Bug 1051342 - no hardening build
Summary: no hardening build
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qbittorrent
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: leigh scott
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-10 05:43 UTC by Harald Reindl
Modified: 2014-01-28 04:40 UTC (History)

Fixed In Version: qbittorrent-3.1.5-3.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-12 05:07:13 UTC
Type: Bug
Embargoed:



Description Harald Reindl 2014-01-10 05:43:58 UTC
https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE

If your package meets any of the following criteria you MUST enable the PIE compiler flags:
 * Your package is long running
 * Your package runs as root

/usr/bin/qbittorrent-nox:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Comment 1 leigh scott 2014-01-10 09:22:41 UTC
Did you file a similar bug report against rb_libtorrent, as qbittorrent is only a front-end?

Comment 2 Harald Reindl 2014-01-10 09:33:48 UTC
no - shared libraries are position independent by definition, the frontend needs to be fixed, not the so-library

/usr/lib64/libtorrent-rasterbar.so.7.0.0:
 Position Independent Executable: no, regular shared library (ignored)

Comment 3 Fedora Update System 2014-01-10 09:50:52 UTC
qbittorrent-3.1.4-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/qbittorrent-3.1.4-2.fc20

Comment 4 Fedora Update System 2014-01-10 09:51:00 UTC
qbittorrent-3.1.4-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/qbittorrent-3.1.4-2.fc19

Comment 5 Harald Reindl 2014-01-10 16:06:30 UTC
qbittorrent-nox-3.1.4-3.fc20.x86_64 looks better

export LDFLAGS="-Wl,-z,now -Wl,-z,relro"
would also change "Immediate binding" aka "Full RELRO"

https://fedorahosted.org/fesco/ticket/563
http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

[root@srv-rhsoft:~]$ hardening-check /usr/bin/qbittorrent-nox
/usr/bin/qbittorrent-nox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
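
Added example, not part of the bug thread or of hardening-check: a shell function that reads the text printed by `readelf -W -h -l -d FILE` and separates the cases discussed in this report (non-PIE, PIE with `-z relro` only, PIE with `-z relro -z now`). The function names, the PHDR-based PIE heuristic and the sample readelf lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify PIE and RELRO level from
# the text printed by `readelf -W -h -l -d FILE`, read on stdin.
elf_hardening() {
    out=$(cat); pie=no; relro=none
    # ET_DYN with a PHDR segment is treated as a PIE, ET_DYN without one as
    # a shared library (heuristic, assumed here).
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'; then
        if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*PHDR[[:space:]]'; then
            pie=yes
        else
            pie=shared-lib
        fi
    fi
    # PT_GNU_RELRO comes from -z relro (partial RELRO). DT_BIND_NOW,
    # DF_BIND_NOW or DF_1_NOW comes from -z now and upgrades it to full RELRO.
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]*GNU_RELRO[[:space:]]'; then
        relro=partial
        if printf '%s\n' "$out" |
            grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro=full
        fi
    fi
    echo "pie=$pie relro=$relro"
}

# Constructed readelf-style input: $1 = ELF type, $2 = optional dynamic entry.
sample() {
    printf '  Type:                              %s\n' "$1"
    printf '  PHDR           0x000040 0x0000000000000040 0x0001f8 R   0x8\n'
    printf '  GNU_RELRO      0x002de8 0x0000000000202de8 0x000218 R   0x1\n'
    printf ' 0x0000000000000001 (NEEDED)  Shared library: [libtorrent-rasterbar.so.7]\n'
    if [ -n "$2" ]; then printf ' %s\n' "$2"; fi
}

echo "non-PIE, -z relro only:  $(sample 'EXEC (Executable file)' '' | elf_hardening)"
echo "PIE, -z relro only:      $(sample 'DYN (Shared object file)' '' | elf_hardening)"
echo "PIE, -z relro -z now:    $(sample 'DYN (Shared object file)' '0x0000000000000018 (BIND_NOW)' | elf_hardening)"
```

On an installed binary the same function is fed with `readelf -W -h -l -d /usr/bin/qbittorrent-nox | elf_hardening`.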

Comment 6 Fedora Update System 2014-01-11 08:48:48 UTC
Package qbittorrent-3.1.4-4.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qbittorrent-3.1.4-4.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0661/qbittorrent-3.1.4-4.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-01-12 05:07:13 UTC
qbittorrent-3.1.4-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-01-28 04:40:32 UTC
qbittorrent-3.1.5-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

