Bug 2043000

Summary: cf-protection test is intentionally skipped on GO binaries but property-note test complains about cf-protection
Product: Red Hat Enterprise Linux 9
Component: annobin
Version: 9.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Václav Kadlčík <vkadlcik>
Assignee: Nick Clifton <nickc>
QA Contact: Václav Kadlčík <vkadlcik>
CC: fweimer, mcermak, nickc, vkadlcik
Target Milestone: rc
Keywords: Bugfix, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: annobin-10.50-1.el9
Doc Type: No Doc Update
Last Closed: 2022-05-17 12:33:28 UTC
Type: Bug

Description Václav Kadlčík 2022-01-20 13:07:02 UTC
Description of problem:

Because of bz1997759 annocheck skips the cf-protection test.
However it now complains about it in the property-note test.


Version-Release number of selected component (if applicable):

annobin-annocheck-10.48-1.el9


Steps to Reproduce:

1. annocheck --ignore-unknown --verbose --debug-rpm=/mnt/redhat/brewroot/packages/weldr-client/35.2/2.el9/x86_64/weldr-client-debuginfo-35.2-2.el9.x86_64.rpm /mnt/redhat/brewroot/packages/weldr-client/35.2/2.el9/x86_64/weldr-client-35.2-2.el9.x86_64.rpm |& grep cf-protection


Actual results:

Hardened: ./usr/bin/composer-cli: skip: cf-protection test because control flow protection is not needed for GO binaries 
Hardened: ./usr/bin/composer-cli: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled


Expected results:

On GO binaries, where the cf-protection isn't expected to be present
for now and the cf-protection test is intentionally skipped, the
property-note test shouldn't fail just because of cf-protection.


Additional info:

It looks to me that 10.44 was our last rpm build that worked fine,
we don't have a 10.45 build and then 10.46 broke it.
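
Added example, not part of the original report and not annocheck's code: a parser for the x86 feature bits in a `.note.gnu.property` note, with a verdict function that follows the expected result described above. The names `x86_feature_1`, `property_note_verdict` and `build_note` are hypothetical, the sample notes are constructed, and treating cf-protection as requiring both the IBT and SHSTK bits is an assumption of this sketch.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                   # note type of .note.gnu.property
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002  # property carrying the CET bits
FEATURE_1_IBT, FEATURE_1_SHSTK = 0x1, 0x2
CET = FEATURE_1_IBT | FEATURE_1_SHSTK        # assumption: both bits required


def x86_feature_1(note: bytes, align: int = 8) -> int:
    """Return the X86_FEATURE_1_AND bits of a 64-bit little-endian note, 0 if absent."""
    if len(note) < 12:
        raise ValueError("truncated note header")
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        raise ValueError("not a GNU property note")
    pos = (12 + namesz + align - 1) & -align   # descriptor starts after padded name
    end = pos + descsz
    if end > len(note):
        raise ValueError("truncated note descriptor")
    while pos + 8 <= end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, pos)
        pos += 8
        if pos + pr_datasz > end:
            raise ValueError("property overruns descriptor")
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
            return struct.unpack_from("<I", note, pos)[0]
        pos = (pos + pr_datasz + align - 1) & -align  # properties are 8-byte aligned
    return 0


def property_note_verdict(note: bytes, is_go: bool) -> str:
    """Verdict following the report's expected result (not annocheck's own logic)."""
    if (x86_feature_1(note) & CET) == CET:
        return "PASS"
    # cf-protection is skipped for Go binaries, so its absence must not fail here.
    return "skip" if is_go else "FAIL"


def build_note(bits: int) -> bytes:
    """Constructed sample: a note holding one X86_FEATURE_1_AND property."""
    desc = struct.pack("<III4x", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)
    return struct.pack("<III4s", 4, len(desc), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + desc


if __name__ == "__main__":
    for bits, is_go in [(CET, False), (0, False), (0, True)]:
        print(hex(bits), is_go, property_note_verdict(build_note(bits), is_go))
```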

Comment 1 Nick Clifton 2022-01-24 12:47:07 UTC
Fixed in annobin-10.50-1.el9.

Comment 2 Václav Kadlčík 2022-01-24 15:59:43 UTC
pre-verified: annobin-10.50-1.el9

Comment 6 errata-xmlrpc 2022-05-17 12:33:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: annobin), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:2342