Bug 1147283

Summary: [patch attached] Build bash with PIE enabled
Product: Fedora
Reporter: Elad Alfassa <elad>
Component: bash
Assignee: Ondrej Oprala <ooprala>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: admiller, daw-redhatbugzilla, fweimer, ooprala, ovasik
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-01-23 15:56:07 UTC

Attachments:
Enable PIE (hardened build) (flags: none)

Description Elad Alfassa 2014-09-28 21:37:28 UTC
Created attachment 942034 [details]
Enable PIE (hardened build)

If possible, please accept this patch to enable PIE when compiling bash, see
https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
for more info.

Bash is long running (as root too), and can accept input from untrusted sources as we saw in the last few weeks - this answers three of the listed criteria for enabling PIE.

Enabling PIE on bash would probably make us a tiny bit safer.
If there's no reason *not* to enable PIE, patch is attached :)

Comment 1 Elad Alfassa 2014-09-30 07:52:19 UTC
My rationale for enabling this (apart from the criteria in the guidelines) is basically http://lcamtuf.blogspot.co.il/2014/09/bash-bug-apply-unofficial-patch-now.html (which is CVE-2014-6277).

While we're probably safe from that (according to https://access.redhat.com/security/cve/CVE-2014-6277), there's still a possibility that more unknown bugs exist in bash with a similar effect. Enabling PIE is obviously not a magic solution for all vulnerabilities, but it might make us a bit safer (and make a potential attacker's life harder) against a certain class of them.

I don't see a reason not to enable PIE on bash; I've been running with it since Sunday with no visible side-effects.

Comment 2 D. Wagner 2014-10-02 22:20:58 UTC
This seems like a sensible hardening defense.  If performance on i686 is problematic, a possible intermediate step is to enable it on x86_64 only.


Information on how to reproduce and confirm that the issue is fixed:

Steps to Reproduce:
1. yum install checksec
2. checksec --file /usr/bin/bash

Actual results:

$ checksec --file /usr/bin/bash
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/bash

Expected results:

PIE should be enabled.  Full RELRO should be present.


Additional info:

For more resources and discussion of PIE in general, see:

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html
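
The two checksec columns the steps above look at (PIE and RELRO) can be verified straight from the ELF headers. The following is an added example, not code from this bug report or from the bash package: it reads e_type, looks for a PT_GNU_RELRO segment and checks the DT_FLAGS/DT_FLAGS_1 bind-now flags, which is the same classification checksec applies; the script name elfcheck.py and the build_elf64 helper that constructs synthetic test images are assumptions.

```python
import struct
import sys

# ELF constants needed for the PIE and RELRO checks (64-bit, little-endian only)
ET_EXEC, ET_DYN = 2, 3                       # PIE executables (and shared objects) use ET_DYN
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def inspect_elf64(data: bytes) -> dict:
    """Classify an ELF64 image as checksec would: PIE yes/no, RELRO No/Partial/Full."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):                 # walk the program headers
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True                 # a read-only-after-relocation region exists
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False                         # Full RELRO also needs immediate binding (-z now)
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "No"
    return {"pie": e_type == ET_DYN, "relro": relro}

def build_elf64(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested flags (test input only)."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)           # header, then program headers, then the dynamic section
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in types)
    return hdr + phdrs + dyn

if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/bin/bash   (after the fix: pie True, relro Full)
    with open(sys.argv[1], "rb") as f:
        print(inspect_elf64(f.read()))
```

Note that a shared library is also ET_DYN, so "pie" here means position independent; for an executable such as /usr/bin/bash that is exactly what the guideline asks for.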

Comment 3 Ondrej Oprala 2015-01-23 15:56:07 UTC
Hi, I'm sorry for my MASSIVE response time. I've applied your patch Elad, bash should build with PIE from F22 onwards.