Bug 1954049

Summary:	[34 Regression] libgcrypt-1.9.2-2.fc34.x86_64 lost CET protection
Product:	[Fedora] Fedora	Reporter:	H.J. Lu <hongjiu.lu>
Component:	libgcrypt	Assignee:	Jakub Jelen <jjelen>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	34	CC:	codonell, crypto-team, fweimer, jjelen, tm
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	libgcrypt-1.9.3-2.fc34	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1954422 (view as bug list)		Environment:
Last Closed:	2021-05-03 02:05:36 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1954422

Description H.J. Lu 2021-04-27 13:57:25 UTC

[root@gnu-tgl-1 hjl]# rpm -qf /lib64/libgcrypt.so.20     
libgcrypt-1.9.2-2.fc34.x86_64
[root@gnu-tgl-1 hjl]# readelf -n /lib64/libgcrypt.so.20 | grep feature
[root@gnu-tgl-1 hjl]# 

[hjl@gnu-efi-2 ~]$ rpm -qf /lib64/libgcrypt.so.20    
libgcrypt-1.8.7-1.fc33.x86_64
[hjl@gnu-efi-2 ~]$ readelf -n /lib64/libgcrypt.so.20 | grep feature 
	x86 feature: IBT, SHSTK
[hjl@gnu-efi-2 ~]$

Comment 1 Jakub Jelen 2021-04-27 14:11:24 UTC

Hi, do you have some hints where do these come from (compiler flags, configuration?)?

Does it work with new 1.9.3 version?

https://bodhi.fedoraproject.org/updates/FEDORA-2021-54a91de592

Comment 2 Jakub Jelen 2021-04-27 14:31:22 UTC

ok, the version 1.9.3 is not any better:

[root@fedora34 ~]# readelf -n /lib64/libgcrypt.so.20 | grep feature

Probably this?

https://src.fedoraproject.org/rpms/libgcrypt/c/8c18517a2519c8acbf705612db701c063990ff59

I read it as it is available in master already. Unfortunately, there is no better reference. Let me check.

Comment 3 H.J. Lu 2021-04-27 14:41:14 UTC

Let me take a look to fix it.

Comment 4 H.J. Lu 2021-04-27 16:52:41 UTC

This patch:

https://gitlab.com/cet-software/libgcrypt/-/commit/b04c0a86b19856071c29d2a6285f3240c606ee7a

should work.

Comment 5 Jakub Jelen 2021-04-27 18:39:31 UTC

Thank you. I verified that the local build has the expected flags.

Did you submit the patch upstream already or should I do that?

Comment 6 H.J. Lu 2021-04-27 19:47:35 UTC

(In reply to Jakub Jelen from comment #5)
> Thank you. I verified that the local build has the expected flags.
> 
> Did you submit the patch upstream already or should I do that?

https://lists.gnupg.org/pipermail/gcrypt-devel/2021-April/005147.html

Comment 7 Fedora Update System 2021-04-28 08:12:30 UTC

FEDORA-2021-46873b3b46 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-46873b3b46

Comment 8 Fedora Update System 2021-04-29 01:03:54 UTC

FEDORA-2021-46873b3b46 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-46873b3b46`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-46873b3b46

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-05-03 02:05:36 UTC

FEDORA-2021-46873b3b46 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.