Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 973499 - programs in par2cmdline package have an executable stack
programs in par2cmdline package have an executable stack
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: par2cmdline (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Erik van Pienbroek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-12 00:43 EDT by Dhiru Kholia
Modified: 2014-03-24 23:44 EDT (History)
2 users (show)

See Also:
Fixed In Version: par2cmdline-0.4.tbb.20100203-16.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-29 14:27:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
this should get rid of executable stack (7.03 KB, text/x-rpm-spec)
2013-06-12 00:44 EDT, Dhiru Kholia 		no flags Details
this should get rid of executable stack (1.80 KB, patch)
2013-06-12 00:45 EDT, Dhiru Kholia 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Dhiru Kholia 2013-06-12 00:43:14 EDT 
Description of problem:

Many programs in par2cmdline package have an executable stack. 

"This makes it susceptible to stack based exploits should another weakness be found in the affected programs" (Steve Grubb).

Version-Release number of selected component (if applicable):

par2cmdline-0.4.tbb.20100203-11.fc18

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm
par2cmdline,par2cmdline-0.4.tbb.20100203-11.fc18.x86_64.rpm,/usr/bin/par2verify,mode=0100755,NX=Disabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None

Notice "NX=Disabled" field.
Comment 1 Dhiru Kholia 2013-06-12 00:44:44 EDT 
Created attachment 759942 [details]
this should get rid of executable stack
Comment 2 Dhiru Kholia 2013-06-12 00:45:15 EDT 
Created attachment 759943 [details]
this should get rid of executable stack
Comment 3 Dhiru Kholia 2013-06-12 00:48:17 EDT 
Modified .spec file + a tiny patch to fix this problem are attached.

par2cmdline-enable-NX.patch uses the same technique as used in the LAME package to fix the executable stack problem.

After applying the patch, I have verified that the automated self-tests and manual tests pass.
Comment 4 Dhiru Kholia 2013-06-14 00:00:33 EDT 
Hi Erik,

Is there any progress on this bug? Do the attached "patches" work?
Comment 5 Erik van Pienbroek 2013-06-14 12:50:01 EDT 
Thank you very much for the patch!
I'm going to push updated packages soon
Comment 6 Fedora Update System 2013-06-15 14:05:33 EDT 
par2cmdline-0.4.tbb.20100203-16.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/par2cmdline-0.4.tbb.20100203-16.fc19
Comment 7 Fedora Update System 2013-06-16 15:21:22 EDT 
Package par2cmdline-0.4.tbb.20100203-16.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing par2cmdline-0.4.tbb.20100203-16.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11002/par2cmdline-0.4.tbb.20100203-16.fc19
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-06-29 14:27:49 EDT 
par2cmdline-0.4.tbb.20100203-16.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.