Bug 428096 - [RFE] rpmlint should warn about execstack in ELF files
Summary: [RFE] rpmlint should warn about execstack in ELF files
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-09 07:26 UTC by Kevin Kofler
Modified: 2008-06-26 08:30 UTC (History)
1 user (show)

Fixed In Version: 0.83-1.fc9
Clone Of:
Environment:
Last Closed: 2008-06-26 08:30:02 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Kevin Kofler 2008-01-09 07:26:34 UTC
Description of problem:
rpmlint should warn about ELF files which have the executable flag set in 
their GNU_STACK note. According to:
http://packages.debian.org/changelogs/pool/main/q/qimageblitz/qimageblitz_0.0.706674-2/changelog
Debian's lintian can catch this, and if rpmlint caught that too, bug 428036 
could have been avoided.

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc9

How reproducible:
Always

Steps to Reproduce:
1. Run rpmlint on a RPM which contains execstack files, e.g. 
qimageblitz-0.0.4-0.2.svn706674.fc8.i386.rpm
  
Actual results:
No warnings or errors

Expected results:
Warning about libqimageblitz.so.4.0.0 having an executable stack

Comment 1 Ville Skyttä 2008-01-10 21:04:00 UTC
Sounds like a good idea.  Can you suggest a name for this warning/error and the
contents of the info message, and/or do you have a link where lintian's output
for this can be looked at?

Comment 2 Kevin Kofler 2008-01-12 07:51:02 UTC
From shared-libs.desc in Lintian 1.23.42:

Tag: shlib-without-PT_GNU_STACK-section
Type: error
Info: The listed shared libraries lacks a PT_GNU_STACK section. This forces
 the dynamic linker to make the stack executable.
 .
 The shared lib is linked either with a non-GNU linker or a linker which is
 older than two years. This problem can be fixed with a rebuild.

Tag: shlib-with-executable-stack
Type: warning
Info: The listed shared libraries declares the stack as executable.
 .
 Executable stack is usualy an error as it is only needed if the code
 contains GCC trampolines or similar constructs which uses code on the
 stack. One possible source for false positives are object files built
 from assembler files which don't define a proper .note.GNU-stack
 section.


(They aren't checking this for executables, but the same issue applies to 
executables too.)

Comment 3 Ville Skyttä 2008-01-29 22:01:12 UTC
Implemented upstream: http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1395

I have a question about the executable-stack message: is the message correct in
saying that missing .note.GNU-stack sections in assembler files are a source for
*false* positives or do such cases actually result in executable stack?

Comment 4 Kevin Kofler 2008-01-29 22:08:09 UTC
They actually do result in an executable stack. It's a "false positive" in the 
sense that the executable doesn't really need an executable stack, but still 
ends up with one. The "false positive" is in the toolchain, it's a true 
positive in rpmlint. I'm not sure how to best word it, the wording from lintian 
is confusing.

Comment 5 Ville Skyttä 2008-02-01 17:50:28 UTC
Ok, a hopefully improved explanation is now upstream:
http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1396

Comment 6 Fedora Update System 2008-06-09 18:33:09 UTC
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9

Comment 7 Fedora Update System 2008-06-09 18:35:06 UTC
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8

Comment 8 Fedora Update System 2008-06-11 04:34:26 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rpmlint'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185

Comment 9 Fedora Update System 2008-06-26 08:29:51 UTC
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-06-26 08:30:45 UTC
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.