Bug 965511 - davfs2 package should be built with PIE flags
davfs2 package should be built with PIE flags
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: davfs2 (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Will Woods
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-21 06:15 EDT by Dhiru Kholia
Modified: 2014-10-28 07:05 EDT (History)
4 users (show)

See Also:
Fixed In Version: davfs2-1.4.7-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-28 07:05:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dhiru Kholia 2013-05-21 06:15:26 EDT
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package has suid binaries...".

However, currently davfs2 is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

davfs2-1.4.7-1.fc19.x86_64.rpm

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py davfs2-1.4.7-1.fc19.x86_64.rpm
davfs2,davfs2-1.4.7-1.fc19.x86_64.rpm,/usr/sbin/mount.davfs,mode=0104755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
davfs2,davfs2-1.4.7-1.fc19.x86_64.rpm,/usr/sbin/umount.davfs,mode=0100755,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
Comment 2 Moez Roy 2014-10-11 07:49:38 EDT
I have added global hardening flags in the spec file for EPEL7 and EL6.

I don't have commit access to the other branches.
Comment 3 Fedora Update System 2014-10-11 07:53:22 EDT
davfs2-1.4.7-6.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/davfs2-1.4.7-6.el6
Comment 4 Fedora Update System 2014-10-11 14:02:44 EDT
davfs2-1.4.7-6.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-10-13 11:07:59 EDT
davfs2-1.4.7-6.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/davfs2-1.4.7-6.el7
Comment 6 Fedora Update System 2014-10-13 17:36:38 EDT
Package davfs2-1.4.7-6.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing davfs2-1.4.7-6.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3292/davfs2-1.4.7-6.el7
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-10-28 07:05:29 EDT
davfs2-1.4.7-6.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.