[Fedora-packaging] RFC mass bug reporting: checksec failures
Richard W.M. Jones
rjones at redhat.com
Wed Sep 16 19:59:10 UTC 2015
On Wed, Sep 16, 2015 at 07:24:02PM +0300, Alexander Todorov wrote:
> Including fedora-devel on this topic.
>
> On 12.09.2015 at 08:48, Dominik 'Rathann' Mierzejewski wrote:
> >>>
> >>>Question is how to deal with these because they appear to be in the hundreds ?
> >>
> >>How many, exactly? We have around 20000 SRPMs in the distribution.
> >
>
> From today's Rawhide snapshot my script counted around 4500
> offending packages. You can find links to the script and execution
> log here:
> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
The majority of the packages of mine on this list fall into
three groups:
- erlang packages
- mingw packages
- ocaml packages
I'm pretty sure mingw packages should all be excluded. Who knows what
Windows uses (and who cares).
Erlang code generation is an unknown quantity.
For OCaml, I think you should ignore anything under %{libdir}/ocaml/
since those are development files. (Their contents may eventually end
up in a binary, but we can worry about that when we see the binary).
That removes most of the failures.
For OCaml binaries, it seems as if most of them are like this:
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH ./usr/bin/ocamlc.opt
As far as I understand it, the only problems there are "Partial RELRO"
which should in an ideal world be "Full RELRO"; and "No PIE".
I guess we can fix the RELRO problem by linking with -z now. It may
require a compiler patch.
The OCaml compiler doesn't support PIE but it does support -fPIC. I'm
not clear if there would be some way to link the -fPIC objects into a
PIE executable?
In general OCaml is much more robust against these kinds of attacks,
since you have to deliberately let your pointers "go wild" by using
special "unsafe_*" functions, and that's an immediate red flag when
reviewing code.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
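The triage Rich proposes above (drop %{libdir}/ocaml/ and mingw paths, then report what is left, such as "Partial RELRO" and "No PIE") as an added example script; it is not part of the thread and not Alexander's script. It assumes the checksec.sh line format quoted in the mail, takes %{libdir} to be /usr/lib64, and uses the Fedora mingw sysroot prefixes as the mingw exclusion; the sample lines are constructed, not real scan data.

```python
import re

# Constructed sample in the checksec.sh --dir line format quoted in the mail
# (one file per line, path last). Made-up entries, not real Rawhide results.
SAMPLE = """\
Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   ./usr/bin/ocamlc.opt
Partial RELRO   No canary found NX enabled  No PIE   No RPATH   No RUNPATH   ./usr/lib64/ocaml/stdlib.cmxa
No RELRO        No canary found NX enabled  No PIE   No RPATH   No RUNPATH   ./usr/x86_64-w64-mingw32/sys-root/mingw/bin/libfoo.dll
Full RELRO      Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   ./usr/bin/ls
Full RELRO      Canary found   NX enabled   DSO   RPATH   No RUNPATH   ./usr/lib64/libbar.so
"""

LINE_RE = re.compile(
    r"^(No RELRO|Partial RELRO|Full RELRO)\s+(Canary found|No canary found)\s+"
    r"(NX enabled|NX disabled)\s+(PIE enabled|No PIE|DSO)\s+"
    r"(No RPATH|RPATH)\s+(No RUNPATH|RUNPATH)\s+(\S+)$")

# Assumed exclusions: %{libdir}/ocaml/ with libdir = /usr/lib64 (development
# files, per the mail) and the Fedora mingw sysroots. Proposal, not policy.
IGNORED_PREFIXES = ("./usr/lib64/ocaml/", "./usr/i686-w64-mingw32/",
                    "./usr/x86_64-w64-mingw32/")

def parse_line(line):
    """Return a dict of fields for one checksec line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    relro, canary, nx, pie, rpath, runpath, path = m.groups()
    return dict(relro=relro, canary=canary, nx=nx, pie=pie,
                rpath=rpath, runpath=runpath, path=path)

def findings(rec):
    """List the hardening gaps in one record; an empty list means nothing to report."""
    gaps = []
    if rec["relro"] != "Full RELRO":
        gaps.append("relro:" + rec["relro"])   # remedy discussed above: link with -z now
    if rec["canary"] != "Canary found":
        gaps.append("no-canary")
    if rec["nx"] != "NX enabled":
        gaps.append("nx-disabled")
    if rec["pie"] == "No PIE":                  # a DSO is position-independent already
        gaps.append("no-pie")
    if rec["rpath"] == "RPATH" or rec["runpath"] == "RUNPATH":
        gaps.append("rpath-set")
    return gaps

def triage(text):
    """Map path -> gaps for files that are not excluded and have at least one gap."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].startswith(IGNORED_PREFIXES):
            continue
        gaps = findings(rec)
        if gaps:
            report[rec["path"]] = gaps
    return report
```

Feed it the real log instead of SAMPLE to see how much of the ~4500 count survives the exclusions.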