Bug 1954049 - [34 Regression] libgcrypt-1.9.2-2.fc34.x86_64 lost CET protection
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libgcrypt
Version: 34
Hardware: x86_64
OS: Linux
medium
unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1954422
Reported: 2021-04-27 13:57 UTC by H.J. Lu
Modified: 2021-05-03 02:05 UTC

Fixed In Version: libgcrypt-1.9.3-2.fc34
Clone Of:
: 1954422 (view as bug list)
Environment:
Last Closed: 2021-05-03 02:05:36 UTC
Type: Bug
Embargoed:



Description H.J. Lu 2021-04-27 13:57:25 UTC
[root@gnu-tgl-1 hjl]# rpm -qf /lib64/libgcrypt.so.20     
libgcrypt-1.9.2-2.fc34.x86_64
[root@gnu-tgl-1 hjl]# readelf -n /lib64/libgcrypt.so.20 | grep feature
[root@gnu-tgl-1 hjl]# 

[hjl@gnu-efi-2 ~]$ rpm -qf /lib64/libgcrypt.so.20    
libgcrypt-1.8.7-1.fc33.x86_64
[hjl@gnu-efi-2 ~]$ readelf -n /lib64/libgcrypt.so.20 | grep feature 
	x86 feature: IBT, SHSTK
[hjl@gnu-efi-2 ~]$
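
The `x86 feature: IBT, SHSTK` line that `readelf -n` prints above is decoded from the `GNU_PROPERTY_X86_FEATURE_1_AND` property in the library's `.note.gnu.property` section. The following is an added example, not part of the original report or of libgcrypt: it parses the raw bytes of that section and lists which CET markers are missing. The helper names and the sample notes are constructed for illustration, and a little-endian ELF64 layout with 8-byte alignment is assumed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURES = {0x1: "IBT", 0x2: "SHSTK"}  # bits of the FEATURE_1_AND word

def align(n, a):
    return (n + a - 1) & ~(a - 1)

def x86_features(section, prop_align=8):
    """Return the CET feature names recorded in raw .note.gnu.property bytes."""
    found, off = [], 0
    while off + 12 <= len(section):
        # Note header: namesz, descsz, type, then the padded name and descriptor.
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_off = off + 12
        desc_off = align(name_off + namesz, prop_align)
        name = section[name_off:name_off + namesz]
        desc = section[desc_off:desc_off + descsz]
        off = align(desc_off + descsz, prop_align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        pos = 0
        while pos + 8 <= len(desc):
            # Property entry: pr_type, pr_datasz, then data padded to prop_align.
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            data = desc[pos + 8:pos + 8 + pr_datasz]
            pos += 8 + align(pr_datasz, prop_align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and len(data) >= 4:
                bits = struct.unpack_from("<I", data)[0]
                found += [n for b, n in FEATURES.items() if bits & b]
    return found

def missing_cet(section):
    """CET markers absent from the section; empty bytes mean no note at all."""
    have = x86_features(section)
    return [n for n in FEATURES.values() if n not in have]

def make_note(bits):
    """Constructed sample: one GNU property note carrying the given feature bits."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits) + b"\0" * 4
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop

if __name__ == "__main__":
    for label, sec in [("IBT+SHSTK note", make_note(3)), ("no note", b"")]:
        print(label, "-> missing:", missing_cet(sec) or "none")
```
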

Comment 1 Jakub Jelen 2021-04-27 14:11:24 UTC
Hi, do you have any hints about where these come from (compiler flags, configuration)?

Does it work with new 1.9.3 version?

https://bodhi.fedoraproject.org/updates/FEDORA-2021-54a91de592

Comment 2 Jakub Jelen 2021-04-27 14:31:22 UTC
OK, version 1.9.3 is not any better:

[root@fedora34 ~]# readelf -n /lib64/libgcrypt.so.20 | grep feature

Probably this?

https://src.fedoraproject.org/rpms/libgcrypt/c/8c18517a2519c8acbf705612db701c063990ff59

I read it as it is available in master already. Unfortunately, there is no better reference. Let me check.

Comment 3 H.J. Lu 2021-04-27 14:41:14 UTC
Let me take a look to fix it.

Comment 5 Jakub Jelen 2021-04-27 18:39:31 UTC
Thank you. I verified that the local build has the expected flags.

Did you submit the patch upstream already or should I do that?

Comment 6 H.J. Lu 2021-04-27 19:47:35 UTC
(In reply to Jakub Jelen from comment #5)
> Thank you. I verified that the local build has the expected flags.
> 
> Did you submit the patch upstream already or should I do that?

https://lists.gnupg.org/pipermail/gcrypt-devel/2021-April/005147.html

Comment 7 Fedora Update System 2021-04-28 08:12:30 UTC
FEDORA-2021-46873b3b46 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-46873b3b46

Comment 8 Fedora Update System 2021-04-29 01:03:54 UTC
FEDORA-2021-46873b3b46 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-46873b3b46`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-46873b3b46

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-05-03 02:05:36 UTC
FEDORA-2021-46873b3b46 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

