Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#14979 closed enhancement (worksforme)

Rust shared libraries may be ineffective

Reported by: ken@… Owned by: ken@…
Priority: normal Milestone: 10.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

When we build rustc with system llvm, we have

# When using system llvm prefer shared libraries
link-shared = true

but a look at the standard library in BLFS-10.1 shows that it is called '/opt/rustc/lib/libstd-48d374b27c3276a7.so' and using ldd on programs which used rust suggests that none of them link to this, i.e. the required items are pulled in during the build.

That means that when CVE vulnerabilities are raised against the rust stdlib, upgrading rust to a fixed version is insufficient, all the packages which use rust may need to be rebuilt to be sure they do not pull in the old code.

This might also mean that using system llvm brings few benefits.
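A practical way to settle the question the description raises is to look at the ELF `NEEDED` entries rather than at `ldd` output alone: a program that will pick up a fixed `libstd` from a rustc upgrade carries a `NEEDED` entry for `libstd-<hash>.so`, while one with std linked statically (rustc's default) has no such entry and can only be fixed by a rebuild. The script below is an added example, not part of the ticket or of the BLFS book; it assumes `readelf` from binutils is installed and that the shared standard library is named `libstd-<hash>.so` as in `/opt/rustc/lib/libstd-48d374b27c3276a7.so`. The two `readelf -d` samples embedded in it are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the BLFS ticket or book): classify installed
# binaries by whether they dynamically link the Rust standard library.
# Assumes readelf (binutils) is available and libstd is named libstd-<hash>.so.

# Print the NEEDED shared-object names from `readelf -d` output read on stdin.
needed_libs() {
    sed -n 's/.*(NEEDED)[^[]*\[\([^]]*\)\].*/\1/p'
}

# Succeed if the NEEDED list on stdin contains a Rust libstd.
mentions_rust_std() {
    grep -q '^libstd-[0-9a-f]*\.so$'
}

# Read `readelf -d` output on stdin and print one word:
#   shared          - std comes from libstd-<hash>.so; a rustc upgrade fixes it
#   static-or-none  - std is compiled in (or absent); only a rebuild changes it
classify_needed() {
    if needed_libs | mentions_rust_std; then
        echo shared
    else
        echo static-or-none
    fi
}

# Classify one ELF binary on disk.
classify_binary() {
    command -v readelf >/dev/null 2>&1 || {
        echo "readelf not found; install binutils" >&2
        return 2
    }
    printf '%s: %s\n' "$1" "$(readelf -d "$1" 2>/dev/null | classify_needed)"
}

# Constructed sample: a rustc-built program linked with -C prefer-dynamic.
SAMPLE_SHARED='Dynamic section at offset 0x2d88 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libstd-48d374b27c3276a7.so]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed sample: the usual case, std linked statically into the binary.
SAMPLE_STATIC='Dynamic section at offset 0x2d88 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Usage: sh classify-rust-std.sh /usr/bin/cbindgen /usr/lib/librsvg-2.so ...
# Anything reported as static-or-none must be rebuilt after a std CVE fix.
for bin in "$@"; do
    classify_binary "$bin"
done
```

Run it over the Rust-built packages on the system (cbindgen, librsvg, mozjs, firefox, seamonkey) after a rustc upgrade: only the binaries reported as `shared` are actually covered by the new `/opt/rustc/lib/libstd-*.so`; the rest still contain the old std code and need rebuilding if the fix matters to them.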

Change History (4)

comment:1 by ken@…, 3 months ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by Xi Ruoyao, 3 months ago

Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.

I think the reason using system LLVM is just "building LLVM twice is stupid".

in reply to: 2; comment:3 by ken@…, 3 months ago

Resolution: worksforme
Status: assigned → closed

Replying to Xi Ruoyao:

Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.

Yes, for BLFS I think you are right. I've just killed seamonkey, hid /opt/rustc/lib/libstd-48d374b27c3276a7.so and started seamonkey - able to restore previous session and use it. In the past I've switched between our current rustc and a newer version to build the latest firefox beta (not needed to do that recently): firefox-esr and cbindgen, both built against the older rust, continued to work.

Fedora say that everything built against a vulnerable version of rust needs to be rebuilt, but for the few packages in BLFS I don't think that is necessary.

I think the reason using system LLVM is just "building LLVM twice is stupid".

Yes.

I now think that the shared rust libs save build space and are worth using.

in reply to: 3; comment:4 by Xi Ruoyao, 3 months ago

Replying to ken@…:

Replying to Xi Ruoyao:

Only rustc itself links to libLLVM.so. The programs compiled by rustc (generally) don't use LLVM.

Yes, for BLFS I think you are right. I've just killed seamonkey, hid /opt/rustc/lib/libstd-48d374b27c3276a7.so and started seamonkey - able to restore previous session and use it. In the past I've switched between our current rustc and a newer version to build the latest firefox beta (not needed to do that recently): firefox-esr and cbindgen, both built against the older rust, continued to work.

Fedora say that everything built against a vulnerable version of rust needs to be rebuilt, but for the few packages in BLFS I don't think that is necessary.

I don't think it's necessary either. This bug with CVE is triggered if panic() is used in something's drop() method. But if a library (librsvg and libmozjs) or a web browser (firefox) invokes panic() in its normal operation, this is already a bug in the library/browser code anyway.
