955206 – tigervnc package should be built with PIE flags

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 955206 - tigervnc package should be built with PIE flags

Summary: tigervnc package should be built with PIE flags

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	tigervnc
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	1063392
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-22 14:30 UTC by Dhiru Kholia
Modified:	2014-03-27 15:23 UTC (History)
CC List:	5 users (show)
Fixed In Version:	tigervnc-1.3.1-1.fc21
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-03-27 15:23:26 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
patch to enable PIE (320 bytes, patch) 2013-12-20 07:35 UTC, Dhiru Kholia	no flags	Details \| Diff
View All

Description Dhiru Kholia 2013-04-22 14:30:36 UTC

Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently tigervnc is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

tigervnc-server-1.2.80-0.12.20130314svn5065.fc19.x86_64.rpm

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py tigervnc-server-1.2.80-0.12.20130314svn5065.fc19.x86_64.rpm
tigervnc-server,tigervnc-server-1.2.80-0.12.20130314svn5065.fc19.x86_64.rpm,/usr/bin/x0vncserver,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip

Comment 2 Fedora Admin XMLRPC Client 2013-05-13 14:53:52 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Dhiru Kholia 2013-12-20 07:35:44 UTC

Created attachment 839426 [details]
patch to enable PIE

Comment 4 Dhiru Kholia 2013-12-20 07:37:00 UTC

Hi Tim,

Can you please test the attached patch?

Comment 5 Tim Waugh 2014-01-13 15:25:34 UTC

Thanks, I will. I haven't forgotten it.

Note You need to log in before you can comment on or make changes to this bug.