Bug 2040479

Summary: busybox binary isn't a hardened build
Product: [Fedora] Fedora Reporter: Seirdy <fedora>
Component: busyboxAssignee: Tom "spot" Callaway <spotrh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36CC: admiller, dvlasenk, spotrh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-25 17:58:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Seirdy 2022-01-13 19:03:54 UTC 
Description of problem:

The busybox binary lacks hardening measures: no RELRO, no stack canaries, not position-independent.

Version-Release number of selected component (if applicable):

1.34.1, 1.35.0

How reproducible: always


Steps to Reproduce:
1. Install busybox and checksec
2. Run checksec --file=/usr/sbin/busybox

Actual results:

	RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
	No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols        No    0               0               /usr/sbin/busybox


Expected results:

	RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
	Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols        No    0               4               /usr/bin/clang-13

Additional info:

For reference, Alpine Linux's busybox package does have hardening measures such as PIE and partial RELRO. Its package uses the more common musl libc rather than uClibc.

Void Linux's musl edition is similar.
Comment 1 Ben Cotton 2022-02-08 21:12:02 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.
Comment 2 Tom "spot" Callaway 2022-03-10 16:39:44 UTC 
Checksec does not return useful data against static binaries, only shared ones. That said, there are some hardening measures that could be applied to the static binary. The first (and bigger) challenge is that the static binary doesn't actually work right now, it just segfaults and I need to figure out why.
Comment 3 Tom "spot" Callaway 2022-03-25 17:58:57 UTC 
hardening flags now applied in rawhide.