Package: nodejs
Version: 14.13.0~dfsg-1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,

The /usr/bin/node ELF binary in the nodejs package has an executable stack and although I'm not certain whether this implies any potential for attack, it seemed worth reporting. I do not believe that the binary requires an executable stack.

The following command can be used to read and check the stack headers for the binary:

    $ readelf --program-headers --wide /usr/bin/node | grep -w GNU_STACK
    GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE    0x10

In particular the flags (RWE above) include the 'E' flag for executable in the package versions checked, which are: 12.19.0~dfsg-1 (bullseye), 12.20.1~dfsg-3 (sid) and 14.13.0~dfsg-1 (experimental).

This was discovered from observation of the following message in the dmesg output on a Debian host:

    '/usr/bin/node' started with an executable stack

There's some potentially-relevant reading in the Ubuntu and Gentoo security team documentation below:

- https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
- https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nodejs depends on:
ii  libc6      2.31-9
ii  libnode83  14.13.0~dfsg-1

Versions of packages nodejs recommends:
ii  ca-certificates  20200601
pn  nodejs-doc       <none>

Versions of packages nodejs suggests:
pn  npm  <none>

-- no debconf information
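The readelf check above can be reproduced without binutils by reading the PT_GNU_STACK program header directly. The script below is an added example, not part of the bug report or of the nodejs package; it parses ELF32/ELF64 headers, renders the flags in readelf's RWE notation, and treats a missing PT_GNU_STACK header as executable (the x86 Linux loader default). The build_sample_elf64 helper constructs a minimal synthetic ELF so the check can be exercised offline.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type that records stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits: readelf prints them as E, W, R


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    en = "<" if ei_data == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                   # ELFCLASS64
        (e_phoff,) = struct.unpack_from(en + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
        flags_off = 4                   # Elf64_Phdr: p_type, p_flags, p_offset, ...
    else:                               # ELFCLASS32
        (e_phoff,) = struct.unpack_from(en + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
        flags_off = 24                  # Elf32_Phdr: p_type, p_offset, ..., p_flags, p_align
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(en + "I", data, off)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(en + "I", data, off + flags_off)[0]
    return None


def flags_to_str(flags):
    """Render p_flags the way readelf does, e.g. 7 -> 'RWE'."""
    return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)


def stack_is_executable(data):
    """True if the loader would map the stack executable: PF_X set, or no PT_GNU_STACK
    header at all (on x86 Linux a missing header falls back to an executable stack)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_sample_elf64(stack_flags):
    """Constructed minimal little-endian x86-64 ELF with a single PT_GNU_STACK entry (test input)."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()   # e.g. /usr/bin/node
    f = gnu_stack_flags(blob)
    print("GNU_STACK", "absent" if f is None else flags_to_str(f),
          "-> executable stack" if stack_is_executable(blob) else "-> non-executable stack")
```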

