Red Hat Bugzilla – Bug 107002
Exec-stackable glibc does not depend on Exec-stackable kernel
Last modified: 2016-11-24 10:16:47 EST
Today a glibc that depends on an exec-stackable kernel leaked in Rawhide. The problem is this package does not depend on a kernel package that is exec-stack enabled. As a result a package manager will update the system and glibc without updating the kernel (most package managers do not update kernels automatically by default since this is deemed a dangerous operation). After the operation most apps wont execute anymore since they need the kernel facilities and the kernel was not updated. This includes rpm (in beecrypt). You can not even download the latest rawhide kernel and install with rpm to fix the mess. Game over.
But it does not depend on kernel with exec-shield. It depends on either kernel without exec-shield, or with non-buggy exec-shield support. Furthermore, dependencies on running kernel (as opposed to installed) are not expressible in rpm. To my knowledge, the buggy kernels (with non-executable stack, but without MAYEXEC flag on it, such that it cannot be made executable) have never been released in any final distro by us; beta testing includes such risks. You should be able to workaround this by disabling exec-shield (echo 0 > /proc/sys/kernel/exec-shield), upgrading kernel and rebooting.
Ok, fair enough.