campbell
>Release:        8, 9, 10, current
>Organization:
The NetBSD Foundobsoletion
>Environment:
raising the sea level
>Description:
From src/distrib/sets/lists/base/shl.mi:

# Note: Don't delete entries from here - mark them as "obsolete" instead,
#       unless otherwise stated below.
#
# Note: Do not mark "old" major and major.minor shared libraries as
#       "obsolete"; just remove the entry, as third-party applications
#       may be linked against the old major shared library, and
#       that is a symlink to the old major.minor shared library.
#       e.g., "lib<name>.so.<N>" and "lib<name>.so.<N>.<M>"
#       Exceptions to this rule may include shared libraries that
#       are dlopen()ed at run-time, such as extra locales, etc.

There are a number of shared libraries marked obsolete in the set lists, which leads them to be deleted by postinstall.

Some of these libraries are correctly marked obsolete because they are strictly internal, e.g. libbfd, used by other NetBSD base binaries and libraries but not exposed to ld(1) for linking new programs.

Some of these libraries, however, have been exposed to ld(1) and must not be deleted because they may still be referenced by, e.g., pkgsrc-installed binaries and libraries.  For example, I suspect libblacklist.so may fall in this category (renamed libblocklist.so), as well as .  These entries should be deleted from the set lists, not marked obsolete -- that way postinstall will leave them alone.

And some libraries that _should_ be internal are mistakenly exposed.  For example, I think libgomp is supposed to be gcc-internal, but we install a /usr/lib/libgomp.so symlink so ld(1) will pick it up.

We need to go through all of the set list entries for linkable shared libraries (excluding loadable modules for dlopen like radeon_dri.so, and perhaps rump modules for use with rump_server and rump_allserver) and:

1. Delete the dangerous obsolete lib*.so.* entries.
2. Consider obsoleting the lib*.so symlinks for libraries that should be internal.  It should be safe for postinstall to effect the obsoletion by deleting these because they are used by ld(1) when linking binaries and libraries, not by ld.so(1) when loading them.

Finally, we should add a note about this distinction (internal libraries vs libraries with exposed lib*.so symlinks) to the shl.* set lists, and perhaps comment entries out instead of deleting them to make the history clearer.
>How-To-Repeat:
Run postinstall on a system with pkgsrc packages that were linked against libraries which have been obsoleted, like libblacklist.so.0.0.
>Fix:
Yes please!

>Audit-Trail:
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@netbsd.org
Cc: lib-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: lib/57227: 2023 audit of mistakenly obsoleted shared libraries
Date: Mon, 13 Feb 2023 15:10:34 +0100

 Am Mon, Feb 13, 2023 at 11:35:01AM +0000 schrieb campbell+netbsd@mumble.net:
 > For example, I think libgomp is supposed to be gcc-internal, but we install a /usr/lib/libgomp.so symlink so ld(1) will pick it up.

 libgomp is the OpenMP runtime, similar to libstdc++ being the C++ STL.

 Joerg

Home	PR Database Search