control: severity -1 important

On 2025-02-15 16:14, Aurelien Jarno wrote:
> Source: postgresql-pllua
> Version: 1:2.0.12-3
> Severity: import
> Tags: ftbfs patch upstream
> X-Debbugs-Cc: [email protected]
> User: [email protected]
> Usertags: glibc2.41 dlopen-executable-stack
>
> Dear maintainer,
>
> Starting with glibc 2.41, the dlopen and dlmopen functions no longer make
> the stack executable if a shared library requires it and instead just
> fail. This change aims to improve security, as the previous behaviour
> was used as a vector for RCE (CVE-2023-38408).
>
> Unfortunately the postgresql-17-pllua package provides an extension for
> postgresql-17 which requires an executable stack. With this change, it
> can't be loaded anymore, causing the testsuite to fail during build or
> autopkgtest:
>
> | make: *** [/usr/lib/postgresql/17/lib/pgxs/src/makefiles/pgxs.mk:436:
> installcheck] Error 1
> | 2025-02-13 07:40:07.976 UTC [4366] LOG: starting PostgreSQL 17.2 (Debian
> 17.2-1+b2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-14) 14.2.0,
> 64-bit
> | 2025-02-13 07:40:07.977 UTC [4366] LOG: listening on IPv6 address "::1",
> port 5433
> | 2025-02-13 07:40:07.977 UTC [4366] LOG: listening on IPv4 address
> "127.0.0.1", port 5433
> | 2025-02-13 07:40:07.977 UTC [4366] LOG: listening on Unix socket
> "/tmp/.s.PGSQL.5433"
> | 2025-02-13 07:40:07.981 UTC [4369] LOG: database system was shut down at
> 2025-02-13 07:40:07 UTC
> | 2025-02-13 07:40:07.986 UTC [4366] LOG: database system is ready to accept
> connections
> | 2025-02-13 07:40:10.324 UTC [4407] debci@contrib_regression ERROR: could
> not load library "/usr/lib/postgresql/17/lib/pllua.so":
> /usr/lib/postgresql/17/lib/pllua.so: cannot enable executable stack as shared
> object requires: Invalid argument
> | 2025-02-13 07:40:10.324 UTC [4407] debci@contrib_regression STATEMENT:
> create extension pllua;
> | 2025-02-13 07:40:10.325 UTC [4407] debci@contrib_regression ERROR:
> required extension "pllua" is not installed
> | 2025-02-13 07:40:10.325 UTC [4407] debci@contrib_regression HINT: Use
> CREATE EXTENSION ... CASCADE to install required extensions too.
> | 2025-02-13 07:40:10.325 UTC [4407] debci@contrib_regression STATEMENT:
> create extension hstore_pllua;
> | 2025-02-13 07:40:10.352 UTC [4413] debci@contrib_regression ERROR:
> language "pllua" does not exist
> | 2025-02-13 07:40:10.352 UTC [4413] debci@contrib_regression HINT: Use
> CREATE EXTENSION to load the language into the database.
> | 2025-02-13 07:40:10.352 UTC [4413] debci@contrib_regression STATEMENT: do
> language pllua $$
>
> For a full log, see:
> https://ci.debian.net/data/autopkgtest/unstable/amd64/p/postgresql-pllua/57637374/log.gz
>
> While the toolchain defaults to non-executable stack, postgresql-pllua
> uses a custom ld command to embed lua code into the binary, which marks
> the resulting binary as requiring stack. This can be fixed with the
> following patch:
>
> --- postgresql-pllua-2.0.12.orig/Makefile > +++ postgresql-pllua-2.0.12/Makefile > @@ -42,7 +42,7 @@ OBJCOPY ?= objcopy > # GNU LD and compatible linkers (including recent clang lld) should be > # fine with -r -b binary, but this does break on some ports. > > -BIN_LD ?= $(LD) -r -b binary > +BIN_LD ?= $(LD) -r -b binary -znoexecstack > > # If BIN_ARCH and BIN_FMT are defined, we assume LD_BINARY is broken > # and do this instead. This is apparently needed for linux-mips64el,
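
Review bot: The added -znoexecstack on the BIN_LD line covers only the ld path, while the trailing context comment ("If BIN_ARCH and BIN_FMT are defined, we assume LD_BINARY is broken and do this instead") describes a second way of producing the embedded object that this hunk leaves untouched. Objects built that way would still carry no non-executable stack marking, so the same load failure could remain on the ports that use it; the alternative path should get an equivalent marking, or the build should check the final pllua.so for an executable-stack requirement. Two smaller points: because the assignment uses ?=, anyone who sets BIN_LD externally silently loses the flag, so keeping -znoexecstack in a separate variable appended to the command would be more robust, and the comment above the line ("should be fine with -r -b binary") should be updated to mention the new flag and why it is needed.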

Starting with binutils 2.44-2, a missing .note.GNU-stack note is considered
as a non-executable stack instead of an executable stack. Your package has
been binNMUed against this version, so it is now fine with regards to glibc
2.41.

That said it is likely that next versions of binutils (not targeted at
trixie) will just error out in case of a missing .note.GNU-stack. Therefore
I keep this bug open, but lower its severity to normal.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                     http://aurel32.net
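
A way to check a linked object for the condition discussed in this report, as an added example that is not part of the original messages or of the pllua project: it reads the PT_GNU_STACK program header, the marking the glibc error in the quoted log refers to. The names `stack_status` and `make_elf64` are hypothetical, and the sample ELF images are constructed in memory.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags

def stack_status(data: bytes) -> str:
    """Return 'noexec', 'exec' or 'missing' from an ELF image's PT_GNU_STACK header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        return "exec" if p_flags & PF_X else "noexec"
    # No header at all: the loader falls back to its architecture default.
    return "missing"

def make_elf64(phdrs):
    """Constructed sample: minimal little-endian ELF64 ET_DYN image with the
    given (p_type, p_flags) program headers and no other content."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    # Usage: python3 this_file.py /path/to/library.so [...]
    failed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status = stack_status(fh.read())
        print(f"{path}: {status}")
        failed |= status != "noexec"
    sys.exit(1 if failed else 0)
```

Run against the built shared object in a package test, a non-zero exit flags a library that asks for an executable stack or carries no marking at all.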

