Description of problem: http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package has suid binaries...". However, currently nspluginwrapper is not being built with PIE flags. This is a clear violation of the packaging guidelines. This issue (in its wider scope) is being discussed at, https://fedorahosted.org/fesco/ticket/1104 https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html Version-Release number of selected component (if applicable): nspluginwrapper-1.4.4-17.fc19.x86_64.rpm How reproducible: You can use following programs to check if a package is hardened: http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec Steps to Reproduce: Get scanner.py from https://github.com/kholia/checksec $ ./scanner.py nspluginwrapper-1.4.4-17.fc19.x86_64.rpm nspluginwrapper,nspluginwrapper-1.4.4-17.fc19.x86_64.rpm,/usr/lib64/nspluginwrapper/npconfig,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None nspluginwrapper,nspluginwrapper-1.4.4-17.fc19.x86_64.rpm,/usr/lib64/nspluginwrapper/npplayer,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-local nspluginwrapper,nspluginwrapper-1.4.4-17.fc19.x86_64.rpm,/usr/lib64/nspluginwrapper/npviewer.bin,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-local nspluginwrapper,nspluginwrapper-1.4.4-17.fc19.x86_64.rpm,/usr/lib64/nspluginwrapper/plugin-config,mode=0104755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
Added to nspluginwrapper-1.4.4-18.fc20 (the -fPIC and -z now flags). Anyway, the binaries does not contain text relocations.