Bug 973694 - mod_dav_svn should be Full RELRO
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: subversion
Version: 18
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-06-12 09:56 EDT by Harald Reindl
Modified: 2013-09-06 12:06 EDT
Fixed In Version: subversion-1.7.11-1.fc18.1
Doc Type: Bug Fix
Last Closed: 2013-09-06 12:06:01 EDT
Type: Bug
Description Harald Reindl 2013-06-12 09:56:34 EDT
[root@srv-rhsoft:~]$ checksec --dir /usr/lib64/httpd/modules/
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE                                                                                                                       
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/libphp5.so                                                                                        
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_authz_svn.so                                                                                  
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_cgi.so                                                                                        
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_dav.so                                                                                        
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_dav_svn.so
Comment 1 Harald Reindl 2013-06-20 10:12:13 EDT
*what* "CLOSED RAWHIDE"?
that does not fix it for F18
Comment 2 Christopher Meng 2013-07-21 21:08:33 EDT
Has it been fixed now?
Comment 3 Harald Reindl 2013-07-22 07:35:50 EDT
no: http://koji.fedoraproject.org/koji/packageinfo?packageID=752
this was only updated for F20 and not for F18/F19
Comment 5 Harald Reindl 2013-07-25 14:47:02 EDT
still not "Full RELRO"

http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

[root@srv-rhsoft:~]$ /usr/bin/hardening-check /usr/lib64/httpd/modules/mod_dav_svn.so
/usr/lib64/httpd/modules/mod_dav_svn.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!

[root@srv-rhsoft:~]$ rpm -q mod_dav_svn
mod_dav_svn-1.7.11-1.fc18.x86_64
Comment 6 Joe Orton 2013-07-25 15:26:48 EDT
Thanks Harald - I'd spotted your comment between doing the f18 and f19 builds.  I've fired off a new f18 build with that fix, and will update the bodhi update:

http://koji.fedoraproject.org/koji/taskinfo?taskID=5657252
Comment 7 Harald Reindl 2013-07-25 15:29:04 EDT
no problem, thank you!

it's not too important, but on the other hand I love the idea to 
run "checksec --proc-all" (which is now in the Fedora repos) and
have anything green at least on machines with no desktop session
running (and on the long run also with the desktop)
Comment 9 Harald Reindl 2013-07-25 16:09:14 EDT
thank you very much

mod_dav_svn-1.7.11-1.fc18.1.x86_64 makes it perfect

[root@srv-rhsoft:/downloads]$ hardening-check /usr/lib64/httpd/modules/mod_dav_svn.so
/usr/lib64/httpd/modules/mod_dav_svn.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes
