| Summary: | Harden tmux package, build tmux as PIE | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dhiru Kholia <dhiru> | ||||
| Component: | tmux | Assignee: | Sven Lankes <sven> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | dcantrell, praiskup, rosset.filipe, ruben, strobert, sven | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-06-10 01:56:33 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
Description
Dhiru Kholia
2016-04-05 14:09:05 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
This patch shouldn't be needed; the settings you add to CFLAGS are the defaults nowadays.
The real reason why the tmux executable is not built as PIE is this line:
make %{?_smp_mflags} LDFLAGS="%{optflags}".
For hardened builds, the %build step sets this in the environment:
+ LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
+ export LDFLAGS
but the make step is executed like this:
+ make -j2 'LDFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
Note the specs= part, which contains settings for the compiler, not the linker.
So the real fix is simple, as below:
diff --git a/tmux.spec b/tmux.spec
index a1a9cca..449d1d5 100644
--- a/tmux.spec
+++ b/tmux.spec
@@ -28,7 +28,7 @@ as GNU Screen.
%build
%configure
-make %{?_smp_mflags} LDFLAGS="%{optflags}"
+make %{?_smp_mflags}
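Review bot: the new `make %{?_smp_mflags}` line carries no comment explaining why LDFLAGS is no longer passed, so nothing in %build records that the linker flags must come from the environment. A one-line comment above it, saying that the hardened LDFLAGS are exported before %build and must not be overridden on the make command line, would keep a later edit from reintroducing `LDFLAGS="%{optflags}"`. It would also help to state in the commit message that the removed value was the compiler flag set, since that is what caused the linker to miss the PIE settings.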
$ checksec --file /usr/bin/tmux
RELRO       STACK CANARY   NX          PIE          RPATH     RUNPATH     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  Yes      9          17           /usr/bin/tmux
$ ./scanner.py ~/pkgs/tmux/results_tmux/2.4/1.fc27/tmux-2.4-1.fc27.x86_64.rpm
Analyzing /home/ruben/pkgs/tmux/results_tmux/2.4/1.fc27/tmux-2.4-1.fc27.x86_64.rpm ...
tmux,tmux-2.4-1.fc27.x86_64.rpm,/usr/bin/tmux,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Enabled,PIE=Enabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Partial$readlink$memset$getcwd$read$memcpy$memmove$wctomb$gethostname,CATEGORY=network-local,TEMPPATHS=None,DEPS=libutil.so.1$libtinfo.so.6$libevent-2.0.so.5$libresolv.so.2$libc.so.6
http://pkgs.fedoraproject.org/cgit/rpms/tmux.git/commit/?id=c946af041210575b5eda5ab39708ef5aa5c78eb9
Filipe, did you read my comment? If you don't have time I am happy to apply my patch myself.
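Added example, not part of the bug thread or of the tmux package: a small Python check for the root cause discussed above, a make line in %build that assigns LDFLAGS on the command line and so replaces the hardened LDFLAGS exported by the build environment. The function names and the sample spec fragment are constructed for illustration; only the make line comes from the patch.

```python
import re
import shlex

# Section headers that start or end the %build scriptlet in a spec file.
SECTION = re.compile(r"^%(prep|build|install|check|files|changelog|description|package)\b")
MAKE_CMDS = {"make", "%make_build", "%{__make}"}
# Compiler-only content seen on this page; it does not belong in LDFLAGS.
COMPILER_ONLY = ("%{optflags}", "redhat-hardened-cc1")

def build_lines(spec_text):
    """Yield (first_line_no, logical_line) for %build, joining '\\' continuations."""
    in_build, pending, start = False, "", 0
    for no, raw in enumerate(spec_text.splitlines(), 1):
        header = SECTION.match(raw)
        if header:
            in_build = header.group(1) == "build"
            continue
        if not in_build:
            continue
        if not pending:
            start = no
        cont = raw.endswith("\\")
        pending += (raw[:-1] + " ") if cont else raw
        if not cont:
            yield start, pending.strip()
            pending = ""

def find_ldflags_overrides(spec_text):
    """Return (line_no, value, compiler_only_markers) for each make LDFLAGS=... override."""
    findings = []
    for no, line in build_lines(spec_text):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not a simple command line
            continue
        if not tokens or tokens[0] not in MAKE_CMDS:
            continue
        for tok in tokens[1:]:
            name, eq, value = tok.partition("=")
            if eq and name == "LDFLAGS":
                findings.append((no, value, [m for m in COMPILER_ONLY if m in value]))
    return findings

# Constructed sample: only the %build lines are taken from the hunk above.
SPEC_BEFORE = """%description
tmux is a terminal multiplexer.

%build
%configure
make %{?_smp_mflags} LDFLAGS="%{optflags}"
"""
SPEC_AFTER = SPEC_BEFORE.replace(' LDFLAGS="%{optflags}"', "")

if __name__ == "__main__":
    for label, spec in (("before", SPEC_BEFORE), ("after", SPEC_AFTER)):
        print(label, find_ldflags_overrides(spec) or "no LDFLAGS override on make")
```

Any finding means make will ignore the exported linker flags; a non-empty marker list additionally shows that compiler flags were passed in their place, which is the case reported here.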