Bug 955147

Summary: lightdm package should be built with PIE flags
Product: [Fedora] Fedora Reporter: Dhiru Kholia <dkholia>
Component: lightdmAssignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bressers, christoph.wickert, dan.mashal, dcbw, dhiru, gregor, moez.roy, mtasaka, rdieter
Target Milestone: ---Keywords: FutureFeature, Upstream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: lightdm-1.10.6-2.fc23 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-30 20:51:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 956868    
Bug Blocks: 1199775    

Description Dhiru Kholia 2013-04-22 13:27:29 UTC 
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently lightdm is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

lightdm-1.6.0-2.fc19.x86_64.rpm

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py lightdm-1.6.0-2.fc19.x86_64.rpm
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/bin/dm-tool,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-guest-session-wrapper,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-set-defaults,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/sbin/lightdm,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
Comment 1 Dan Mashal 2013-04-22 15:11:09 UTC 
Tried building with "%global _hardened_build 1" in the spec:

Making all in doc
make[2]: Entering directory `/builddir/build/BUILD/lightdm-1.6.0/doc'
  DOC   Scanning header files
  DOC   Introspecting gobjects
gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'
compilation terminated.
Compilation of scanner failed: 

http://kojipkgs.fedoraproject.org//work/tasks/8232/5288232/build.log
Comment 2 Rex Dieter 2013-04-25 11:53:59 UTC 
Thanks to some prodding by halfie on irc,

[04/25/13 06:49] <halfie> rdieter, the build system of lightdm seems to be appending flags to existing flags?
[04/25/13 06:50] <rdieter> this line is the failure:  
[04/25/13 06:50] <rdieter> CC="$(GTKDOC_CC)" LD="$(GTKDOC_LD)" RUN="$(GTKDOC_RUN)" CFLAGS="$(GTKDOC_CFLAGS) $(CFLAGS)" LDFLAGS="$(GTKDOC_LIBS) $(LDFLAGS)" \
[04/25/13 06:50] <rdieter>             gtkdoc-scangobj $(SCANGOBJ_OPTIONS) $$scanobj_options --module=$(DOC_MODULE);
[04/25/13 06:51] <rdieter> yeah, looks like it
[04/25/13 06:51] <rdieter> GTKDOC_CC = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(INCLUDES) $(GTKDOC_DEPS_CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
[04/25/13 06:51] <rdieter> GTKDOC_LD = $(LIBTOOL) --tag=CC --mode=link $(CC) $(GTKDOC_DEPS_LIBS) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS)
[04/25/13 06:51] <rdieter> so those are getting set twice

[04/25/13 06:52] <halfie> I suspected something like that. So what do we do here? File upstream bug?
[04/25/13 06:53] <rdieter> I'll try to patch it so it gets set only once, then yeah, poke upsteam about it
Comment 3 Fedora Update System 2013-04-25 12:31:26 UTC 
lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19
Comment 4 Fedora Update System 2013-04-25 16:47:26 UTC 
Package lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-kde-0.3.2.1-2.fc19 lightdm-gtk-1.5.1-2.fc19 lightdm-1.6.0-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6618/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19
then log in and leave karma (feedback).
Comment 5 Rex Dieter 2013-04-26 05:03:26 UTC 
PIE build reverted for now, seems to cause crashes, bug #956868
Comment 6 Fedora Update System 2013-04-27 11:46:15 UTC 
lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-6713/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-4.fc19
Comment 7 Dan Williams 2013-04-30 20:27:58 UTC 
I've filed bug 958290 for a fix to gtk-doc so we don't all have to patch this ourselves.
Comment 8 Rex Dieter 2013-05-16 12:27:40 UTC 
lightdm was fixed, so doesn't depend on bug #892837 (removing)
Comment 10 Moez Roy 2015-03-14 14:55:52 UTC 
(In reply to Rex Dieter from comment #8)
> lightdm was fixed, so doesn't depend on bug #892837 (removing)

Please remind me why hardening was disabled for lightdm again? This bug references other RHBZ which are all closed right now.

Thanks.
Comment 11 Mamoru TASAKA 2015-03-14 15:09:30 UTC 
(In reply to Moez Roy from comment #10)
> (In reply to Rex Dieter from comment #8)
> > lightdm was fixed, so doesn't depend on bug #892837 (removing)
> 
> Please remind me why hardening was disabled for lightdm again? This bug
> references other RHBZ which are all closed right now.
> 
> Thanks.

You should try reading the history.

(In reply to Rex Dieter from comment #5)
> PIE build reverted for now, seems to cause crashes, bug #956868
Comment 12 Rex Dieter 2016-03-24 13:59:50 UTC 
* Wed Nov 25 2015 Rex Dieter <rdieter> - 1.10.6-2
...
- (re)enable hardening for f23+, at least (#956868)
Comment 13 Fedora Update System 2016-03-28 18:37:59 UTC 
lightdm-1.10.6-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-97272d76c4
Comment 14 Fedora Update System 2016-03-30 20:51:25 UTC 
lightdm-1.10.6-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.