Bug 973499 - programs in par2cmdline package have an executable stack
Summary: programs in par2cmdline package have an executable stack
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: par2cmdline (Show other bugs)
(Show other bugs)
Version: 19
Hardware: Unspecified Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Erik van Pienbroek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-12 04:43 UTC by Dhiru Kholia
Modified: 2014-03-25 03:44 UTC (History)
2 users (show)

Fixed In Version: par2cmdline-0.4.tbb.20100203-16.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-29 18:27:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
this should get rid of executable stack (7.03 KB, text/x-rpm-spec)
2013-06-12 04:44 UTC, Dhiru Kholia
no flags Details
this should get rid of executable stack (1.80 KB, patch)
2013-06-12 04:45 UTC, Dhiru Kholia
no flags Details | Diff

Description Dhiru Kholia 2013-06-12 04:43:14 UTC
Description of problem:

Many programs in par2cmdline package have an executable stack. 

"This makes it susceptible to stack based exploits should another weakness be found in the affected programs" (Steve Grubb).

Version-Release number of selected component (if applicable):

par2cmdline-0.4.tbb.20100203-11.fc18

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm
par2cmdline,par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm,/usr/bin/par2verify,mode=0100755,NX=Disabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None

Notice "NX=Disabled" field.

Comment 1 Dhiru Kholia 2013-06-12 04:44:44 UTC
Created attachment 759942 [details]
this should get rid of executable stack

Comment 2 Dhiru Kholia 2013-06-12 04:45:15 UTC
Created attachment 759943 [details]
this should get rid of executable stack

Comment 3 Dhiru Kholia 2013-06-12 04:48:17 UTC
Modified .spec file + a tiny patch to fix this problem are attached.

par2cmdline-enable-NX.patch uses the same technique as used in the LAME package to fix the executable stack problem.

After applying the patch, I have verified that the automated self-tests and manual tests pass.

Comment 4 Dhiru Kholia 2013-06-14 04:00:33 UTC
Hi Erik,

Is there any progress on this bug? Do the attached "patches" work?

Comment 5 Erik van Pienbroek 2013-06-14 16:50:01 UTC
Thank you very much for the patch!
I'm going to push updated packages soon

Comment 6 Fedora Update System 2013-06-15 18:05:33 UTC
par2cmdline-0.4.tbb.20100203-16.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/par2cmdline-0.4.tbb.20100203-16.fc19

Comment 7 Fedora Update System 2013-06-16 19:21:22 UTC
Package par2cmdline-0.4.tbb.20100203-16.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing par2cmdline-0.4.tbb.20100203-16.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11002/par2cmdline-0.4.tbb.20100203-16.fc19
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-06-29 18:27:49 UTC
par2cmdline-0.4.tbb.20100203-16.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.