Bug 1281830

Summary: Harden all packages: deltarpm should ship position-independent executables
Product: [Fedora] Fedora Reporter: Christian Stadelmann <fedora>
Component: deltarpmAssignee: Jonathan Dieter <jonathan>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: jonathan
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: deltarpm-3.6-13.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-17 11:57:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Stadelmann 2015-11-13 14:33:10 UTC 
Description of problem:
According to https://fedoraproject.org/wiki/Changes/Harden_All_Packages all binary executables should be position-independent. deltarpm doesn't do so:

$ checksec --file /usr/bin/applydeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/applydeltarpm

$ checksec --file /usr/bin/combinedeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/combinedeltarpm

$ checksec --file /usr/bin/makedeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/makedeltarpm

$ checksec --file /usr/bin/rpmdumpheader 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/rpmdumpheader

Version-Release number of selected component (if applicable):
deltarpm-3.6-11.fc23.x86_64
Comment 1 Fedora Update System 2015-11-14 20:53:16 UTC 
deltarpm-3.6-13.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0745c3f7a7
Comment 2 Fedora Update System 2015-11-15 05:25:17 UTC 
deltarpm-3.6-13.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update deltarpm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0745c3f7a7
Comment 3 Christian Stadelmann 2015-11-15 10:25:15 UTC 
The rpmdumpheader executable doesn't have stack canary enabled:

$ checksec --file /usr/bin/rpmdumpheader 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/rpmdumpheader

Is this intended?
Comment 4 Jonathan Dieter 2015-11-15 12:33:36 UTC 
Um, no.  Let me investigate.
Comment 5 Jonathan Dieter 2015-11-15 12:59:45 UTC 
Ok, I've investigated and we're doing exactly the same thing when generating rpmdumpheader as we are for all the other binaries.

According to http://stackoverflow.com/questions/24465014/gcc-generate-canary-or-not, gcc uses a heuristic when deciding whether or not to use a canary, and rpmdumpheader has one single function in it, main.  My guess is that rpmdumpheader doesn't fit into the heuristic, thus no stack canary is generated.

I'm not at all an expert when it comes to this, so feel free to correct me if I'm wrong.
Comment 6 Christian Stadelmann 2015-11-15 13:05:29 UTC 
I guess you are right about that. I'm no expert on it either.

Since rpmdumpheader has just a single function it might not have "enough stack" to make stack canary useful. Sorry for the noise.
Comment 7 Fedora Update System 2015-11-17 11:57:55 UTC 
deltarpm-3.6-13.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.