Bug 1281830 - Harden all packages: deltarpm should ship position-independent executables
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: deltarpm (Show other bugs)
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Jonathan Dieter
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-13 09:33 EST by Christian Stadelmann
Modified: 2015-11-17 06:57 EST

Fixed In Version: deltarpm-3.6-13.fc23
Doc Type: Bug Fix
Last Closed: 2015-11-17 06:57:57 EST
Type: Bug

Attachments: None
Description Christian Stadelmann 2015-11-13 09:33:10 EST
Description of problem:
According to https://fedoraproject.org/wiki/Changes/Harden_All_Packages all binary executables should be position-independent. deltarpm doesn't do so:

$ checksec --file /usr/bin/applydeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/applydeltarpm

$ checksec --file /usr/bin/combinedeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/combinedeltarpm

$ checksec --file /usr/bin/makedeltarpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/makedeltarpm

$ checksec --file /usr/bin/rpmdumpheader
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/rpmdumpheader

Version-Release number of selected component (if applicable):
deltarpm-3.6-11.fc23.x86_64
Comment 1 Fedora Update System 2015-11-14 15:53:16 EST
deltarpm-3.6-13.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0745c3f7a7
Comment 2 Fedora Update System 2015-11-15 00:25:17 EST
deltarpm-3.6-13.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update deltarpm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0745c3f7a7
Comment 3 Christian Stadelmann 2015-11-15 05:25:15 EST
The rpmdumpheader executable doesn't have a stack canary enabled:

$ checksec --file /usr/bin/rpmdumpheader
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/rpmdumpheader

Is this intended?
Comment 4 Jonathan Dieter 2015-11-15 07:33:36 EST
Um, no.  Let me investigate.
Comment 5 Jonathan Dieter 2015-11-15 07:59:45 EST
Ok, I've investigated and we're doing exactly the same thing when generating rpmdumpheader as we are for all the other binaries.

According to http://stackoverflow.com/questions/24465014/gcc-generate-canary-or-not, gcc uses a heuristic when deciding whether or not to use a canary, and rpmdumpheader has one single function in it, main.  My guess is that rpmdumpheader doesn't fit into the heuristic, thus no stack canary is generated.

I'm not at all an expert when it comes to this, so feel free to correct me if I'm wrong.
Comment 6 Christian Stadelmann 2015-11-15 08:05:29 EST
I guess you are right about that. I'm no expert on it either.

Since rpmdumpheader has just a single function it might not have "enough stack" to make stack canary useful. Sorry for the noise.
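The checksec columns quoted in this report are all read from the ELF file itself. The following is an added example, not code from this bug or from the deltarpm project: a minimal checksec-style inspector for 64-bit ELF files that shows where PIE (ET_DYN), NX (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO plus BIND_NOW for "full") and the canary verdict come from. The canary column is just the presence of a `__stack_chk_fail` import, which is why a binary in which gcc's heuristic protected no function at all, like rpmdumpheader above, reports "No canary found". It assumes Linux with glibc's `<elf.h>` and a binary whose section headers have not been removed.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct hardening { int pie, nx, relro, bind_now, canary; };
/* Read `size` bytes at file offset `off`; NUL-terminated so string tables are safe. NULL on failure. */
static void *read_at(FILE *f, Elf64_Off off, Elf64_Xword size) {
    char *buf = malloc(size + 1);
    if (buf && fseek(f, (long)off, SEEK_SET) == 0 && fread(buf, 1, size, f) == size) { buf[size] = 0; return buf; }
    free(buf); return NULL;
}
/* Fills h from the ELF at path; returns 0 on success, -1 if it is not a readable 64-bit ELF. */
int inspect_elf(const char *path, struct hardening *h) {
    FILE *f = fopen(path, "rb"); Elf64_Ehdr eh;
    if (!f) return -1;
    if (fread(&eh, sizeof eh, 1, f) != 1 || memcmp(eh.e_ident, ELFMAG, SELFMAG) ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) { fclose(f); return -1; }
    *h = (struct hardening){0}; h->pie = eh.e_type == ET_DYN; /* a PIE executable is linked as ET_DYN */
    Elf64_Phdr *ph = read_at(f, eh.e_phoff, (Elf64_Xword)eh.e_phnum * sizeof(Elf64_Phdr));
    Elf64_Shdr *sh = read_at(f, eh.e_shoff, (Elf64_Xword)eh.e_shnum * sizeof(Elf64_Shdr));
    for (int i = 0; ph && i < eh.e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_STACK) h->nx = !(ph[i].p_flags & PF_X); /* NX: stack segment lacks PF_X */
        if (ph[i].p_type == PT_GNU_RELRO) h->relro = 1;                   /* at least partial RELRO */
    }
    for (int i = 0; sh && i < eh.e_shnum; i++) {
        if (sh[i].sh_type == SHT_DYNAMIC) { /* BIND_NOW in DT_FLAGS/DT_FLAGS_1 turns partial RELRO into full */
            Elf64_Dyn *d = read_at(f, sh[i].sh_offset, sh[i].sh_size);
            for (size_t j = 0; d && j < sh[i].sh_size / sizeof *d && d[j].d_tag != DT_NULL; j++)
                if ((d[j].d_tag == DT_FLAGS && (d[j].d_un.d_val & DF_BIND_NOW)) ||
                    (d[j].d_tag == DT_FLAGS_1 && (d[j].d_un.d_val & DF_1_NOW))) h->bind_now = 1;
            free(d);
        } else if (sh[i].sh_type == SHT_DYNSYM && sh[i].sh_link < eh.e_shnum) {
            /* A canary-protected function calls __stack_chk_fail; if gcc protected no function, nothing is imported. */
            Elf64_Shdr *st = &sh[sh[i].sh_link];
            Elf64_Sym *sym = read_at(f, sh[i].sh_offset, sh[i].sh_size);
            char *str = read_at(f, st->sh_offset, st->sh_size);
            for (size_t j = 0; sym && str && j < sh[i].sh_size / sizeof *sym; j++)
                if (sym[j].st_name < st->sh_size && !strcmp(str + sym[j].st_name, "__stack_chk_fail")) h->canary = 1;
            free(sym); free(str);
        }
    }
    free(ph); free(sh); fclose(f);
    return 0;
}
int main(int argc, char **argv) {   /* usage: ./inspect /usr/bin/applydeltarpm */
    struct hardening h;
    if (argc < 2 || inspect_elf(argv[1], &h) != 0) { fprintf(stderr, "usage: %s <64-bit ELF>\n", argv[0]); return 1; }
    printf("RELRO=%s NX=%d PIE=%d canary=%d\n", h.relro && h.bind_now ? "full" : h.relro ? "partial" : "none", h.nx, h.pie, h.canary);
    return 0;
}
```

Pointing it at the four deltarpm binaries reproduces the checksec verdicts above, and running it on a binary built with `-fstack-protector-strong` that has no array-holding function shows the canary column turning on "No" for the same reason as rpmdumpheader.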
Comment 7 Fedora Update System 2015-11-17 06:57:55 EST
deltarpm-3.6-13.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
