Bug 973499 - programs in par2cmdline package have an executable stack
Summary: programs in par2cmdline package have an executable stack
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: par2cmdline (Show other bugs)
(Show other bugs)
Version: 19
Hardware: Unspecified Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Erik van Pienbroek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-12 04:43 UTC by Dhiru Kholia
Modified: 2014-03-25 03:44 UTC (History)
2 users (show)

Fixed In Version: par2cmdline-0.4.tbb.20100203-16.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-29 18:27:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
this should get rid of executable stack (7.03 KB, text/x-rpm-spec)
2013-06-12 04:44 UTC, Dhiru Kholia 		no flags Details
this should get rid of executable stack (1.80 KB, patch)
2013-06-12 04:45 UTC, Dhiru Kholia 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Dhiru Kholia 2013-06-12 04:43:14 UTC 
Description of problem:

Many programs in par2cmdline package have an executable stack. 

"This makes it susceptible to stack based exploits should another weakness be found in the affected programs" (Steve Grubb).

Version-Release number of selected component (if applicable):

par2cmdline-0.4.tbb.20100203-11.fc18

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm
par2cmdline,par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm,/usr/bin/par2verify,mode=0100755,NX=Disabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None

Notice "NX=Disabled" field.
Comment 1 Dhiru Kholia 2013-06-12 04:44:44 UTC 
Created attachment 759942 [details]
this should get rid of executable stack
Comment 2 Dhiru Kholia 2013-06-12 04:45:15 UTC 
Created attachment 759943 [details]
this should get rid of executable stack
Comment 3 Dhiru Kholia 2013-06-12 04:48:17 UTC 
Modified .spec file + a tiny patch to fix this problem are attached.

par2cmdline-enable-NX.patch uses the same technique as used in the LAME package to fix the executable stack problem.

After applying the patch, I have verified that the automated self-tests and manual tests pass.
Comment 4 Dhiru Kholia 2013-06-14 04:00:33 UTC 
Hi Erik,

Is there any progress on this bug? Do the attached "patches" work?
Comment 5 Erik van Pienbroek 2013-06-14 16:50:01 UTC 
Thank you very much for the patch!
I'm going to push updated packages soon
Comment 6 Fedora Update System 2013-06-15 18:05:33 UTC 
par2cmdline-0.4.tbb.20100203-16.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/par2cmdline-0.4.tbb.20100203-16.fc19
Comment 7 Fedora Update System 2013-06-16 19:21:22 UTC 
Package par2cmdline-0.4.tbb.20100203-16.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing par2cmdline-0.4.tbb.20100203-16.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11002/par2cmdline-0.4.tbb.20100203-16.fc19
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-06-29 18:27:49 UTC 
par2cmdline-0.4.tbb.20100203-16.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.