On i386 systems, /usr/lib/libdv.so.4.0.1 is erroneously marked as requiring an executable stack. This is because it uses several assembler source files that do not contain a .note.GNU-stack section indicating that an executable stack is unnecessary. As a result, any application which links to libdv.so.4 has an executable stack. This is a security risk.

This can be fixed by either:
a) adding appropriate .note.GNU-stack sections to each assembler file,
b) linking with the "-z noexecstack" option, or
c) running "execstack -c" on the final library.

Attached is a patch to the .spec which implements option C.
Created attachment 110406: Patch against the RPM .spec to mark libdv as noexecstack
Ulrich Drepper said: using the patch is not the best method. Instead, pass -Wa,--noexecstack on the compiler command line when compiling the asm files. Alternatively, add .section .note.GNU-stack,"",@progbits to the bottom of each x86 asm file.

Nicholas, thank you for your notification of this issue. It will be fixed in FC4 soon.
Test Procedure
--------------
<foo> once you have made the changes, verify that readelf -l libdv.so |grep GNU_STACK shows something like
<foo> 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8
<foo> note the RW at the end, not RWE
"execstack -q libdv.so" is easier, fwiw. I've attached the patch that I submitted to upstream which does option A. It won't apply unless you upgrade to something much more recent, but it's a start.
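The two checks quoted above (readelf -l ... | grep GNU_STACK and execstack -q) both read the same thing: the p_flags of the PT_GNU_STACK program header. The script below is an added example, not code from this bug or from libdv, that walks the ELF program headers itself and reports the stack flags the way readelf prints them, so the check can be scripted without either tool. The ELF images it tests against are constructed in memory (minimal ELF32 i386 headers with one PT_LOAD entry and, optionally, a PT_GNU_STACK entry); they are not loadable and are not real libdv builds. The constants PT_GNU_STACK, PF_R/PF_W/PF_X and the header layouts are the standard ELF values. Point it at a real file to check an installed library.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # standard value from the ELF/GNU ABI
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the header is absent.

    None is the case the libdv bug produces: when any input object lacks a
    .note.GNU-stack section the linker either omits the header or emits it
    with PF_X set, and the loader then gives the process an executable stack.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"             # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 1:                              # ELFCLASS32 (i386)
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt = end + "IIIIIIII"                  # p_type ... p_memsz, p_flags, p_align
        flags_idx = 6
    elif ei_class == 2:                            # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt = end + "IIQQQQQQ"                  # p_type, p_flags, p_offset ...
        flags_idx = 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def describe(flags):
    """Render flags the way readelf -l prints the Flg column ("RW" vs "RWE")."""
    if flags is None:
        return "no PT_GNU_STACK header"
    return ("R" if flags & PF_R else "") + ("W" if flags & PF_W else "") + \
           ("E" if flags & PF_X else "")


def stack_is_executable(flags):
    """True when the loader will map the stack executable: PF_X set or header missing."""
    return flags is None or bool(flags & PF_X)


def build_elf32(stack_flags=None):
    """Constructed test input: a minimal little-endian ELF32 i386 ET_DYN image.

    It carries one PT_LOAD header and, when stack_flags is given, a
    PT_GNU_STACK header with those flags. Only the header walk above is
    meaningful; the image has no code and cannot be loaded.
    """
    phdrs = [(1, 0, 0, 0, 0, 0, PF_R | PF_X, 0x1000)]            # PT_LOAD
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4))
    ehdr = struct.pack(
        "<4sBBBBB7sHHIIIIIHHHHHH",
        b"\x7fELF", 1, 1, 1, 0, 0, b"\0" * 7,   # e_ident: class32, LSB, version 1
        3, 3, 1, 0, 52, 0, 0,                   # ET_DYN, EM_386, e_version, e_entry, e_phoff, e_shoff, e_flags
        52, 32, len(phdrs), 0, 0, 0)            # e_ehsize, e_phentsize, e_phnum, shentsize, shnum, shstrndx
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


def check_file(path):
    """Return (flags, executable?) for an on-disk ELF, e.g. /usr/lib/libdv.so.4."""
    with open(path, "rb") as f:
        flags = gnu_stack_flags(f.read())
    return flags, stack_is_executable(flags)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        flags, execstack = check_file(sys.argv[1])
        print("%s: GNU_STACK %s -> %s" % (sys.argv[1], describe(flags),
              "EXECUTABLE stack" if execstack else "non-executable stack"))
    else:
        # Demonstrate on the constructed images: missing header, RWE, and the fixed RW.
        for name, img in (("missing", build_elf32(None)),
                          ("broken", build_elf32(PF_R | PF_W | PF_X)),
                          ("fixed", build_elf32(PF_R | PF_W))):
            fl = gnu_stack_flags(img)
            print("%-8s %-22s executable=%s" % (name, describe(fl), stack_is_executable(fl)))
```

A library passes only when describe() gives "RW": a missing header is as bad as "RWE" for this purpose, which is why the script treats both as executable rather than only looking for the E flag.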
Created attachment 110408: Patch assembler source with .note.GNU-stack sections
Not yet able to upgrade to 0.104 due to Bug #147311. Meanwhile I have applied the .section changes to the x86 .S files in 0.103.