1283951 – no hardening build on F23

Bug 1283951 - no hardening build on F23

Summary: no hardening build on F23

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xorg-x11-server
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	X/OpenGL Maintenance List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-20 11:28 UTC by Harald Reindl
Modified:	2015-11-20 11:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-20 11:37:17 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Harald Reindl 2015-11-20 11:28:52 UTC

https://fedoraproject.org/wiki/Changes/Harden_All_Packages

Xorg  32117 Partial RELRO     Canary found           NX enabled    No PIE

since it is long running and runs mostly as root even before F23 the packaging guidelines where pretty clear that the package MUST be hardened

Comment 1 Hans de Goede 2015-11-20 11:37:17 UTC

<sigh> If you would have taken 10 seconds of your time to look at:

http://pkgs.fedoraproject.org/cgit/xorg-x11-server.git/tree/xorg-x11-server.spec

You would have seen the following there:

# X.org requires lazy relocations to work.
%undefine _hardened_build

Due to way how xorg loads video and input drivers (and other modules) It can NOT be build hardened. 

Fixing this is very hard, and would break compatiblity with e.g. the nvidia binary driver.

Comment 2 Harald Reindl 2015-11-20 11:38:08 UTC

FULL RELRO is one topic
PIE is a completly different one

Note You need to log in before you can comment on or make changes to this bug.