NetBSD Problem Report #58841

From www@netbsd.org  Thu Nov 21 23:02:37 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id E6E9B1A9238
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 21 Nov 2024 23:02:36 +0000 (UTC)
Message-Id: <20241121230235.C18461A923E@mollari.NetBSD.org>
Date: Thu, 21 Nov 2024 23:02:35 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: liblzma leaks private symbols
X-Send-Pr-Version: www-1.0

>Number:         58841
>Category:       lib
>Synopsis:       liblzma leaks private symbols
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 21 23:05:00 +0000 2024
>Last-Modified:  Fri Nov 22 16:10:03 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NetBXZ Foundasymbol
>Environment:
>Description:
Upstream builds liblzma.so with -fvisibility=hidden but we don't, so various library-internal symbols -- named lzma_* to avoid namespace collisions -- are exported when they probably shouldn't be, like lzma_rc_prices.
>How-To-Repeat:
nm, code inspection
>Fix:
use -fvisibility=hidden, update expected symbols list, bump major

>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58841 CVS commit: src/external/public-domain/xz/lib
Date: Fri, 22 Nov 2024 16:07:10 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Fri Nov 22 16:07:10 UTC 2024

 Modified Files:
 	src/external/public-domain/xz/lib: Makefile lzma.expsym

 Log Message:
 liblzma: Build with -fvisibility=hidden like upstream.

 Intentional exports are marked upstream with
 __attribute__((__visibility__("default"))).

 This has the effect of deleting symbols, but I'm not bumping the
 major right now, and I am considering pullup, because none of the
 deleted symbols has ever been declared in the public .h files, so
 these symbols can only be used by either (a) reaching into places
 applications shouldn't, or (b) accidental namespace collisions.

 PR lib/58841: liblzma leaks private symbols

 Should fix big-endian builds after recent changes for:

 PR lib/58838: shared libraries in base should all have expsym lists


 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.12 src/external/public-domain/xz/lib/Makefile
 cvs rdiff -u -r1.1 -r1.2 src/external/public-domain/xz/lib/lzma.expsym

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
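
The check named under How-To-Repeat (nm output compared against an expected symbols list), as an added example that is not part of this PR or of NetBSD's build system. The nm output and the list are constructed samples, `lzma_internal_example` is a hypothetical name, and the one-name-per-line list format is an assumption.

```shell
#!/bin/sh
# Added example: check a library's dynamic exports against an expected list.
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# exported_symbols NMFILE: names of defined global/weak dynamic symbols.
# NMFILE holds `nm -D` output, "<address> <type> <name>". Undefined ("U")
# entries have no address; absolute ("A") entries are version tags, not code.
exported_symbols() {
    awk 'NF == 3 && $2 ~ /^[TDBRGSVWi]$/ { sub(/@.*/, "", $3); print $3 }' "$1" |
        sort -u
}

# expected_symbols LIST: assumed format, one name per line, "#" comments.
expected_symbols() {
    grep -v -e '^#' -e '^$' "$1" | sort -u
}

# _diff_exports COMM_FLAGS NMFILE LIST
_diff_exports() {
    _got=$(mktemp) _want=$(mktemp)
    exported_symbols "$2" > "$_got"
    expected_symbols "$3" > "$_want"
    comm "$1" "$_got" "$_want"
    rm -f "$_got" "$_want"
}
leaked_exports()  { _diff_exports -23 "$1" "$2"; }  # exported, not listed
missing_exports() { _diff_exports -13 "$1" "$2"; }  # listed, not exported

# make_sample DIR: write constructed sample inputs (not real build output).
make_sample() {
    cat > "$1/nm.out" <<'EOF'
0000000000000000 A XZ_5.0
0000000000004a10 T lzma_code
0000000000004c20 T lzma_end
0000000000005100 T lzma_easy_encoder@@XZ_5.0
0000000000006200 T lzma_internal_example
0000000000012000 R lzma_rc_prices
                 U memcpy
EOF
    printf '%s\n' '# public API only' lzma_code lzma_easy_encoder \
        lzma_end lzma_stream_decoder > "$1/expected.sym"
}

dir=$(mktemp -d)
make_sample "$dir"
echo "leaked:";  leaked_exports  "$dir/nm.out" "$dir/expected.sym"
echo "missing:"; missing_exports "$dir/nm.out" "$dir/expected.sym"
rm -rf "$dir"
```

Against a real build, replace the sample with the output of `nm -D` on the installed library; an empty result from both functions means the exports match the list.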

Copyright © 1994-2024 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.