Bug 1283307 - icecat provides one library without stack protection
icecat provides one library without stack protection
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: icecat (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Antonio Trande
Fedora Extras Quality Assurance
:
Depends On:
Blocks: harden-failure
  Show dependency treegraph
 
Reported: 2015-11-18 11:41 EST by Antonio Trande
Modified: 2015-12-22 17:05 EST (History)
1 user (show)

See Also:
Fixed In Version: icecat-38.4.0-3.fc22 icecat-38.4.0-3.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-22 02:23:07 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Antonio Trande 2015-11-18 11:41:29 EST
Description of problem:
icecat has been rebuilt with all flags for "hardened build".

/usr/lib64/icecat-%version/libmozalloc.so
/usr/lib/icecat-%version/libmozalloc.so

are without stack protection:

# checksec --dir /usr/lib64/icecat-38.4.0
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/icecat-bin
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libmozalloc.so
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/libxul.so
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/plugin-container
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/updater
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/icecat-38.4.0/webapprt-stub


Expected results:
All libraries should provide a 'Canary stack'.
Comment 1 Moez Roy 2015-12-08 16:47:59 EST
What happens when it is compiled with --fstack-protector-all instead of --fstack-protector-strong? Do you get a canary?
Comment 2 Antonio Trande 2015-12-10 05:25:39 EST
(In reply to Moez Roy from comment #1)
> What happens when it is compiled with --fstack-protector-all instead of
> --fstack-protector-strong? Do you get a canary?

'-fstack-protector-all' seems activate 'canary' in libmozalloc.so: https://koji.fedoraproject.org/koji/taskinfo?taskID=12130939
Comment 3 Fedora Update System 2015-12-12 06:52:35 EST
icecat-38.4.0-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba
Comment 4 Fedora Update System 2015-12-12 06:52:35 EST
icecat-38.4.0-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567
Comment 5 Fedora Update System 2015-12-13 00:54:09 EST
icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-2277bad567
Comment 6 Fedora Update System 2015-12-13 12:22:09 EST
icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update icecat'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-028d64a3ba
Comment 7 Fedora Update System 2015-12-22 02:23:05 EST
icecat-38.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-12-22 17:05:03 EST
icecat-38.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.