Red Hat Bugzilla – Bug 428096
[RFE] rpmlint should warn about execstack in ELF files
Last modified: 2008-06-26 04:30:45 EDT
Description of problem:
rpmlint should warn about ELF files which have the executable flag set in
their GNU_STACK note. According to:
Debian's lintian can catch this, and if rpmlint caught that too, bug 428036
could have been avoided.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run rpmlint on a RPM which contains execstack files, e.g.
No warnings or errors
Warning about libqimageblitz.so.4.0.0 having an executable stack
Sounds like a good idea. Can you suggest a name for this warning/error and the
contents of the info message, and/or do you have a link where lintian's output
for this can be looked at?
From shared-libs.desc in Lintian 1.23.42:
Info: The listed shared libraries lacks a PT_GNU_STACK section. This forces
the dynamic linker to make the stack executable.
The shared lib is linked either with a non-GNU linker or a linker which is
older than two years. This problem can be fixed with a rebuild.
Info: The listed shared libraries declares the stack as executable.
Executable stack is usualy an error as it is only needed if the code
contains GCC trampolines or similar constructs which uses code on the
stack. One possible source for false positives are object files built
from assembler files which don't define a proper .note.GNU-stack
(They aren't checking this for executables, but the same issue applies to
Implemented upstream: http://rpmlint.zarb.org/cgi-bin/trac.cgi/changeset/1395
I have a question about the executable-stack message: is the message correct in
saying that missing .note.GNU-stack sections in assembler files are a source for
*false* positives or do such cases actually result in executable stack?
They actually do result in an executable stack. It's a "false positive" in the
sense that the executable doesn't really need an executable stack, but still
ends up with one. The "false positive" is in the toolchain, it's a true
positive in rpmlint. I'm not sure how to best word it, the wording from lintian
Ok, a hopefully improved explanation is now upstream:
rpmlint-0.83-1.fc9 has been submitted as an update for Fedora 9
rpmlint-0.83-1.fc8 has been submitted as an update for Fedora 8
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rpmlint'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5185
rpmlint-0.83-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rpmlint-0.83-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.