Bug 1809656
| Summary: | annocheck failure in rpmdiff - golang | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Liora Milbaum <lmilbaum> |
| Component: | annobin | Assignee: | Nick Clifton <nickc> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | qe-baseos-tools-bugs |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.4 | CC: | dcantrell, fweimer, jbair, law, mcermak, nickc, sgott |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-16 16:09:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Liora Milbaum
2020-03-03 16:01:46 UTC
Hi Liora,
> At this point, either the virtctl program needs adjusted to pass the annocheck test, or a bug needs filed against annocheck to fix
> whatever is causing annocheck to not properly flag virtctl as a go binary.
Ideally both of these things need to happen. Annocheck is issuing two FAIL
results:
Hardened: /usr/bin/virtctl: FAIL: Build notes were not found for this executable.
Hardened: /usr/bin/virtctl: FAIL: Entry point instruction is not ENDBR64.
The first is a bug in annocheck - it should not expect to find annobin notes in
a compiled GO binary. The second is really a problem with the GO compiler. It
really should support the generation of the ENDBR64 instruction which is a part
of Intel's Control flow Enforcement Technology - a security feature designed to
help prevent attackers from using the binary for nefarious purposes.
I have a local patch to annocheck which fixes the first problem, and changes
the second FAIL result to a SKIP - on the grounds that the GO compiler is unlikely
to be fixed any time soon. Since this is not an urgent problem however I am
going to hold off committing the patch until 8.3.0. If you would like to try
out the fixed annocheck however you can do so by getting the latest version
of annobin from Fedora rawhide (annobin-9.12-1.fc33)
Cheers
Nick
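
The entry-point test discussed in the comment above, sketched as an added example (not annocheck's code and not part of the original thread): it maps `e_entry` to a file offset through the PT_LOAD headers, compares the first four bytes with the ENDBR64 encoding, and downgrades a miss to SKIP for Go binaries as the patch described above does. Recognising Go by its build-info magic bytes, the helper names and the ELF images are assumptions constructed for this sketch.

```python
import struct

ENDBR64 = b"\xf3\x0f\x1e\xfa"      # encoding of the CET landing-pad instruction
GO_MAGIC = b"\xff Go buildinf:"    # Go build-info marker; heuristic assumed by this sketch
PT_LOAD, EM_X86_64 = 1, 62

def entry_bytes(elf: bytes, n: int = 4) -> bytes:
    """Return the first n bytes stored at e_entry of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if struct.unpack_from("<H", elf, 18)[0] != EM_X86_64:
        raise ValueError("ENDBR64 only applies to x86-64")
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= e_entry < p_vaddr + p_filesz:
            off = p_offset + (e_entry - p_vaddr)   # virtual address -> file offset
            return elf[off:off + n]
    raise ValueError("entry point is not inside any PT_LOAD segment")

def check(elf: bytes) -> dict:
    """FAIL a missing ENDBR64 for ordinary binaries, SKIP it for Go binaries."""
    is_go, has_endbr = GO_MAGIC in elf, entry_bytes(elf) == ENDBR64
    verdict = "PASS" if has_endbr else ("SKIP" if is_go else "FAIL")
    return {"go_binary": is_go, "entry_endbr64": has_endbr, "verdict": verdict}

def make_elf(code: bytes, extra: bytes = b"") -> bytes:
    """Constructed sample: minimal ELF64 whose single PT_LOAD covers the whole file."""
    base, hdr = 0x400000, 64 + 56              # ELF header + one program header
    size = hdr + len(code) + len(extra)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, EM_X86_64, 1, base + hdr, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, size, size, 0x1000)
    return ehdr + phdr + code + extra

# Constructed inputs: a CET-enabled start, a Go-like image, and a plain image without ENDBR64.
C_LIKE = make_elf(ENDBR64 + b"\x31\xed")
GO_LIKE = make_elf(b"\xe9\x00\x00\x00\x00", GO_MAGIC + bytes(18))
PLAIN = make_elf(b"\x31\xed\x49\x89")
```
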
Thanks Nick for your quick response. Do you have ETA on when rpmdiff tests will be using the annobin with your fixes?

Hi Liora,
> Do you have ETA on when rpmdiff tests
> will be using the annobin with your fixes?
Hmm, good question. The short answer is "no". Rpmdiff normally gets its
binaries from the epel7 branch of Fedora, but the annobin there was updated
to 8.90 last November, and it does not appear to have made it into their
work environment. I will update epel7 again and then see if I can prod
QE into updating their environment.
Cheers
Nick
Thanks again. Please update when you have more information on this.

Hi Liora,
> Thanks again. Please update when you have more information on this.
I *think* that the updated annocheck should now be installed on the machines used by rpmdiff.
Cheers
Nick
Nick,
Thanks for the update. Let us check that it solved our issue.
Liora

(In reply to Liora Milbaum from comment #7)
Hi Liora,
> You can find more information in the following link:
> https://issues.redhat.com/browse/KNIECO-1724?focusedCommentId=13996922&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13996922
Sorry - that gives me:
"You can't view this issue
It may have been deleted or you don't have permission to view it."
Can you summarise what is wrong? (And confirm that a new version of annocheck is being used)
Cheers
Nick

Hi Liora,
> "You can't view this issue
> It may have been deleted or you don't have permission to view it."
Ah - my JIRA account was not linked to my Red Hat account. This is now fixed and I can see the issue.
I think that the problem might be a timing issue. The rpmdiff results linked to by Stuart were run
on 2020-03-07 but the update to the new version of annobin happened on 2020-03-10. (I think...).
When I check the rpms with annocheck locally they pass, so I think that if the builds were resubmitted
(or remade with a bumped NVR) then they will pass too.
Cheers
Nick

You can see the version of tools used by the rpmdiff job by clicking View Log. For this one:
https://rpmdiff.engineering.redhat.com/run/433067/log/
You can see it used annobin-8.73-1.el7.x86_64. Since you need the newer annobin and that has been deployed to the rpmdiff workers, you can just reschedule that same rpmdiff job -or- do a new build and update the erratum and let it schedule a new rpmdiff job.

(In reply to Liora Milbaum from comment #12)
> FAILED -
> https://rpmdiff.engineering.redhat.com/run/437374/
But the execshield test passed. :-)
The FAIL is from the Upstream Source test, which I hope is completely unrelated to annocheck.

Nick,
You are correct :-) I have added the 'Rebase' key to the BZ ticket and rescheduled the test.

The test is still failing. Is that something you can help me chase, or should I file another issue?

You can close this issue as resolved. I will chase the other issue in another stream. Thank you very much.

Problem resolved.

(In reply to Nick Clifton from comment #13)
> (In reply to Liora Milbaum from comment #12)
> > FAILED -
> > https://rpmdiff.engineering.redhat.com/run/437374/
>
> But the execshield test passed. :-)
>
> The FAIL is from the Upstream Source test, which I hope is completely
> unrelated to annocheck.
It is separate. The result from the test says:
"Upstream version changed from 0.23.3 to 0.26.1 (not OK, because kubevirt is not on the version whitelist and no ET48744-linked bugs have the 'Rebase' keyword)"
It's pretty straightforward.

David,
It is straightforward. I have a BZ ticket attached to the advisory with a 'Rebase' keyword. rpmdiff ignores it :-(

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days