Bug 972967

Summary: Build up-imapproxy with PIE support
Product: [Fedora] Fedora
Component: up-imapproxy
Version: 18
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Harald Reindl <h.reindl>
Assignee: Chris Adams <linux>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: manuel.wolfshant, rakesh.pandit, rpm
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-08 04:20:23 UTC
Attachments: my personal spec-file attached (flags: none)

Description Harald Reindl 2013-06-10 23:43:51 UTC
network-services must be hardened builds

[root@testserver:~]$ hardening-check /usr/sbin/in.imapproxyd
/usr/sbin/in.imapproxyd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Comment 1 Harald Reindl 2013-07-13 10:00:36 UTC
can someone explain why there is no feedback and http://fedoraproject.org/wiki/Packaging:Guidelines is ignored?

"MUST enable" is pretty clear and no opt-in
the "Partial RELRO" should also be "FULL RELRO" 
http://www.exploit-db.com/papers/13203/

> If your package meets any of the following criteria you MUST enable 
> the PIE compiler flags:
> Your package is long running. This means it's likely 
> to be started and keep running until the machine is rebooted, 
> not start on demand and quit on idle

[root@testserver:~]$ checksec --file /usr/sbin/in.imapproxyd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/in.imapproxyd
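
How the PIE, RELRO and immediate-binding results in the tool output above can be read from the ELF headers, as an added example that is not part of the original bug report and is not the code of hardening-check or checksec. It assumes a 64-bit little-endian ELF; the function name `elf_hardening` is hypothetical, and the DT_DEBUG test used to tell a PIE executable from a plain shared object is a heuristic.

```python
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def elf_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / immediate binding for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro, dyn_tags = False, {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_GNU_RELRO:
            relro = True  # the linker marked a region read-only after relocation
        elif p_type == PT_DYNAMIC:
            # Walk the (tag, value) pairs until DT_NULL or the end of the segment.
            for pos in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val

    # Immediate binding (-z now) can be recorded in any of three places.
    bind_now = (DT_BIND_NOW in dyn_tags
                or bool(dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if e_type == ET_DYN:
        # Heuristic (assumption): executables carry DT_DEBUG, plain shared objects do not.
        pie = "yes" if DT_DEBUG in dyn_tags else "shared object"
    else:
        pie = "no"  # ET_EXEC: fixed load address, as reported for in.imapproxyd
    # Full RELRO = PT_GNU_RELRO plus immediate binding, so the GOT is read-only too.
    relro_level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"pie": pie, "relro": relro_level, "bind_now": bind_now}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(elf_hardening(fh.read()))
```
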

Comment 2 Tim Jackson 2013-07-31 07:19:52 UTC
Harald, thank you for your report and your assistance in making Fedora better.
Clearly this package is important to you, so if the primary maintainer is not being as responsive as you would be able to be, please consider offering to take over or co-maintain the package.

I am not the maintainer of the up-imapproxy branch in Fedora, however this is interesting to me as the maintainer of the EPEL5 branch too. It seems from your comment that was posted in bug #465859 that you have built packages that fix this and other issues. Please elaborate, for example by posting a working spec file. I just tried very briefly to build with _hardened_build on F17 (yes, need to try on a newer version) but got:

gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'

Comment 3 Harald Reindl 2013-07-31 09:41:01 UTC
Created attachment 781033
my personal spec-file attached

Sorry, but I have no free time to deal with the Fedora build systems and package guidelines, and my personal builds of any server software we use do not ship any configurations, for good reasons.

Comment 4 Fedora Admin XMLRPC Client 2013-08-08 03:00:51 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Chris Adams 2013-08-08 04:20:23 UTC

*** This bug has been marked as a duplicate of bug 955448 ***