Bug 955156

Summary: varnish package should be built with PIE flags
Product: [Fedora] Fedora
Reporter: Dhiru Kholia <dkholia>
Component: varnish
Assignee: Ingvar Hagelund <ingvar>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bressers, ingvar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: varnish-3.0.3-5.fc18
Doc Type: Bug Fix
Last Closed: 2013-05-28 20:54:41 EDT
Attachments:
* this should enable PIE (flags: none)
* Output of rpm-chksec on varnish packages with enabled _hardened_build (flags: none)

Description Dhiru Kholia 2013-04-22 09:33:44 EDT
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently varnish is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

varnish-3.0.3-4.fc19.x86_64.rpm

How reproducible:

You can use the following programs to check whether a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py varnish-3.0.3-4.fc19.x86_64.rpm
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishadm,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishhist,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishlog,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishncsa,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishreplay,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishsizes,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishstat,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishtest,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-local
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/bin/varnishtop,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
varnish,varnish-3.0.3-4.fc19.x86_64.rpm,/usr/sbin/varnishd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
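An added example (not part of this bug report, of scanner.py, or of the varnish package): a minimal walk over the ELF program headers that reproduces the PIE, NX and RELRO columns of the scanner output above. The two images it inspects are constructed in-line so it runs offline; for a real file, call check_elf(open(path, "rb").read()).

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1  # segment flag: executable

def check_elf(data):
    """Return the PIE / NX / RELRO columns for one ELF image, as the scanner prints them."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if data[4] == 2:                              # ELFCLASS64
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        def phdr(off):                            # Elf64_Phdr starts with p_type, p_flags
            return struct.unpack_from(end + "II", data, off)
    else:                                         # ELFCLASS32: p_flags sits after p_memsz
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        def phdr(off):
            return (struct.unpack_from(end + "I", data, off)[0],
                    struct.unpack_from(end + "I", data, off + 24)[0])
    seen = {}
    for i in range(phnum):
        p_type, p_flags = phdr(e_phoff + i * phentsize)
        seen[p_type] = p_flags
    # A PIE is an ET_DYN object that also carries a PT_INTERP; an ET_DYN without
    # one is an ordinary shared library (static-pie binaries are not distinguished).
    pie = e_type == ET_DYN and PT_INTERP in seen
    # NX holds only if PT_GNU_STACK is present and does not ask for PF_X.
    nx = PT_GNU_STACK in seen and not (seen[PT_GNU_STACK] & PF_X)
    # Program headers reveal only partial RELRO; "Full" additionally needs
    # DT_BIND_NOW in the dynamic section, which this walk does not read.
    relro = "Partial" if PT_GNU_RELRO in seen else "Disabled"
    return {"PIE": "Enabled" if pie else "Disabled",
            "NX": "Enabled" if nx else "Disabled", "RELRO": relro}

def build_elf64(e_type, segments):
    """Constructed little-endian ELF64 image holding the given (p_type, p_flags) headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                        64, 56, len(segments), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)

if __name__ == "__main__":
    hardened = build_elf64(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    legacy = build_elf64(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])
    print(check_elf(hardened))   # {'PIE': 'Enabled', 'NX': 'Enabled', 'RELRO': 'Partial'}
    print(check_elf(legacy))     # {'PIE': 'Disabled', 'NX': 'Disabled', 'RELRO': 'Disabled'}
```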
Comment 1 Dhiru Kholia 2013-05-14 23:42:10 EDT
Created attachment 748047 [details]
this should enable PIE
Comment 2 Dhiru Kholia 2013-05-14 23:44:10 EDT
Ingvar,

Can you please try the attached patch which fixes the reported problem?
Comment 3 Ingvar Hagelund 2013-05-15 08:23:44 EDT
I'm a bit confused about this.

About PIE:

Varnish does not have built-in support for pie, like e.g. Apache httpd has (i.e. no --enable-pie). The package guidelines say I MUST enable the PIE compiler flags, but using the proposed macro _hardened_build only adds -fPIC to the library builds. -fPIE is not added anywhere. Do I have to do this by hand? How?

About PIC:

I thought Fedora/autotools would add -fPIC by itself when available, if the configure script looks for it. While it seems it does in varnish's case, not all gcc calls get it added.

Adding _hardened_build adds -fPIC to all libtool-called gcc library builds, so I guess that's all right. Right?

How does this differ from just calling configure with --with-pic?

I built packages for f19 with _hardened_build, see http://users.linpro.no/ingvar/varnish/3.0.3/3.0.3-5

See attachment for result after adding _hardened_build. Is this sufficient?

Ingvar
Comment 4 Ingvar Hagelund 2013-05-15 08:24:55 EDT
Created attachment 748246 [details]
Output of rpm-chksec on varnish packages with enabled _hardened_build
Comment 5 Dhiru Kholia 2013-05-15 09:01:10 EDT
(In reply to comment #3)
> Varnish does not have built-in support for pie, like e.g. Apache httpd has
> (i.e. no --enable-pie). The package guidelines say I MUST enable the PIE
> compiler flags, but using the proposed macro _hardened_build only adds -fPIC
> to the library builds. -fPIE is not added anywhere. Do I have to do this by
> hand? How?

See the output of the following commands,

✗ rpm --define '_hardened_build 1' -E '%{?__global_cflags}'
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1

✗ rpm --define '_hardened_build 1' -E '%{?__global_ldflags}'
-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld

$ cat /usr/lib/rpm/redhat/redhat-hardened-cc1
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}

Notice that the "-fPIE" flag is automatically added once you include "%global _hardened_build 1" in your .spec file.

Please see my attachment for a patched .spec file (in case of problems).

> I built packages for f19 with _hardened_build, see
> http://users.linpro.no/ingvar/varnish/3.0.3/3.0.3-5
> 
> See attachment for result after adding _hardened_build. Is this sufficient?

Yes, it is sufficient.

Thanks!
Comment 6 Ingvar Hagelund 2013-05-16 02:34:34 EDT
Okay, I have built packages, and would like to add an update. Should I tag it as bugfix or security?

Ingvar
Comment 7 Dhiru Kholia 2013-05-16 02:52:09 EDT
Tagging it as "bugfix" is OK I think.
Comment 8 Fedora Update System 2013-05-16 07:07:59 EDT
varnish-3.0.3-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/varnish-3.0.3-5.fc17
Comment 9 Fedora Update System 2013-05-16 07:08:09 EDT
varnish-3.0.3-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/varnish-3.0.3-5.fc18
Comment 10 Fedora Update System 2013-05-16 07:09:23 EDT
varnish-3.0.3-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/varnish-3.0.3-5.fc19
Comment 11 Fedora Update System 2013-05-16 13:21:39 EDT
Package varnish-3.0.3-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing varnish-3.0.3-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8338/varnish-3.0.3-5.fc19
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2013-05-28 20:54:41 EDT
varnish-3.0.3-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-05-28 23:02:21 EDT
varnish-3.0.3-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-06-26 21:53:36 EDT
varnish-3.0.3-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.