-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build path leaking into various files shipped in the frida packages #3
Comments
CyrilBrulebois
added a commit
to PiRogueToolSuite/debian-12
that referenced
this issue
Aug 10, 2024
Automatically packaged by deb-frido, after detecting and fixing the critical issue regarding the installation path for two files (frida-core-1.0.deps and frida-core-1.0.vapi). The issue regarding the build path's leaking into the built binary packages remains, but t isn't a regression in this upstream series. Link: PiRogueToolSuite/deb-frida#3
CyrilBrulebois
added a commit
that referenced
this issue
Aug 13, 2024
By default a sourceRoot property is embedded in various files, referencing the full path to the top-level build directory: $ grep $(pwd) -rl debian/frida debian/frida/usr/lib/x86_64-linux-gnu/libfrida-core-1.0.a debian/frida/usr/lib/python3/dist-packages/frida/_frida.abi3.so debian/frida/usr/lib/python3/dist-packages/frida_tools/fs_agent.js debian/frida/usr/lib/python3/dist-packages/frida_tools/itracer_agent.js Link: #3
That patch seems to do the trick for both JS files, as well as for the static library and the Python module. @U039b: The question is whether to redo e.g. the whole 16.4.* series of builds with it, or if wait until after 16.4.8 has been tested/integrated as it is, and only do that for further builds? I've just verified the patch still applies cleanly to 16.4.8 and does its job there as well. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Spotted while working on automating Frida builds for the 16.4.* series:
/home/kibi/deb-frida/…
), namelyfrida-core-1.0.deps
andfrida-core-1.0.vapi
. Fixing the build system didn't seem easy so I went for a workaround: fixing location and one reference (from a.pc
file) afterdh_auto_install
.This issue is about that second topic: it seems one Node package is used to bundle a lot of things together, optionally including a
sourceRoot
setting in there. It would be best to turn that off if at all possible, but it seems likely that we're only leaking the “we built this package under that directory” information (possibly making reproducible builds harder, but remember an SDK+toolchain download are already in the picture).After a successful build, the list of files can be built this way:
Amusingly, the static library and dynamic library (the Python module) embed the same kind of payload as can be seen in Javascript files…
The text was updated successfully, but these errors were encountered: