Description of problem: http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". However, currently lightdm is not being built with PIE flags. This is a clear violation of the packaging guidelines. This issue (in its wider scope) is being discussed at, https://fedorahosted.org/fesco/ticket/1104 https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html Version-Release number of selected component (if applicable): lightdm-1.6.0-2.fc19.x86_64.rpm How reproducible: You can use following programs to check if a package is hardened: http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec Steps to Reproduce: Get scanner.py from https://github.com/kholia/checksec $ ./scanner.py lightdm-1.6.0-2.fc19.x86_64.rpm lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/bin/dm-tool,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-guest-session-wrapper,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-set-defaults,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/sbin/lightdm,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
Tried building with "%global _hardened_build 1" in the spec: Making all in doc make[2]: Entering directory `/builddir/build/BUILD/lightdm-1.6.0/doc' DOC Scanning header files DOC Introspecting gobjects gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old' compilation terminated. Compilation of scanner failed: http://kojipkgs.fedoraproject.org//work/tasks/8232/5288232/build.log
Thanks to some prodding by halfie on irc, [04/25/13 06:49] <halfie> rdieter, the build system of lightdm seems to be appending flags to existing flags? [04/25/13 06:50] <rdieter> this line is the failure: [04/25/13 06:50] <rdieter> CC="$(GTKDOC_CC)" LD="$(GTKDOC_LD)" RUN="$(GTKDOC_RUN)" CFLAGS="$(GTKDOC_CFLAGS) $(CFLAGS)" LDFLAGS="$(GTKDOC_LIBS) $(LDFLAGS)" \ [04/25/13 06:50] <rdieter> gtkdoc-scangobj $(SCANGOBJ_OPTIONS) $$scanobj_options --module=$(DOC_MODULE); [04/25/13 06:51] <rdieter> yeah, looks like it [04/25/13 06:51] <rdieter> GTKDOC_CC = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(INCLUDES) $(GTKDOC_DEPS_CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) [04/25/13 06:51] <rdieter> GTKDOC_LD = $(LIBTOOL) --tag=CC --mode=link $(CC) $(GTKDOC_DEPS_LIBS) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) [04/25/13 06:51] <rdieter> so those are getting set twice [04/25/13 06:52] <halfie> I suspected something like that. So what do we do here? File upstream bug? [04/25/13 06:53] <rdieter> I'll try to patch it so it gets set only once, then yeah, poke upsteam about it
lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19
Package lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-3.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lightdm-kde-0.3.2.1-2.fc19 lightdm-gtk-1.5.1-2.fc19 lightdm-1.6.0-3.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-6618/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19 then log in and leave karma (feedback).
PIE build reverted for now, seems to cause crashes, bug #956868
lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2013-6713/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-4.fc19
I've filed bug 958290 for a fix to gtk-doc so we don't all have to patch this ourselves.
lightdm was fixed, so doesn't depend on bug #892837 (removing)
(In reply to Rex Dieter from comment #8) > lightdm was fixed, so doesn't depend on bug #892837 (removing) Please remind me why hardening was disabled for lightdm again? This bug references other RHBZ which are all closed right now. Thanks.
(In reply to Moez Roy from comment #10) > (In reply to Rex Dieter from comment #8) > > lightdm was fixed, so doesn't depend on bug #892837 (removing) > > Please remind me why hardening was disabled for lightdm again? This bug > references other RHBZ which are all closed right now. > > Thanks. You should try reading the history. (In reply to Rex Dieter from comment #5) > PIE build reverted for now, seems to cause crashes, bug #956868
* Wed Nov 25 2015 Rex Dieter <rdieter> - 1.10.6-2 ... - (re)enable hardening for f23+, at least (#956868)
lightdm-1.10.6-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-97272d76c4
lightdm-1.10.6-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.