Bug 972967 - Build up-imapproxy with PIE support
Summary: Build up-imapproxy with PIE support
Keywords:
Status: CLOSED DUPLICATE of bug 955448
Alias: None
Product: Fedora
Classification: Fedora
Component: up-imapproxy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Chris Adams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-10 23:43 UTC by Harald Reindl
Modified: 2013-08-08 04:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-08 04:20:23 UTC
Type: Bug
Embargoed:


Attachments
my personal spec-file attached (1.74 KB, text/x-rpm-spec)
2013-07-31 09:41 UTC, Harald Reindl

Description Harald Reindl 2013-06-10 23:43:51 UTC
network-services must be hardened builds

[root@testserver:~]$ hardening-check /usr/sbin/in.imapproxyd
/usr/sbin/in.imapproxyd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

Comment 1 Harald Reindl 2013-07-13 10:00:36 UTC
Can someone explain why there is no feedback and http://fedoraproject.org/wiki/Packaging:Guidelines is ignored?

"MUST enable" is pretty clear and no opt-in
the "Partial RELRO" should also be "FULL RELRO" 
http://www.exploit-db.com/papers/13203/

> If your package meets any of the following criteria you MUST enable 
> the PIE compiler flags:
> Your package is long running. This means it's likely 
> to be started and keep running until the machine is rebooted, 
> not start on demand and quit on idle

[root@testserver:~]$ checksec --file /usr/sbin/in.imapproxyd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/in.imapproxyd

Comment 2 Tim Jackson 2013-07-31 07:19:52 UTC
Harald, thank you for your report and your assistance in making Fedora better.
Clearly this package is important to you, so if the primary maintainer is not being as responsive as you would be able to be, please consider offering to take over or co-maintain the package.

I am not the maintainer of the up-imapproxy branch in Fedora, however this is interesting to me as the maintainer of the EPEL5 branch too. It seems from your comment that was posted in bug #465859 that you have built packages that fix this and other issues. Please elaborate, for example by posting a working spec file. I just tried very briefly to build with _hardened_build on F17 (yes, need to try on a newer version) but got:

gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'

Comment 3 Harald Reindl 2013-07-31 09:41:01 UTC
Created attachment 781033
my personal spec-file attached

Sorry, but I have no free time to deal with the Fedora build systems and package guidelines, and my personal builds of any server software we use do not ship any configurations, for good reasons.

Comment 4 Fedora Admin XMLRPC Client 2013-08-08 03:00:51 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 Chris Adams 2013-08-08 04:20:23 UTC

*** This bug has been marked as a duplicate of bug 955448 ***

