I ran a script to run lddtree -vx on all the binaries in an amd64-generic ToT CrOS image and have included the set of unique values for runpath below. Note that u'' is not listed so we shouldn't be directly affected by this issue.

  ldpaths[runpath] = []
  ldpaths[runpath] = [u'/tmp/m/opt/google/chrome']
  ldpaths[runpath] = [u'/tmp/m/usr/bin/lib']
  ldpaths[runpath] = [u'/tmp/m/usr/sbin/lib']
  ldpaths[runpath] = [u'/usr/lib64']
  ldpaths[runpath] = [u'/usr/lib64/binutils/x86_64-cros-linux-gnu/2.27.0']
  ldpaths[runpath] = [u'/usr/lib64/elfutils']
  ldpaths[runpath] = [u'/usr/lib64/ipsec']
  ldpaths[runpath] = [u'/usr/lib64/ldb', u'/usr/lib64']
  ldpaths[runpath] = [u'/usr/lib64/perl5/5.24.0/x86_64-linux/CORE']
  ldpaths[runpath] = [u'/usr/lib64/samba']
  ldpaths[runpath] = [u'/usr/lib64/samba', u'/usr/lib64']
  ldpaths[runpath] = [u'/usr/lib64/tevent', u'/usr/lib64']
  ldpaths[runpath] = [u'/usr/libexec/sudo']

yeah i don't think this has an impact on us.  CL is up here:
  https://chromium-review.googlesource.com/854769

Lakitu has two binaries which has rpath set to $ORIGIN
/usr/lib64/gconv/UHC.so and  /usr/lib64/gconv/JOHAB.so

Fortunately lakitu has two setuid binaries:
/usr/bin/sudo and /usr/libexec/dbus-daemon-launch-helper both of which are not linked with gconv libraries. 

If my understanding is correct, bug only impacts for binaries which have setuid bit set and RPATH set to $ORIGIN.

Based on above, I think there is no need for backporting the changes to stable* branches. Only updating head should suffice.

yunlian@, is 800007 fixed and if so, is this fixed as well based on https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/854769?

I'd like to clean up the security bug queue.

Yes, it is fixed based on that CL.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot