1283307 – icecat provides one library without stack protection

Bug 1283307 - icecat provides one library without stack protection

Summary: icecat provides one library without stack protection

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	icecat
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Antonio T. (sagitter)
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	harden-failure
TreeView+	depends on / blocked

Reported:	2015-11-18 16:41 UTC by Antonio T. (sagitter)
Modified:	2015-12-22 22:05 UTC (History)
CC List:	1 user (show)
Fixed In Version:	icecat-38.4.0-3.fc22 icecat-38.4.0-3.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-12-22 07:23:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Antonio T. (sagitter) 2015-11-18 16:41:29 UTC

Description of problem:
icecat has been rebuilt with all flags for "hardened build".

/usr/lib64/icecat-%version/libmozalloc.so
/usr/lib/icecat-%version/libmozalloc.so

are without stack protection:

# checksec --dir /usr/lib64/icecat-38.4.0
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat-bin
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libmozalloc.so
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libxul.so
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/plugin-container
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/updater
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/webapprt-stub


Expected results:
All libraries should provide a 'Canary stack'.

Comment 1 Moez Roy 2015-12-08 21:47:59 UTC

What happens when it is compiled with --fstack-protector-all instead of --fstack-protector-strong? Do you get a canary?

Comment 2 Antonio T. (sagitter) 2015-12-10 10:25:39 UTC

(In reply to Moez Roy from comment #1)
> What happens when it is compiled with --fstack-protector-all instead of
> --fstack-protector-strong? Do you get a canary?

'-fstack-protector-all' seems activate 'canary' in libmozalloc.so: https://koji.fedoraproject.org/koji/taskinfo?taskID=12130939

Comment 3 Fedora Update System 2015-12-12 11:52:35 UTC

icecat-38.4.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba

Comment 4 Fedora Update System 2015-12-12 11:52:35 UTC

icecat-38.4.0-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567

Comment 5 Fedora Update System 2015-12-13 05:54:09 UTC

icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567

Comment 6 Fedora Update System 2015-12-13 17:22:09 UTC

icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba

Comment 7 Fedora Update System 2015-12-22 07:23:05 UTC

icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-12-22 22:05:03 UTC

icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.