Bug 428096 - [RFE] rpmlint should warn about execstack in ELF files
[RFE] rpmlint should warn about execstack in ELF files
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: rpmlint (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Ville Skyttä
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-09 02:26 EST by Kevin Kofler
Modified: 2008-06-26 04:30 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.83-1.fc9
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-26 04:30:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kevin Kofler 2008-01-09 02:26:34 EST
Description of problem:
rpmlint should warn about ELF files which have the executable flag set in 
their GNU_STACK note. According to:
http://packages.debian.org/changelogs/pool/main/q/qimageblitz/qimageblitz_0.0.706674-2/changelog
Debian's lintian can catch this, and if rpmlint caught that too, bug 428036 
could have been avoided.

Version-Release number of selected component (if applicable):
rpmlint-0.82-2.fc9

How reproducible:
Always

Steps to Reproduce:
1. Run rpmlint on a RPM which contains execstack files, e.g. 
qimageblitz-0.0.4-0.2.svn706674.fc8.i386.rpm
  
Actual results:
No warnings or errors

Expected results:
Warning about libqimageblitz.so.4.0.0 having an executable stack
Comment 1 Ville Skyttä 2008-01-10 16:04:00 EST
Sounds like a good idea.  Can you suggest a name for this warning/error and the
contents of the info message, and/or do you have a link where lintian's output
for this can be looked at?
Comment 2 Kevin Kofler 2008-01-12 02:51:02 EST
From shared-libs.desc in Lintian 1.23.42:

Tag: shlib-without-PT_GNU_STACK-section
Type: error
Info: The listed shared libraries lacks a PT_GNU_STACK section. This forces
 the dynamic linker to make the stack executable.
 .
 The shared lib is linked either with a non-GNU linker or a linker which is
 older than two years. This problem can be fixed with a rebuild.

Tag: shlib-with-executable-stack
Type: warning
Info: The listed shared libraries declares the stack as executable.
 .
 Executable stack is usualy an error as it is only needed if the code
 contains GCC trampolines or similar constructs which uses code on the
 stack. One possible source for false positives are object files built
 from assembler files which don't define a proper .note.GNU-stack
 section.


(They aren't checking this for executables, but the same issue applies to 
executables too.)
Comment 3 Ville Skyttä 2008-01-29 17:01:12 EST
Implemented upstream: http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1395

I have a question about the executable-stack message: is the message correct in
saying that missing .note.GNU-stack sections in assembler files are a source for
*false* positives or do such cases actually result in executable stack?
Comment 4 Kevin Kofler 2008-01-29 17:08:09 EST
They actually do result in an executable stack. It's a "false positive" in the 
sense that the executable doesn't really need an executable stack, but still 
ends up with one. The "false positive" is in the toolchain, it's a true 
positive in rpmlint. I'm not sure how to best word it, the wording from lintian 
is confusing.
Comment 5 Ville Skyttä 2008-02-01 12:50:28 EST
Ok, a hopefully improved explanation is now upstream:
http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1396
Comment 6 Fedora Update System 2008-06-09 14:33:09 EDT
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9
Comment 7 Fedora Update System 2008-06-09 14:35:06 EDT
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8
Comment 8 Fedora Update System 2008-06-11 00:34:26 EDT
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rpmlint'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185
Comment 9 Fedora Update System 2008-06-26 04:29:51 EDT
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-06-26 04:30:45 EDT
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.