Description of problem:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". However, currently racoon2 is not being built with PIE flags. This is a clear violation of the packaging guidelines.
This issue (in its wider scope) is being discussed at:
https://fedorahosted.org/fesco/ticket/1104
https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):
racoon2-20100526a-18.fc18.x86_64.rpm

How reproducible:
You can use the following programs to check if a package is hardened:
http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec

Steps to Reproduce:
Get scanner.py from https://github.com/kholia/checksec
$ ./scanner.py racoon2-20100526a-18.fc18.x86_64.rpm
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-iked,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-spmd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
racoon2,racoon2-20100526a-18.fc18.x86_64.rpm,/usr/sbin/racoon2-spmdctl,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
Created attachment 748293: this should enable PIE
Created attachment 748294: this should fix the build
Pavel, The attached patches should fix the build (which is currently failing) and enable PIE. Please test them. Thanks!
Hi, Is there any progress on this? Does the attached modified .spec file work?
This should wait until racoon2 actually builds on recent Fedora systems, see bug #914426.
Hardened build won't work for me without further tweaking:
gcc -o spmd -g -Wall -DSPMD_DEBUG -I../lib -DHAVE_CONFIG_H -DRACOON2_CONFIG_DIR=\"/etc/racoon2\" main.o dns.o udp.o query.o task.o signal.o shell.o utils.o cache.o spmd_pfkey.o fqdn_query.o -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L../lib -lcrypto -lracoon -lcrypto
/bin/ld: spmdctl.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
spmdctl.o: could not read symbols: Bad value
/bin/ld: main.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
main.o: could not read symbols: Bad value
Suggestions welcome.
Works for me now, fixed in rawhide.
racoon2-20100526a-27.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/racoon2-20100526a-27.fc19
Package racoon2-20100526a-27.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing racoon2-20100526a-27.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3616/racoon2-20100526a-27.fc19
then log in and leave karma (feedback).
Package racoon2-20100526a-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing racoon2-20100526a-28.fc19'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3616/racoon2-20100526a-28.fc19
then log in and leave karma (feedback).
racoon2-20100526a-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.