Bug 972967 - Build up-imapproxy with PIE support
Status: CLOSED DUPLICATE of bug 955448
Product: Fedora
Classification: Fedora
Component: up-imapproxy
Version: 18
Assigned To: Chris Adams
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-06-10 19:43 EDT by Harald Reindl
Modified: 2013-08-08 00:20 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-08 00:20:23 EDT
Type: Bug
Attachments:
my personal spec-file attached (1.74 KB, text/x-rpm-spec), 2013-07-31 05:41 EDT, Harald Reindl
Description Harald Reindl 2013-06-10 19:43:51 EDT
network-services must be hardened builds

[root@testserver:~]$ hardening-check /usr/sbin/in.imapproxyd
/usr/sbin/in.imapproxyd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
Comment 1 Harald Reindl 2013-07-13 06:00:36 EDT
can someone explain why there is no feedback and http://fedoraproject.org/wiki/Packaging:Guidelines is ignored?

"MUST enable" is pretty clear and no opt-in
the "Partial RELRO" should also be "FULL RELRO" 
http://www.exploit-db.com/papers/13203/

> If your package meets any of the following criteria you MUST enable 
> the PIE compiler flags:
> Your package is long running. This means it's likely 
> to be started and keep running until the machine is rebooted, 
> not start on demand and quit on idle

[root@testserver:~]$ checksec --file /usr/sbin/in.imapproxyd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/in.imapproxyd
Comment 2 Tim Jackson 2013-07-31 03:19:52 EDT
Harald, thank you for your report and your assistance in making Fedora better.
Clearly this package is important to you, so if the primary maintainer is not being as responsive as you would be able to be, please consider offering to take over or co-maintain the package.

I am not the maintainer of the up-imapproxy branch in Fedora, however this is interesting to me as the maintainer of the EPEL5 branch too. It seems from your comment that was posted in bug #465859 that you have built packages that fix this and other issues. Please elaborate, for example by posting a working spec file. I just tried very briefly to build with _hardened_build on F17 (yes, need to try on a newer version) but got:

gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'
Comment 3 Harald Reindl 2013-07-31 05:41:01 EDT
Created attachment 781033
my personal spec-file attached

sorry, but I have no free time to deal with the Fedora build-systems and package-guidelines, and my personal builds of any server-software we use do not ship any configurations for good reasons
Comment 4 Fedora Admin XMLRPC Client 2013-08-07 23:00:51 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 5 Chris Adams 2013-08-08 00:20:23 EDT

*** This bug has been marked as a duplicate of bug 955448 ***
