Bug 955458

Summary: racoon2 package should be built with PIE flags
Product: [Fedora] Fedora
Reporter: Dhiru Kholia <dkholia>
Component: racoon2
Assignee: Pavel Šimerda (pavlix) <psimerda>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bressers, dhiru, psimerda
Hardware: Unspecified
OS: Unspecified
Fixed In Version: racoon2-20100526a-28.fc19
Doc Type: Bug Fix
Last Closed: 2014-04-02 09:25:57 UTC
Bug Depends On: 914426

Attachments (description, flags):
this should enable PIE (flags: none)
this should fix the build (flags: none)

Description Dhiru Kholia 2013-04-23 05:31:48 UTC
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently racoon2 is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

racoon2-20100526a-18.fc18.x86_64.rpm

How reproducible:

You can use the following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py racoon2-20100526a-18.fc18.x86_64.rpm
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-iked,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-spmd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-spmdctl,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
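
What the PIE, NX and RELRO columns in the output above correspond to inside an ELF file, as an added example that is not part of the original report and is not scanner.py's or rpm-chksec's code. The function name `hardening`, the helper `make_elf` and the two sample images are assumptions constructed here; only little-endian ELF64 is handled.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
EHDR, PHDR = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"  # ELF64 little-endian layouts

def hardening(elf):
    """PIE/NX/RELRO of an ELF64-LE image; PIE (ET_DYN + PT_INTERP) is a heuristic."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    types = {p[0] for p in phdrs}
    bind_now = False  # set by DT_BIND_NOW, DF_BIND_NOW (0x8) or DF_1_NOW (0x1)
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<QQ", elf, off)
            if tag == 0:  # DT_NULL ends the dynamic array
                break
            bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and (val & 8) != 0)
                         or (tag == DT_FLAGS_1 and (val & 1) != 0))
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    return {
        "PIE": "Enabled" if e_type == ET_DYN and PT_INTERP in types else "Disabled",
        "NX": "Enabled" if stack and not stack[0][1] & 1 else "Disabled",  # PF_X
        "RELRO": "Disabled" if PT_GNU_RELRO not in types
                 else "Full" if bind_now else "Partial",
    }

def make_elf(e_type, segments, dyn=()):
    """Constructed sample: ELF64 header, program headers, optional dynamic array."""
    n = len(segments) + (1 if dyn else 0)
    dyn_bytes = b"".join(struct.pack("<QQ", t, v) for t, v in dyn) + bytes(16 if dyn else 0)
    ph = [(t, flags, 0, 0, 0, 0, 0, 0) for t, flags in segments]
    if dyn:
        ph.append((PT_DYNAMIC, 6, 64 + 56 * n, 0, 0, len(dyn_bytes), 0, 8))
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
    return hdr + b"".join(struct.pack(PHDR, *p) for p in ph) + dyn_bytes

SEGS = [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)]
NON_PIE = make_elf(ET_EXEC, SEGS)                   # same flags as the report
HARDENED = make_elf(ET_DYN, SEGS, [(DT_FLAGS, 8)])  # PIE plus BIND_NOW
```

On a real binary, pass the file's bytes, for example `hardening(open(path, "rb").read())`.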

Comment 1 Dhiru Kholia 2013-05-15 13:21:33 UTC
Created attachment 748293
this should enable PIE

Comment 2 Dhiru Kholia 2013-05-15 13:22:05 UTC
Created attachment 748294
this should fix the build

Comment 3 Dhiru Kholia 2013-05-15 13:23:12 UTC
Pavel,

The attached patches should fix the build (which is currently failing) and enable PIE.

Please test them. Thanks!

Comment 4 Dhiru Kholia 2013-06-03 06:09:33 UTC
Hi,

Is there any progress on this?

Does the attached modified .spec file work?

Comment 5 Pavel Šimerda (pavlix) 2014-01-07 13:54:53 UTC
This should wait until racoon2 actually builds on recent Fedora systems, see bug #914426.

Comment 6 Pavel Šimerda (pavlix) 2014-02-17 17:22:00 UTC
Hardened build won't work for me without further tweaking:

gcc -o spmd -g -Wall -DSPMD_DEBUG -I../lib  -DHAVE_CONFIG_H -DRACOON2_CONFIG_DIR=\"/etc/racoon2\" main.o dns.o udp.o query.o task.o signal.o shell.o utils.o cache.o spmd_pfkey.o fqdn_query.o -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L../lib -lcrypto -lracoon -lcrypto 
/bin/ld: spmdctl.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
spmdctl.o: could not read symbols: Bad value
/bin/ld: main.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
main.o: could not read symbols: Bad value
c

Suggestions welcome.

Comment 7 Pavel Šimerda (pavlix) 2014-02-19 08:26:37 UTC
Works for me now, fixed in rawhide.

Comment 8 Fedora Update System 2014-03-07 11:02:05 UTC
racoon2-20100526a-27.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/racoon2-20100526a-27.fc19

Comment 9 Fedora Update System 2014-03-08 03:36:33 UTC
Package racoon2-20100526a-27.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing racoon2-20100526a-27.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3616/racoon2-20100526a-27.fc19
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-03-15 15:12:16 UTC
Package racoon2-20100526a-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing racoon2-20100526a-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3616/racoon2-20100526a-28.fc19
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2014-04-02 09:25:57 UTC
racoon2-20100526a-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.