#14979 closed enhancement (worksforme)
Rust shared libraries may be ineffective
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 11.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
When we build rustc with system llvm, we have

    # When using system llvm prefer shared libraries
    link-shared = true

but a look at the standard library in BLFS-10.1 shows that it is called '/opt/rustc/lib/libstd-48d374b27c3276a7.so' and using ldd on programs which used rust suggests that none of them link to this, i.e. the required items are pulled in during the build.
That means that when CVE vulnerabilities are raised against the rust stdlib, upgrading rust to a fixed version is insufficient: all the packages which use rust may need to be rebuilt to be sure they do not pull in the old code.
This might also mean that using system llvm brings few benefits.
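The description above relies on running `ldd` by hand to see whether a program loads `libstd-*.so`. The following Python check is an added example for this ticket (not code from BLFS or the rustc project) that turns that observation into a repeatable triage step for a stdlib security fix: a program whose `ldd` output names a `libstd-<hash>.so` picks up a replaced shared library at run time, while a program that carries no such entry but still embeds rustc's `/rustc/<commit>/library/` source paths (the form the official toolchains use for std panic locations; treated here as an assumption) has the standard library linked in statically and needs a rebuild. The `ldd` text and ELF fragments below are constructed samples, not real program output, and the function names are this example's own.

```python
"""Triage which installed programs need a rebuild after a Rust stdlib fix.

Added example for this ticket; not BLFS or rustc project code.
Two conservative heuristics:
  1. ldd output: a DT_NEEDED entry matching libstd-<16 hex>.so means the
     program loads the shared standard library, so replacing that .so
     reaches it without a rebuild.
  2. Embedded paths: rustc records std panic locations as
     /rustc/<40-hex commit>/library/... (assumed, as in official
     toolchains); that marker without a libstd DT_NEEDED entry means std
     was linked statically and the package must be rebuilt.
"""
import re
import subprocess
from pathlib import Path

STD_SONAME = re.compile(r"libstd-[0-9a-f]{16}\.so")
RUSTC_PATH = re.compile(rb"/rustc/([0-9a-f]{40})/library/")


def std_sonames(ldd_output: str) -> list[str]:
    """libstd-*.so names that ldd reports, deduplicated in first-seen order."""
    seen: list[str] = []
    for m in STD_SONAME.finditer(ldd_output):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def rustc_commits(data: bytes) -> set[str]:
    """rustc commit hashes embedded via /rustc/<hash>/library/ source paths."""
    return {m.group(1).decode() for m in RUSTC_PATH.finditer(data)}


def classify(ldd_output: str, data: bytes) -> str:
    """'shared-std', 'static-std' or 'no-rust-evidence' for one program."""
    if std_sonames(ldd_output):
        return "shared-std"  # fixed by replacing the libstd .so
    if rustc_commits(data):
        return "static-std"  # rebuild required to pick up a fix
    return "no-rust-evidence"


def needs_rebuild(ldd_output: str, data: bytes) -> bool:
    return classify(ldd_output, data) == "static-std"


def classify_file(path: Path) -> str:
    """Run the real ldd on a file and classify it (not used by the samples)."""
    ldd = subprocess.run(["ldd", str(path)], capture_output=True, text=True)
    return classify(ldd.stdout, path.read_bytes())


# Constructed samples (not real program output).
LDD_SHARED = (
    "\tlinux-vdso.so.1 (0x00007ffd3a1f0000)\n"
    "\tlibstd-48d374b27c3276a7.so => /opt/rustc/lib/libstd-48d374b27c3276a7.so (0x00007f1c2c000000)\n"
    "\tlibgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f1c2bde0000)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1c2bc00000)\n"
)
LDD_STATIC = (
    "\tlinux-vdso.so.1 (0x00007ffd3a1f0000)\n"
    "\tlibgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f1c2bde0000)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f1c2bc00000)\n"
)
# Made-up 40-hex "commit" inside a fragment shaped like an embedded panic path.
STATIC_BLOB = (
    b"\x7fELF\x00\x00\x00\x00"
    b"/rustc/0123456789abcdef0123456789abcdef01234567/library/core/src/option.rs\x00"
)
PLAIN_BLOB = b"\x7fELF\x00\x00\x00\x00hello, world\x00"

if __name__ == "__main__":
    import sys

    # Usage: python triage.py /usr/bin/prog1 /usr/lib/libfoo.so ...
    for p in map(Path, sys.argv[1:]):
        print(f"{p}: {classify_file(p)}")
```

Run it over the binaries of every package that was built with rustc; anything reported as `static-std` is on the rebuild list regardless of what the package's `ldd` output looks like, which is exactly the gap the description points out.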
Change History (5)
comment:1 by , 4 years ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
follow-up: 3 comment:2 by , 4 years ago
follow-up: 4 comment:3 by , 4 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | assigned → closed |
Replying to Xi Ruoyao:
> Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.

Yes, for BLFS I think you are right. I've just killed seamonkey, hid /opt/rustc/lib/libstd-48d374b27c3276a7.so and started seamonkey - able to restore previous session and use it. In the past I've switched between our current rustc and a newer version to build the latest firefox beta (I haven't needed to do that recently): firefox-esr and cbindgen, both built against the older rust, continued to work.

Fedora say that everything built against a vulnerable version of rust needs to be rebuilt, but for the few packages in BLFS I don't think that is necessary.

> I think the reason using system LLVM is just "building LLVM twice is stupid".

Yes.

I now think that the shared rust libs save build space and are worth using.
comment:4 by , 4 years ago
Replying to ken@…:
> Replying to Xi Ruoyao:
> > Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.
>
> Yes, for BLFS I think you are right. I've just killed seamonkey, hid /opt/rustc/lib/libstd-48d374b27c3276a7.so and started seamonkey - able to restore previous session and use it. In the past I've switched between our current rustc and a newer version to build the latest firefox beta (I haven't needed to do that recently): firefox-esr and cbindgen, both built against the older rust, continued to work.
>
> Fedora say that everything built against a vulnerable version of rust needs to be rebuilt, but for the few packages in BLFS I don't think that is necessary.

I don't think it's necessary either. This bug with CVE is triggered if panic() is used in something's drop() method. But if a library (librsvg and libmozjs) or a web browser (firefox) invokes panic() in its normal operation, this is already a bug in the library/browser code anyway.

> > Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.
> > I think the reason using system LLVM is just "building LLVM twice is stupid".