https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Bug ID: 1238804
Summary: /usr/bin/perl is not linked with -z now
Product: Fedora
Version: rawhide
Component: perl
Assignee: jplesnik@redhat.com
Reporter: ppisar@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: cweyl@alumni.drew.edu, iarnell@gmail.com, jplesnik@redhat.com, kasal@ucw.cz, perl-devel@lists.fedoraproject.org, ppisar@redhat.com, psabata@redhat.com, rc040203@freenet.de, tcallawa@redhat.com
/usr/bin/perl is not linked with -z now. The -z now is defined by -specs=/usr/lib/rpm/redhat/redhat-hardened-ld:
gcc -o libperl.so -shared -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -Wl,-soname -Wl,libperl.so.5.22 op.o perl.o gv.o toke.o perly.o pad.o regcomp.o dump.o util.o mg.o reentr.o mro_core.o keywords.o hv.o av.o run.o pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o pp_pack.o pp_sort.o caretx.o perldtrace.o DynaLoader.o -lpthread -lresolv -lnsl -ldl -lm -lcrypt -lutil -lc
Processing extracted/DCombiningClass.txt
Processing extracted/DNumType.txt
gcc -o perl -fstack-protector-strong -L/usr/local/lib -Wl,--enable-new-dtags perlmain.o libperl.so `cat ext.libs` -lpthread -lresolv -lnsl -ldl -lm -lcrypt -lutil -lc
The reason is we configure perl as:
/bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
        -Dccdlflags="-Wl,--enable-new-dtags" \
        -Dlddlflags="-shared $RPM_OPT_FLAGS $RPM_LD_FLAGS" \
The $RPM_LD_FLAGS should go into ccdlflags too. ccdlflags is for linking programs dynamically, lddlflags is for linking libraries dynamically.
Configure supports ldflags, but I worry this has to be actively used by Makefile.PLs, so it is not very helpful.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |ASSIGNED
Assignee        |jplesnik@redhat.com         |ppisar@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |ASSIGNED                    |CLOSED
Fixed In Version|                            |perl-5.22.0-347.fc23
Resolution      |---                         |RAWHIDE
Last Closed     |                            |2015-07-09 11:45:40
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |CLOSED                      |ASSIGNED
Resolution      |RAWHIDE                     |---
Keywords        |                            |Reopened
--- Comment #1 from Petr Pisar ppisar@redhat.com ---
The issue is some perl packages fail tests or the interpreter segfaults if /usr/bin/perl is linked with the -pie option.
This must be fixed or reverted.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Version         |rawhide                     |23
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Blocks          |                            |1242769, 1242802
Summary         |/usr/bin/perl is not linked |/usr/bin/perl is not linked
                |with -z now                 |with -z now and -pie, perl
                |                            |crashes with -pie
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1242769 [Bug 1242769] perl-Algorithm-CurveFit-1.05-14.fc23 FTBFS: Failed test at t/02bad_deriv.t line 50
https://bugzilla.redhat.com/show_bug.cgi?id=1242802 [Bug 1242802] perl-smartmatch-engine-core-0.02-11.fc23 FTBFS: t/core.t test fails
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Blocks          |                            |1199775 (harden-failure)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1199775 [Bug 1199775] Tracking bug for issues with using the Hardened Flags (Fails to Build, segfaults etc.)
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Pavel Raiskup praiskup@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Depends On      |                            |947022
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=947022 [Bug 947022] postgresql package should be built with PIE flags
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Pavel Raiskup praiskup@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Depends On      |947022                      |
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=947022 [Bug 947022] postgresql package should be built with PIE flags
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #2 from Petr Pisar ppisar@redhat.com ---
Known failures:
smartmatch-engine-core: tests segfault on x86_64
perl-Algorithm-CurveFit: tests fail in this pure Perl code
perl-B-Utils: tests fail on x86
perl-PDL-Graphics-PLplot: tests segfault on x86_64
I will disable hardening in perl.spec and I will work with upstream and Fedora toolchain maintainers to identify and fix the cause.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #3 from Petr Pisar ppisar@redhat.com ---
Hardening disabled in:
perl-5.22.0-349.fc23
perl-5.22.0-349.fc24
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |h.reindl@thelounge.net
--- Comment #4 from Petr Pisar ppisar@redhat.com ---
*** Bug 1283947 has been marked as a duplicate of this bug. ***
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #5 from Harald Reindl h.reindl@thelounge.net ---
PIE is one thing
Full RELRO is another one
http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
[root@localhost:~]$ hardening-check /usr/bin/perl
/usr/bin/perl:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: no, not found!
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #6 from Fedora End Of Life jkurik@fedoraproject.org ---
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #7 from Harald Reindl h.reindl@thelounge.net ---
and why can't i change the release from 23 to 24 here?
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Version         |23                          |24
--- Comment #8 from Petr Pisar ppisar@redhat.com ---
You can.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #9 from Harald Reindl h.reindl@thelounge.net ---
Created attachment 1223847
  --> https://bugzilla.redhat.com/attachment.cgi?id=1223847&action=edit
screenshot bugzilla
no i can't - see screenshot - on top of this bugreport all options are missing
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #10 from Petr Pisar ppisar@redhat.com ---
I have no idea what's wrong.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Emmanuel Seyman emmanuel@seyman.fr changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |emmanuel@seyman.fr
--- Comment #11 from Emmanuel Seyman emmanuel@seyman.fr ---
(In reply to Harald Reindl from comment #7)
> and why can't i change the release from 23 to 24 here?
The two main possibilities are:
1) Bugzilla sees you as logged out despite the fact that you're logged in.
2) You're logged in but don't have the necessary permissions to edit this bug.
You can check your permissions at https://bugzilla.redhat.com/userprefs.cgi?tab=permissions
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Matthew Miller mattdm@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |mattdm@redhat.com
Version         |24                          |rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #12 from Petr Pisar ppisar@redhat.com ---
*** Bug 984185 has been marked as a duplicate of this bug. ***
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #13 from Petr Pisar ppisar@redhat.com ---
/usr/bin/perl is now built with all necessary options, but the resulting executable differs from other executables:
$ readelf -d /usr/bin/rpm | grep NOW
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
$ readelf -d /usr/bin/perl | grep NOW
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
I need to figure out if this is a problem or not.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #14 from Harald Reindl h.reindl@thelounge.net ---
BIND_NOW is -z now aka "Full RELRO"
http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
it's preferred but not always possible
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
--- Comment #15 from Petr Pisar ppisar@redhat.com ---
I've already got a response from Florian Weimer. Because perl was built with -Wl,--enable-new-dtags, the way the binding metadata are expressed is a little bit different, but still perfectly valid and secure.
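Comments #13 to #15 above turn on the fact that immediate binding can be recorded in three places in the dynamic section. The following is an added example (not part of the bug report or of any Fedora tool) that parses a little-endian ELF64 image and accepts any of the three; `binding_report`, `sample_image` and the two sample images are hypothetical names and constructed inputs.

```python
import struct

# Tag and flag values from the ELF gABI and GNU extensions; 0x18, 0x1e and
# 0x6ffffffb are the tags visible in the readelf output above.
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 0x18, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def binding_report(image: bytes) -> dict:
    """Say whether a little-endian ELF64 image requests immediate binding, and how."""
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    encodings, relro = set(), False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", image, e_phoff + i * e_phentsize)
        relro = relro or p_type == PT_GNU_RELRO
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<QQ", image, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:                       # dedicated tag (rpm above)
                encodings.add("DT_BIND_NOW")
            elif tag == DT_FLAGS and val & DF_BIND_NOW:  # flag bit (perl above)
                encodings.add("DT_FLAGS:BIND_NOW")
            elif tag == DT_FLAGS_1 and val & DF_1_NOW:   # GNU/Solaris extension
                encodings.add("DT_FLAGS_1:NOW")
    now = bool(encodings)
    return {"bind_now": now, "full_relro": relro and now, "encodings": sorted(encodings)}

def sample_image(dyn_entries, relro=True) -> bytes:
    """Constructed minimal ELF64 image: ELF header, program headers, dynamic entries."""
    dyn = b"".join(struct.pack("<QQ", t, v) for t, v in [*dyn_entries, (DT_NULL, 0)])
    phnum = 2 if relro else 1
    off = 64 + 56 * phnum
    image = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 3, 62, 1,
                        0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    image += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        image += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, off, 0, 0, len(dyn), len(dyn), 1)
    return image + dyn

# Constructed inputs mirroring the two layouts in the readelf output above.
RPM_STYLE = sample_image([(DT_BIND_NOW, 0), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
PERL_STYLE = sample_image([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
```

On a real binary, pass the file's bytes to `binding_report`; a checker that looks only for the dedicated DT_BIND_NOW tag would misreport the perl-style layout as lazily bound.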
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
See Also        |                            |https://bugzilla.redhat.com/show_bug.cgi?id=1478470
--- Comment #16 from Petr Pisar ppisar@redhat.com ---
I reported bug #1478470 against rpmgrill.
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Petr Pisar ppisar@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |ASSIGNED                    |CLOSED
Fixed In Version|perl-5.22.0-347.fc23        |perl-5.26.0-392.fc27
Resolution      |---                         |RAWHIDE
Last Closed     |2015-07-09 11:45:40         |2017-08-07 02:04:02