Bug 983619

Summary: kdm must be a hardened build
Product: [Fedora] Fedora Reporter: Harald Reindl <h.reindl>
Component: kde-workspaceAssignee: Martin Bříza <mbriza>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dvratil, extras-orphan, jgrulich, jreznik, kevin, ltinkl, mbriza, rdieter, rnovacek, ry, smparrish, than
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-16 13:16:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Harald Reindl 2013-07-11 14:42:00 UTC 
checksec:
kdm   1968 Partial RELRO     Canary found           NX enabled    No PIE 

* no "FULL RELRO"
* no PIE

kdm is a long-living process running even as root
______________________________________

If your package meets any of the following criteria you MUST enable the PIE compiler flags:

    Your package is long running. This means it's likely to be started and keep running until the machine is rebooted, not start on demand and quit on idle. 

    Your package has suid binaries, or binaries with capabilities. 

    Your package runs as root. 

If your package meets the following criteria you should consider enabling the PIE compiler flags:

    Your package accepts/processes untrusted input.
Comment 1 Martin Bříza 2013-08-05 11:40:45 UTC 
Included in F18/F19 commit b4210dfc and Rawhide commit 278f1e8c.
Comment 2 Harald Reindl 2013-08-07 15:29:05 UTC 
confirmed with "checksec --proc-all" and kdm-4.10.5-5.fc18.x86_64

kdm    302 Full RELRO        Canary found           NX enabled    PIE enabled
Comment 3 Martin Bříza 2013-10-16 13:16:15 UTC 
Fixed in Fedora kde-workspace git with commit e89a669ed2e553fbb572dac5677a577b5e1ed205 and kdm in versions newer than 4.10.97-3 is hardened.