Created attachment 942034
Enable PIE (hardened build)

If possible, please accept this patch to enable PIE when compiling bash, see https://fedoraproject.org/wiki/Packaging:Guidelines#PIE for more info. Bash is long running (as root too), and can accept input from untrusted sources as we saw in the last few weeks - this answers three of the listed criteria for enabling PIE. Enabling PIE on bash would probably make us a tiny bit safer. If there's no reason *not* to enable PIE, patch is attached :)
My rationale for enabling this (apart from the criteria in the guidelines) is basically http://lcamtuf.blogspot.co.il/2014/09/bash-bug-apply-unofficial-patch-now.html (which is CVE-2014-6277). While we're probably safe from that (according to https://access.redhat.com/security/cve/CVE-2014-6277), there's still a possibility that more unknown bugs exist in bash with a similar effect. Enabling PIE is obviously not a magic solution for all vulnerabilities, but it might make us a bit safer (and make a potential attacker's life harder) against a certain class of them. I don't see a reason not to enable PIE on bash, I've been running with it since Sunday with no visible side-effects.
This seems like a sensible hardening defense. If performance on i686 is problematic, a possible intermediate step is to enable it on x86_64 only.

Information on how to reproduce and confirm that the issue is fixed:

Steps to Reproduce:
1. yum install checksec
2. checksec --file /usr/bin/bash

Actual results:
$ checksec --file /usr/bin/bash
RELRO           STACK CANARY   NX           PIE      RPATH      RUNPATH      FILE
Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   /usr/bin/bash

Expected results:
PIE should be enabled. Full RELRO should be present.

Additional info:
For more resources and discussion of PIE in general, see:
https://fedorahosted.org/fesco/ticket/1104
https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html
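The checksec "PIE" column above boils down to one field of the ELF header: a PIE executable is linked as ET_DYN, a fixed-address one as ET_EXEC. The following is an added example, not part of the bug report or of checksec, that reads that field with only od and tr so the check works on a minimal system where checksec is not installed; it assumes a POSIX shell and an ELF file as input.

```shell
# elf_type FILE: print the ELF e_type (REL, EXEC, DYN, CORE or UNKNOWN).
# e_type is the 2-byte field at offset 16; EI_DATA (byte 5) gives its
# byte order. Prints NOTELF and fails when the magic bytes are missing.
elf_type() {
    file="$1"
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOTELF; return 1; }
    data=$(od -An -tx1 -j5 -N1 "$file" | tr -d ' \n')   # 01 = LE, 02 = BE
    raw=$(od -An -tx1 -j16 -N2 "$file" | tr -d ' \n')   # two hex bytes
    lo=${raw%??}
    hi=${raw#??}
    if [ "$data" = "02" ]; then type="$lo$hi"; else type="$hi$lo"; fi
    case "$type" in
        0001) echo REL ;;
        0002) echo EXEC ;;
        0003) echo DYN ;;
        0004) echo CORE ;;
        *)    echo UNKNOWN ;;
    esac
}

# is_pie FILE: exit 0 when the executable is position independent.
# Shared libraries are also ET_DYN, so only apply this to executables
# (the same caveat applies to the PIE column of checksec).
is_pie() {
    [ "$(elf_type "$1")" = "DYN" ]
}

# Stand-alone usage: report the binary discussed in this bug.
if [ -r /usr/bin/bash ]; then
    if is_pie /usr/bin/bash; then echo "/usr/bin/bash: PIE"; else echo "/usr/bin/bash: No PIE"; fi
fi
```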
Hi, I'm sorry for my MASSIVE response time. I've applied your patch Elad, bash should build with PIE from F22 onwards.