
v2025.05: sof-ctl introduces Security problem NULL DT_RUNPATH

Open pacho2 opened this issue 7 months ago • 8 comments

Hello,

While trying to package the last version of SOF firmware for Gentoo: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-firmware/sof-firmware

I noticed that, starting from this new 2025.05 version, we get this warning:

scanelf: rpath_security_checks(): Security problem NULL DT_RUNPATH in /var/tmp/portage/sys-firmware/sof-firmware-2025.05/image/usr/bin/sof-ctl

Something changed in the generated binary, as the previous binary provided in 2025.01.1 has no warning at all.

Thanks a lot for your help.

pacho2 avatar Jun 20 '25 15:06 pacho2
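
To show what kind of entry a warning like the one above reacts to, here is an added example (not code from scanelf, Gentoo or the SOF project) that audits RPATH/RUNPATH values as printed by `readelf -d`. The sample lines, the paths in them and the classification labels are constructed; the rule that an empty entry is a problem because a loader may resolve it as the current directory is an assumption of this sketch.

```python
import re

# Constructed `readelf -d` excerpts (not taken from the sof-ctl binary).
SAMPLE_EMPTY = " 0x000000000000001d (RUNPATH)            Library runpath: []"
SAMPLE_MIXED = (" 0x000000000000001d (RUNPATH)            "
                "Library runpath: [/usr/lib64:$ORIGIN/../lib::build/alsa/lib]")
SAMPLE_RPATH = " 0x000000000000000f (RPATH)              Library rpath: [/opt/sdk/lib]"

_ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def classify(component):
    """Label one search-path component by how risky it is to ship."""
    if component == "":
        # Assumption: an empty entry may be resolved as the current directory.
        return "null"
    if component.startswith(("$ORIGIN", "${ORIGIN}")):
        return "origin"    # relative to the binary; a concern on setuid/setgid files
    if component.startswith("/"):
        return "absolute"
    return "relative"      # depends on the caller's working directory


def audit_dynamic_section(readelf_output):
    """Return [(tag, component, label)] for every RPATH/RUNPATH component."""
    findings = []
    for line in readelf_output.splitlines():
        match = _ENTRY.search(line)
        if not match:
            continue
        tag, value = match.groups()
        # An empty value splits to [""], so "[]" is reported as one null entry.
        for component in value.split(":"):
            findings.append((tag, component, classify(component)))
    return findings


def problems(readelf_output):
    """Only the components a packaging QA check should reject."""
    return [f for f in audit_dynamic_section(readelf_output)
            if f[2] in ("null", "relative")]


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_MIXED, SAMPLE_RPATH):
        print(problems(sample) or "clean")
```
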

The SDK has been updated to build with a local ALSA git repo instead of an ALSA release. Looks like this can be fixed with a make deploy rule that builds sof-ctl with the system ALSA library, OR we don't build sof-ctl with local ALSA.

lgirdwood avatar Jun 25 '25 16:06 lgirdwood

This should fix the issue, let's see if it passes CI with the current CI infra. https://github.com/thesofproject/sof/pull/10073

lgirdwood avatar Jun 27 '25 13:06 lgirdwood

@pacho2, also to note that the tools USE flag can be optional, these binaries are not needed for users, they are useful for developers or for debugging.

ujfalusi avatar Jul 04 '25 08:07 ujfalusi

> @pacho2, also to note that the tools USE flag can be optional, these binaries are not needed for users, they are useful for developers or for debugging.

Yes, I am the downstream maintainer ;) ... but, following our QA policies, I would need to ignore those warnings forever. Sometimes we need to do that... but it is better if it can be fixed in another way :)

pacho2 avatar Jul 05 '25 08:07 pacho2

This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.

github-actions[bot] avatar Sep 04 '25 02:09 github-actions[bot]

It is still valid with the latest version. Thanks

pacho2 avatar Sep 11 '25 13:09 pacho2

This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time.

github-actions[bot] avatar Nov 15 '25 02:11 github-actions[bot]

It is still valid

pacho2 avatar Nov 22 '25 08:11 pacho2