[Fedora-packaging] RFC mass bug reporting: checksec failures

Richard W.M. Jones rjones at redhat.com
Wed Sep 16 19:59:10 UTC 2015


On Wed, Sep 16, 2015 at 07:24:02PM +0300, Alexander Todorov wrote:
> Including fedora-devel on this topic.
> 
> On 12.09.2015 at 08:48, Dominik 'Rathann' Mierzejewski wrote:
> >>>
> >>>Question is how to deal with these because they appear to be in the hundreds ?
> >>
> >>How many, exactly? We have around 20000 SRPMs in the distribution.
> >
> 
> From today's Rawhide snapshot my script counted around 4500
> offending packages. You can find links to the script and execution
> log here:
> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/

The majority of the packages of mine on this list fall into
three groups:

 - erlang packages

 - mingw packages

 - ocaml packages

I'm pretty sure mingw packages should all be excluded.  Who knows what
Windows uses (and who cares).

Erlang code generation is an unknown quantity.

For OCaml, I think you should ignore anything under %{libdir}/ocaml/
since those are development files.  (Their contents may eventually end
up in a binary, but we can worry about that when we see the binary).
That removes most of the failures.

For OCaml binaries, it seems as if most of them are like this:

  Partial RELRO   Canary found   NX enabled  No PIE   No RPATH  No RUNPATH  ./usr/bin/ocamlc.opt

As far as I understand it, the only problems there are "Partial RELRO"
which should in an ideal world be "Full RELRO"; and "No PIE".

I guess we can fix the RELRO problem by linking with -z now.  It may
require a compiler patch.

The OCaml compiler doesn't support PIE but it does support -fPIC.  I'm
not clear if there would be some way to link the -fPIC objects into a
PIE executable?

In general OCaml is much more robust against these kinds of attacks,
since you have to deliberately let your pointers "go wild" by using
special "unsafe_*" functions, and that's an immediate red flag when
reviewing code.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
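Added example (not part of the mail above, nor a Fedora or checksec tool): a small Python inspector that derives the same checksec-style columns (RELRO, canary, NX, PIE, RPATH, RUNPATH) directly from ELF64 program headers and the PT_DYNAMIC segment, so a packager can see what "Partial RELRO" versus "Full RELRO" actually tests for: a PT_GNU_RELRO segment alone gives partial RELRO, and only a BIND_NOW/DF_1_NOW dynamic flag (what `-z now` adds) upgrades it to full. The ELF images it inspects are constructed in memory with assumed, minimal contents (a dynamic segment, a GNU_STACK header and a string blob); they are fixtures, not real binaries, and the canary check is the usual heuristic of looking for the `__stack_chk_fail` symbol name.

```python
"""Minimal checksec-style inspector for ELF64 little-endian images.

Parses the ELF header, program headers and PT_DYNAMIC with the struct
module, so it needs no readelf.  The sample images it tests are constructed
in memory (fixtures, not real Fedora binaries) and cannot be executed.
"""
import struct

# ELF / GNU ABI constants
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 15, 24, 29, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<qQ")                 # 16-byte dynamic entry


def checksec(data: bytes) -> dict:
    """Return checksec-style findings for one ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]          # (p_type, p_flags, p_offset, ...)
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the loader falls back to an executable stack.
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # Collect dynamic tags: BIND_NOW flags decide full vs partial RELRO.
    tags = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off = p[2]
            while True:
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val
                off += DYN.size
    bind_now = (DT_BIND_NOW in tags
                or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = ("Full RELRO" if has_relro and bind_now
             else "Partial RELRO" if has_relro else "No RELRO")
    return {
        "relro": relro,
        # Heuristic: a canary-protected binary references __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
        "nx": nx,
        # Simplification: ET_DYN is reported as PIE (checksec additionally
        # distinguishes plain shared libraries).
        "pie": e_type == ET_DYN,
        "rpath": DT_RPATH in tags,
        "runpath": DT_RUNPATH in tags,
    }


def report(findings: dict, path: str) -> str:
    """Render one checksec-style line like the one quoted in the mail."""
    return "  ".join([
        findings["relro"],
        "Canary found" if findings["canary"] else "No canary found",
        "NX enabled" if findings["nx"] else "NX disabled",
        "PIE enabled" if findings["pie"] else "No PIE",
        "RPATH" if findings["rpath"] else "No RPATH",
        "RUNPATH" if findings["runpath"] else "No RUNPATH",
        path,
    ])


def build_sample_elf(pie=False, relro=True, bind_now=False, nx=True,
                     canary=True, rpath=False) -> bytes:
    """Construct a tiny synthetic ELF64 image (a test fixture, not runnable)."""
    entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + \
              ([(DT_RPATH, 1)] if rpath else []) + [(DT_NULL, 0)]
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries)
    strings = b"\0__stack_chk_fail\0" if canary else b"\0"
    nph = 3 if relro else 2
    dyn_off = EHDR.size + PHDR.size * nph
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dynamic), len(dynamic), 8),
             PHDR.pack(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                               len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dynamic + strings


if __name__ == "__main__":
    # First line reproduces the OCaml-style result quoted in the mail,
    # second one shows what linking with -z now plus PIE would report.
    print(report(checksec(build_sample_elf()), "synthetic-ocamlc.opt"))
    print(report(checksec(build_sample_elf(pie=True, bind_now=True)),
                 "synthetic-hardened"))
```

The default fixture yields exactly the "Partial RELRO / Canary found / NX enabled / No PIE / No RPATH / No RUNPATH" combination from the mail; setting `bind_now=True` is the in-memory equivalent of the `-z now` link flag and flips the first column to Full RELRO, while `pie=True` only changes `e_type`, which is the one thing the PIE column looks at.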