Bug 955147 - lightdm package should be built with PIE flags
Summary: lightdm package should be built with PIE flags
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: lightdm
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 956868
Blocks: harden-failure
Reported: 2013-04-22 13:27 UTC by Dhiru Kholia
Modified: 2016-03-30 20:51 UTC

Fixed In Version: lightdm-1.10.6-2.fc23
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-30 20:51:32 UTC
Type: ---
Embargoed:




Links
System     ID       Private  Priority  Status  Summary  Last Updated
Launchpad  1114106  0        None      None    None     Never

Description Dhiru Kholia 2013-04-22 13:27:29 UTC
Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently lightdm is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

lightdm-1.6.0-2.fc19.x86_64.rpm

How reproducible:

You can use the following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py lightdm-1.6.0-2.fc19.x86_64.rpm
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/bin/dm-tool,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-guest-session-wrapper,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/libexec/lightdm/lightdm-set-defaults,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/sbin/lightdm,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
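
Added example, not part of the original report or of the checksec project: a small Python parser for the scanner.py result lines quoted above that lists, per binary, which checks fall short. The `WEAK` policy table and the function names are assumptions of this example.

```python
# Added example (not part of scanner.py): triage scanner.py result lines.
# SAMPLE holds two of the result lines quoted in the report above.
SAMPLE = """\
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/bin/dm-tool,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None
lightdm,lightdm-1.6.0-2.fc19.x86_64.rpm,/usr/sbin/lightdm,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None
"""

# Assumed policy: the values that count as a hardening gap for each check.
# RPATH/RUNPATH are inverted (an embedded search path is the gap), and
# FORTIFY=NA is treated as "not applicable" rather than as a failure.
WEAK = {
    "NX": {"Disabled"}, "CANARY": {"Disabled"}, "PIE": {"Disabled"},
    "FORTIFY": {"Disabled"}, "RELRO": {"Disabled", "Partial"},
    "RPATH": {"Enabled"}, "RUNPATH": {"Enabled"},
}

def parse_line(line):
    """Split one result line into (package, rpm, path, {check: value})."""
    fields = line.strip().split(",")
    if len(fields) < 4:
        raise ValueError("not a scanner result line: %r" % line)
    package, rpm, path = fields[:3]
    checks = {}
    for field in fields[3:]:
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("expected NAME=VALUE, got %r" % field)
        checks[name] = value
    return package, rpm, path, checks

def gaps(checks):
    """Return the names of the checks whose value is in the WEAK policy."""
    return [name for name, value in checks.items() if value in WEAK.get(name, ())]

def report(text):
    """Map each binary path to its list of hardening gaps."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            _, _, path, checks = parse_line(line)
            result[path] = gaps(checks)
    return result

if __name__ == "__main__":
    for path, missing in report(SAMPLE).items():
        print(path, "->", ", ".join(missing) or "ok")
```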

Comment 1 Dan Mashal 2013-04-22 15:11:09 UTC
Tried building with "%global _hardened_build 1" in the spec:

Making all in doc
make[2]: Entering directory `/builddir/build/BUILD/lightdm-1.6.0/doc'
  DOC   Scanning header files
  DOC   Introspecting gobjects
gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'
compilation terminated.
Compilation of scanner failed: 

http://kojipkgs.fedoraproject.org//work/tasks/8232/5288232/build.log

Comment 2 Rex Dieter 2013-04-25 11:53:59 UTC
Thanks to some prodding by halfie on irc,

[04/25/13 06:49] <halfie> rdieter, the build system of lightdm seems to be appending flags to existing flags?
[04/25/13 06:50] <rdieter> this line is the failure:  
[04/25/13 06:50] <rdieter> CC="$(GTKDOC_CC)" LD="$(GTKDOC_LD)" RUN="$(GTKDOC_RUN)" CFLAGS="$(GTKDOC_CFLAGS) $(CFLAGS)" LDFLAGS="$(GTKDOC_LIBS) $(LDFLAGS)" \
[04/25/13 06:50] <rdieter>             gtkdoc-scangobj $(SCANGOBJ_OPTIONS) $$scanobj_options --module=$(DOC_MODULE);
[04/25/13 06:51] <rdieter> yeah, looks like it
[04/25/13 06:51] <rdieter> GTKDOC_CC = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(INCLUDES) $(GTKDOC_DEPS_CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
[04/25/13 06:51] <rdieter> GTKDOC_LD = $(LIBTOOL) --tag=CC --mode=link $(CC) $(GTKDOC_DEPS_LIBS) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS)
[04/25/13 06:51] <rdieter> so those are getting set twice

[04/25/13 06:52] <halfie> I suspected something like that. So what do we do here? File upstream bug?
[04/25/13 06:53] <rdieter> I'll try to patch it so it gets set only once, then yeah, poke upstream about it
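
Added example, not code from lightdm, gtk-doc or the commenters: it expands the Makefile variables quoted in comment 2 and shows the hardening `-specs=` option reaching the compiler command line twice. The `CFLAGS` value, the `$CC $CFLAGS` invocation form and the `ONCE_ENV` variant are assumptions of this example; the actual patch is not shown in this report.

```python
import re

# Makefile fragment quoted in comment 2, plus constructed values for the
# variables it references (LIBTOOL, CC and CFLAGS are assumptions).
MAKE_VARS = {
    "GTKDOC_CC": "$(LIBTOOL) --tag=CC --mode=compile $(CC) $(INCLUDES) "
                 "$(GTKDOC_DEPS_CFLAGS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)",
    "LIBTOOL": "libtool",
    "CC": "gcc",
    "CFLAGS": "-O2 -g -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1",
}
# Environment the rule hands to gtkdoc-scangobj, as quoted in comment 2.
BROKEN_ENV = {"CC": "$(GTKDOC_CC)", "CFLAGS": "$(GTKDOC_CFLAGS) $(CFLAGS)"}
# Hypothetical variant that passes the flags once (not the actual patch).
ONCE_ENV = {"CC": "$(GTKDOC_CC)", "CFLAGS": "$(GTKDOC_CFLAGS)"}

def expand(text, variables, depth=0):
    """Recursively expand $(NAME) references; undefined names expand to ''."""
    if depth > 20:
        raise RecursionError("self-referencing make variable")
    return re.sub(r"\$\((\w+)\)",
                  lambda m: expand(variables.get(m.group(1), ""), variables, depth + 1),
                  text)

def compile_argv(env, variables):
    """Build the argv of '$CC $CFLAGS', the form assumed for gtkdoc-scangobj."""
    return (expand(env["CC"], variables) + " " + expand(env["CFLAGS"], variables)).split()

def repeated_specs(argv):
    """Return the -specs= options that occur more than once in argv."""
    specs = [arg for arg in argv if arg.startswith("-specs=")]
    return sorted({arg for arg in specs if specs.count(arg) > 1})

if __name__ == "__main__":
    for label, env in (("as quoted", BROKEN_ENV), ("flags once", ONCE_ENV)):
        print(label, "->", repeated_specs(compile_argv(env, MAKE_VARS)) or "no repeats")
```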

Comment 3 Fedora Update System 2013-04-25 12:31:26 UTC
lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19

Comment 4 Fedora Update System 2013-04-25 16:47:26 UTC
Package lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-kde-0.3.2.1-2.fc19 lightdm-gtk-1.5.1-2.fc19 lightdm-1.6.0-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6618/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-3.fc19
then log in and leave karma (feedback).

Comment 5 Rex Dieter 2013-04-26 05:03:26 UTC
PIE build reverted for now, seems to cause crashes, bug #956868

Comment 6 Fedora Update System 2013-04-27 11:46:15 UTC
lightdm-kde-0.3.2.1-2.fc19, lightdm-gtk-1.5.1-2.fc19, lightdm-1.6.0-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-6713/lightdm-kde-0.3.2.1-2.fc19,lightdm-gtk-1.5.1-2.fc19,lightdm-1.6.0-4.fc19

Comment 7 Dan Williams 2013-04-30 20:27:58 UTC
I've filed bug 958290 for a fix to gtk-doc so we don't all have to patch this ourselves.

Comment 8 Rex Dieter 2013-05-16 12:27:40 UTC
lightdm was fixed, so doesn't depend on bug #892837 (removing)

Comment 10 Moez Roy 2015-03-14 14:55:52 UTC
(In reply to Rex Dieter from comment #8)
> lightdm was fixed, so doesn't depend on bug #892837 (removing)

Please remind me why hardening was disabled for lightdm again? This bug references other RHBZ which are all closed right now.

Thanks.

Comment 11 Mamoru TASAKA 2015-03-14 15:09:30 UTC
(In reply to Moez Roy from comment #10)
> (In reply to Rex Dieter from comment #8)
> > lightdm was fixed, so doesn't depend on bug #892837 (removing)
> 
> Please remind me why hardening was disabled for lightdm again? This bug
> references other RHBZ which are all closed right now.
> 
> Thanks.

You should try reading the history.

(In reply to Rex Dieter from comment #5)
> PIE build reverted for now, seems to cause crashes, bug #956868

Comment 12 Rex Dieter 2016-03-24 13:59:50 UTC
* Wed Nov 25 2015 Rex Dieter <rdieter> - 1.10.6-2
...
- (re)enable hardening for f23+, at least (#956868)

Comment 13 Fedora Update System 2016-03-28 18:37:59 UTC
lightdm-1.10.6-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-97272d76c4

Comment 14 Fedora Update System 2016-03-30 20:51:25 UTC
lightdm-1.10.6-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

