Bug 1283307

Summary: icecat provides one library without stack protection
Product: [Fedora] Fedora
Reporter: Antonio T. (sagitter) <anto.trande>
Component: icecat
Assignee: Antonio T. (sagitter) <anto.trande>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: moez.roy
Hardware: Unspecified
OS: Unspecified
Fixed In Version: icecat-38.4.0-3.fc22 icecat-38.4.0-3.fc23
Doc Type: Bug Fix
Last Closed: 2015-12-22 07:23:07 UTC
Type: Bug
Bug Blocks: 1199775

Description Antonio T. (sagitter) 2015-11-18 16:41:29 UTC
Description of problem:
icecat has been rebuilt with all flags for "hardened build".

/usr/lib64/icecat-%version/libmozalloc.so
/usr/lib/icecat-%version/libmozalloc.so

are without stack protection:

# checksec --dir /usr/lib64/icecat-38.4.0
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat-bin
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libmozalloc.so
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libxul.so
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/plugin-container
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/updater
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/webapprt-stub


Expected results:
All libraries should provide a 'Canary stack'.

Comment 1 Moez Roy 2015-12-08 21:47:59 UTC
What happens when it is compiled with --fstack-protector-all instead of --fstack-protector-strong? Do you get a canary?

Comment 2 Antonio T. (sagitter) 2015-12-10 10:25:39 UTC
(In reply to Moez Roy from comment #1)
> What happens when it is compiled with --fstack-protector-all instead of
> --fstack-protector-strong? Do you get a canary?

'-fstack-protector-all' seems to activate 'canary' in libmozalloc.so: https://koji.fedoraproject.org/koji/taskinfo?taskID=12130939

Comment 3 Fedora Update System 2015-12-12 11:52:35 UTC
icecat-38.4.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba

Comment 4 Fedora Update System 2015-12-12 11:52:35 UTC
icecat-38.4.0-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567

Comment 5 Fedora Update System 2015-12-13 05:54:09 UTC
icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567

Comment 6 Fedora Update System 2015-12-13 17:22:09 UTC
icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba

Comment 7 Fedora Update System 2015-12-22 07:23:05 UTC
icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-12-22 22:05:03 UTC
icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.