commit:     65423dc00cf49422061d3d6ee4ca2143bd3ca1b1
Author:     Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 21 12:04:16 2020 +0000
Commit:     Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Sat Nov 21 12:04:16 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65423dc0

profiles/base: Restore bundled-libjpeg-turbo USE mask for net-im/zoom.

The libturbojpeg.so bundled with >=zoom-5.3 has an empty DT_RPATH
(see output of "readelf -d" or "scanelf -r"). This is insecure
because the loader will search the working directory when it finds
an empty path.

Bug: https://bugs.gentoo.org/715106
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>

 profiles/base/package.use.mask | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/profiles/base/package.use.mask b/profiles/base/package.use.mask
index 8c38a335cfc..333877fee6f 100644
--- a/profiles/base/package.use.mask
+++ b/profiles/base/package.use.mask
@@ -116,6 +116,14 @@ dev-util/meson test
 # Requires dev-vcs/ghp-import that is masked for removal.
 www-apps/nikola ghpages
 
+# Ulrich Müller <u...@gentoo.org> (2020-04-08, 2020-11-21)
+# Old versions of libjpeg-turbo have known security issues.
+# The version included with >=zoom-5.3 has an empty DT_RPATH,
+# which is insecure because the loader will search the working
+# directory when it finds an empty path.
+# Use the bundled lib on your own risk. Bug #715106.
+net-im/zoom bundled-libjpeg-turbo
+
 # Alfredo Tupone <tup...@gentoo.org> (2020-04-04)
 # Ada support is not yet ready for sys-deve/gcc
 sys-devel/gcc ada
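Review bot: in the added comment block, "Use the bundled lib on your own risk" should read "at your own risk". The atom on the mask line, net-im/zoom, carries no version bound, while the comment gives two reasons with different scope: old libjpeg-turbo versions with known issues, and the empty DT_RPATH in >=zoom-5.3. A short statement that the two together cover every version, and under what condition the mask can be lifted, would save the next editor from having to reconstruct that from Bug #715106.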

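The check the commit message points to ("readelf -d") can be automated. The following is an added example, not part of the commit or of Gentoo's tooling. It scans readelf -d output for RPATH/RUNPATH entries that are empty or relative. Treating empty components of a colon-separated list and relative paths the same way as the empty path the commit describes is an assumption of this example. The function names and the sample output are constructed for illustration.

```python
import re

# Matches the RPATH/RUNPATH rows printed by "readelf -d", e.g.
#  0x000000000000000f (RPATH)              Library rpath: []
_ROW = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def insecure_entries(path_list):
    """Return the components of a DT_RPATH/DT_RUNPATH string that can
    resolve relative to the process working directory."""
    bad = []
    for entry in path_list.split(":"):
        if entry == "":
            # An empty path (or empty list component) is the case the
            # commit message describes.
            bad.append("<empty>")
        elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
            continue  # resolved relative to the object's own location
        elif not entry.startswith("/"):
            bad.append(entry)  # relative path, depends on the cwd
    return bad


def audit(readelf_output):
    """Return (tag, entry) pairs for every insecure search-path entry."""
    findings = []
    for line in readelf_output.splitlines():
        match = _ROW.search(line)
        if match:
            tag, value = match.groups()
            findings.extend((tag, entry) for entry in insecure_entries(value))
    return findings


# Constructed sample output (not taken from the real zoom package).
SAMPLE_EMPTY = """\
Dynamic section at offset 0x2e08 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: []
"""
SAMPLE_MIXED = """\
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/lib::build/lib:/usr/lib64]
"""

if __name__ == "__main__":
    for name, sample in (("empty", SAMPLE_EMPTY), ("mixed", SAMPLE_MIXED)):
        print(name, audit(sample))
```

To use it on a real file, pass the text printed by readelf -d for that file to audit().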