Bug 965511 - davfs2 package should be built with PIE flags
Summary: davfs2 package should be built with PIE flags
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: davfs2
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Will Woods
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-21 10:15 UTC by Dhiru Kholia
Modified: 2014-10-28 11:05 UTC (History)
4 users (show)

Fixed In Version: davfs2-1.4.7-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 11:05:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Dhiru Kholia 2013-05-21 10:15:26 UTC 
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package has suid binaries...".

However, currently davfs2 is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

davfs2-1.4.7-1.fc19.x86_64.rpm

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py davfs2-1.4.7-1.fc19.x86_64.rpm
davfs2,davfs2-1.4.7-1.fc19.x86_64.rpm,/usr/sbin/mount.davfs,mode=0104755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
davfs2,davfs2-1.4.7-1.fc19.x86_64.rpm,/usr/sbin/umount.davfs,mode=0100755,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
Comment 2 Moez Roy 2014-10-11 11:49:38 UTC 
I have added global hardening flags in the spec file for EPEL7 and EL6.

I don't have commit access to the other branches.
Comment 3 Fedora Update System 2014-10-11 11:53:22 UTC 
davfs2-1.4.7-6.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/davfs2-1.4.7-6.el6
Comment 4 Fedora Update System 2014-10-11 18:02:44 UTC 
davfs2-1.4.7-6.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-10-13 15:07:59 UTC 
davfs2-1.4.7-6.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/davfs2-1.4.7-6.el7
Comment 6 Fedora Update System 2014-10-13 21:36:38 UTC 
Package davfs2-1.4.7-6.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing davfs2-1.4.7-6.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3292/davfs2-1.4.7-6.el7
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-10-28 11:05:29 UTC 
davfs2-1.4.7-6.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.