Bug 973512 - [F21] ghc-7.4.2 and 7.6.3 links executables with executable stack flag set
[F21] ghc-7.4.2 and 7.6.3 links executables with executable stack flag set
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ghc (Show other bugs)
21
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jens Petersen
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-12 01:38 EDT by Dhiru Kholia
Modified: 2015-12-02 08:44 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-01 21:48:17 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dhiru Kholia 2013-06-12 01:38:03 EDT
Description of problem:

Many programs in the ghc-compiler package have an executable stack. 

"This makes it susceptible to stack based exploits should another weakness be found in the affected programs" (Steve Grubb).

Version-Release number of selected component (if applicable):

ghc-compiler-7.4.2-11.fc19

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py ghc-compiler-7.4.2-11.fc19.x86_64.rpm
...
ghc-compiler,ghc-compiler-7.4.2-11.fc19.x86_64.rpm,/usr/lib64/ghc-7.4.2/ghc,mode=0100755,NX=Disabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Disabled,CATEGORY=None

Notice "NX=Disabled" field.

Upstream fixed this "bug" 4 years back. See http://hackage.haskell.org/trac/ghc/ticket/703
Comment 1 Dhiru Kholia 2013-06-12 01:51:03 EDT
Re-opened upstream bug, http://hackage.haskell.org/trac/ghc/ticket/703
Comment 2 Jens Petersen 2013-07-09 22:09:18 EDT
Thank you very much for reporting this.

Should be fixed upstream, see

https://github.com/ghc/ghc/commit/08a38628f29df63ac842f4d083efb414f42d7bff

which I backported to rawhide in ghc-7.6.3-15.fc20.

Note this affects ghc 7.4 and 7.4 (but not 7.0).

I will backport later to F19 and F18.
Comment 3 Jens Petersen 2013-07-09 22:11:02 EDT
Also just to clarify the report it affects not just the ghc executables
themselves but all executables linked by ghc-7.4 and ghc-7.6. :)
Comment 4 Dhiru Kholia 2013-07-10 00:06:38 EDT
Hi Jens,

Thanks for tracking this.

Hoping to see the fixed packages land soon!

>> Also just to clarify the report it affects not just the ghc executables themselves but all executables linked by ghc-7.4 and ghc-7.6. :)

Yes.
Comment 5 Jens Petersen 2013-07-11 02:49:04 EDT
(In reply to Jens Petersen from comment #3)
> affects [...] all executables linked by ghc-7.4 and ghc-7.6.

Actually I am surprised but from my testing it seems ghc-7.4.1 (F18)
is not affected, so currently this only affects F19 and Rawhide
I believe.
Comment 6 Jens Petersen 2013-07-11 02:53:27 EDT
(In reply to Jens Petersen from comment #2)
> https://github.com/ghc/ghc/commit/08a38628f29df63ac842f4d083efb414f42d7bff
> which I backported to rawhide in ghc-7.6.3-15.fc20.

Unfortunately even with ghc-7.6.3-15.fc20 executables still
seems to get executable stack...
It also changed the ABI hash of the ghc library. :-(

For now I added a workaround to ghc-rpm-macros to clear
the execstack flag when building Fedora Haskell packages,
but leaving this open until the actual problem in ghc is fixed.
Comment 7 Fedora Update System 2013-07-11 04:45:30 EDT
ghc-rpm-macros-0.98.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ghc-rpm-macros-0.98.3-1.fc19
Comment 8 Fedora Update System 2013-07-21 20:36:34 EDT
ghc-rpm-macros-0.98.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Florian Weimer 2013-08-26 08:15:41 EDT
ghc still produces binaries with an executable stack.  Clearing up after %install in RPM macros is a nice kludge, but doesn't help users who build their own software.

Do we know why the version in F19 doesn't play nice with NX stacks?
Comment 10 Jens Petersen 2014-01-29 22:19:13 EST
I am not sure what went wrong in my earlier testing,
I did a new test build and it *does* seem to fix the problem. :)
So likely my earlier testing was incorrect. :-/

http://koji.fedoraproject.org/koji/taskinfo?taskID=6467138

This f21 scratch build should also work fine on F20.
(You can use lftp etc to pull down the rpms from kojipkgs.)
Comment 11 Jens Petersen 2014-01-29 22:26:52 EST
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6467138
> This f21 scratch build should also work fine on F20.

I forgot I only built it so far for i686.
Anyway I will build soon for rawhide and
then it should be easier to test.

As noted earlier, the ghc lib's ABI hash changes
so unfortunately this also requires some rebuilds
to push cleanly.
Comment 12 Dhiru Kholia 2014-01-30 00:29:35 EST
Thanks Jens! This should help in reducing the size of the following list,

http://people.fedoraproject.org/~halfie/scans/rawhide-execstack-list.txt
Comment 13 Jens Petersen 2014-01-30 02:54:18 EST
Here's a scratch build for x86_64 too:

http://koji.fedoraproject.org/koji/taskinfo?taskID=6467138

which should become identical to the final rawhide build
once I have tested it.
Comment 14 Jens Petersen 2014-01-30 03:02:47 EST
(In reply to Jens Petersen from comment #13)
> Here's a scratch build for x86_64 too:

Ugh, I mean http://koji.fedoraproject.org/koji/taskinfo?taskID=6470812
Comment 15 Jens Petersen 2014-01-30 03:47:35 EST
The saga gets better: the 64bit build above does not fix execstack!
unlike the 32bit one above... boggle, which is consistent with comment 6.
Comment 17 Jens Petersen 2015-01-07 02:01:06 EST
Still true for F21 alas.
Comment 18 Fedora End Of Life 2015-11-04 10:33:36 EST
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 19 Fedora End Of Life 2015-12-01 21:48:22 EST
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.