On i386 systems, /usr/lib/libdv.so.4.0.1 is erroneously marked as requiring an
executable stack. This is because it uses several assembler source files that do
not contain a .note.GNU-stack section indicating that an executable stack is
unnecessary. As a result, any application which links to libdv.so.4 has an
executable stack. This is a security risk.
This can be fixed by either:
a) adding appropriate .note.GNU-stack sections to each assembler file
b) linking with the "-z noexecstack" option
c) running "execstack -c" on the final library
Attached is a patch to the .spec which implements option C.
Created attachment 110406 [details]
Patch against the RPM .spec to mark libdv as noexecstack
Ulrich Drepper said:
using the patch is not the best method
instead pass -Wa,--noexecstack to the compiler command line when compiling the
to bottom of each x86 asm file
Nicholas, thank you for your notification of this issue. It will be fixed in FC4.
<foo> once you made the changes, verify that readelf -l libdv.so |grep GNU_STACK
shows something like
<foo> 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8
<foo> note the RW at the end, not RWE
"execstack -q libdv.so" is easier, fwiw.
I've attached the patch that I submitted to upstream which does option A. It
won't apply unless you upgrade to something much more recent, but it's a start.
Created attachment 110408 [details]
Patch assembler source with .note.GNU-stack sections
Not yet able to upgrade to 0.104 due to Bug #147311. Meanwhile I have
applied the .section changes to the x86 .S files in 0.103.
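The check the thread relies on (readelf -l showing GNU_STACK with RW rather than RWE, or execstack -q printing "-" rather than "X") can be reproduced without either tool by reading the PT_GNU_STACK program header directly. The following is an added example written for this page; it is not part of the bug report, of the attached patches, or of libdv. It parses ELF32 and ELF64 program headers, reports the stack flags the way readelf renders them, and gives the one-character verdict execstack -q would give ("X" executable, "-" not executable, "?" no PT_GNU_STACK header). The ELF images it is run on are constructed in build_min_elf() purely as sample input; the script name in the usage line is hypothetical. The fix itself (the .section .note.GNU-stack,"",@progbits directive in each .S file, -Wa,--noexecstack, or -z noexecstack at link time) needs an assembler and linker and is not shown here, only the check that the fix worked.

```python
import struct

# ELF constants, as in <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # the program header readelf -l prints as GNU_STACK
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none.

    Honours EI_CLASS (ELF32/ELF64) and EI_DATA (byte order) from e_ident.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    end = "<" if data[5] == ELFDATA2LSB else ">"
    if data[4] == ELFCLASS32:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        phdr_fmt, type_idx, flags_idx = end + "8I", 0, 6
    elif data[4] == ELFCLASS64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        phdr_fmt, type_idx, flags_idx = end + "IIQQQQQQ", 0, 1
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def describe_flags(flags):
    """Render p_flags the way readelf -l does: RW is a safe stack, RWE an executable one."""
    return ("R" if flags & PF_R else "") + ("W" if flags & PF_W else "") + ("E" if flags & PF_X else "")


def execstack_q(data):
    """Mimic the one-character verdict of `execstack -q`:
    'X' executable stack, '-' non-executable, '?' no PT_GNU_STACK header at all.
    An object without the header gets the platform default, which on the i386
    systems this bug concerns was an executable stack, so '?' is a finding too.
    """
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"
    return "X" if flags & PF_X else "-"


def build_min_elf(bits, stack_flags=None):
    """Constructed sample input (not real libdv): a minimal little-endian ET_DYN
    image with one PT_LOAD and, if stack_flags is given, a PT_GNU_STACK carrying
    those flags. It exists only so the checker can be exercised offline."""
    if bits == 32:
        ehsize, phentsize, machine = 52, 32, 3       # EM_386
    else:
        ehsize, phentsize, machine = 64, 56, 62      # EM_X86_64
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = ELF_MAGIC + bytes([ELFCLASS32 if bits == 32 else ELFCLASS64,
                               ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type=ET_DYN(3), e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    if bits == 32:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, machine, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0x10) for t, f in phdrs)
    else:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, machine, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_gnu_stack.py /usr/lib/libdv.so.4.0.1
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        flags = gnu_stack_flags(data)
        shown = "no PT_GNU_STACK" if flags is None else describe_flags(flags)
        print(f"{path}: GNU_STACK {shown} (execstack -q would print {execstack_q(data)})")
```

The three outcomes map onto the thread: a library built from assembler files lacking the .note.GNU-stack section gets RWE here (execstack prints "X"); after any of the three fixes it gets RW ("-"); an object with no PT_GNU_STACK header at all is reported as "?" and should be treated as suspect, since on i386 the loader's default for it was an executable stack.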