Bug 973694 - mod_dav_svn should be Full RELRO
Summary: mod_dav_svn should be Full RELRO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: subversion
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-12 13:56 UTC by Harald Reindl
Modified: 2013-09-06 16:06 UTC (History)
3 users (show)

Fixed In Version: subversion-1.7.11-1.fc18.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-06 16:06:01 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Harald Reindl 2013-06-12 13:56:34 UTC
[root@srv-rhsoft:~]$ checksec --dir /usr/lib64/httpd/modules/
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE                                                                                                                       
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/libphp5.so                                                                                        
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_authz_svn.so                                                                                  
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_cgi.so                                                                                        
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_dav.so                                                                                        
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   /usr/lib64/httpd/modules/mod_dav_svn.so

Comment 1 Harald Reindl 2013-06-20 14:12:13 UTC
*what* "CLOSED RAWHIDE"?
that does not fix it for F18

Comment 2 Christopher Meng 2013-07-22 01:08:33 UTC
Has it been fixed now?

Comment 3 Harald Reindl 2013-07-22 11:35:50 UTC
no: http://koji.fedoraproject.org/koji/packageinfo?packageID=752
this was only updated for F20 and not for F18/F19

Comment 5 Harald Reindl 2013-07-25 18:47:02 UTC
still not "Full RELRO"

http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

[root@srv-rhsoft:~]$ /usr/bin/hardening-check /usr/lib64/httpd/modules/mod_dav_svn.so
/usr/lib64/httpd/modules/mod_dav_svn.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!

[root@srv-rhsoft:~]$ rpm -q mod_dav_svn
mod_dav_svn-1.7.11-1.fc18.x86_64

Comment 6 Joe Orton 2013-07-25 19:26:48 UTC
Thanks Harald - I'd spotted your comment between doing the f18 and f19 builds.  I've fired off a new f18 build with that fix, and will update the bodhi update:

http://koji.fedoraproject.org/koji/taskinfo?taskID=5657252

Comment 7 Harald Reindl 2013-07-25 19:29:04 UTC
no proble, thank you!

it's not too important, but on the other hand i love the idea to 
run "checksec --proc-all" (which is now in the Fedora repos and
have anything green at least on machines with no desktop session
running (and on the long run also with the desktop)

Comment 9 Harald Reindl 2013-07-25 20:09:14 UTC
thank you very much

mod_dav_svn-1.7.11-1.fc18.1.x86_64 makes it perfect

[root@srv-rhsoft:/downloads]$ hardening-check /usr/lib64/httpd/modules/mod_dav_svn.so
/usr/lib64/httpd/modules/mod_dav_svn.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes


Note You need to log in before you can comment on or make changes to this bug.