Re: rpmlint: new "executable stack" warnings on rawhide
On Tue, 2019-04-16 at 19:44 +0200, Fabio Valentini wrote:
> On Tue, Apr 16, 2019 at 6:11 PM Adam Williamson wrote:
> > On Sun, 2019-03-17 at 12:07 +0100, Fabio Valentini wrote:
> > > Hi everybody,
> > >
> > > I've noticed that as of some days ago, some packages I build on
> > > rawhide are now triggering the "W: executable-stack" warning for
> > > all included executables and shared libraries.
> > >
> > > I'm not sure which change might be the cause of this, but meson
> > > 0.50.0 seems to be a good candidate, since all my affected
> > > packages are built with meson and the new version landed six days
> > > ago.
> > >
> > > Is that new warning something we should worry about?
> >
> > Just to loop back on this...this wound up causing a release blocker
> > bug:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1699099
> >
> > mclasen, mcatanzaro and I investigated it and eventually worked out
> > that it is indeed caused by a bug in meson 0.50.0:
> >
> > https://github.com/mesonbuild/meson/issues/5268
> >
> > the offending meson change was actually later reverted for other
> > reasons. I have now backported the reversion to the Fedora meson
> > packages and am rebuilding everything that was built with meson 0.50.0
> > (it's likely that at least some of the rebuilds aren't strictly
> > necessary, but it's easier to rebuild everything than try to figure out
> > which packages did and didn't wind up with execstack marked bits).
> >
> > Note meson 0.50.0 wound up in the buildroots for F29 and F30 as well as
> > Rawhide, so there are rebuilds for all three going through.
> >
> > Once I've rebuilt everything (there are quite a lot of things) I'll
> > figure out a strategy for sending out updates.
>
> Since you probably have a list of affected packages / builds, I can
> help by submitting updates for my own packages at least (once the
> rebuilds are finished), if that helps.

Thanks, but it's probably gonna be easier for one person just to do it,
so we don't have to spend cycles trying to co-ordinate :P I'll let you
know if I need help, though.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Re: rpmlint: new "executable stack" warnings on rawhide
On Tue, Apr 16, 2019 at 6:11 PM Adam Williamson wrote:
>
> On Sun, 2019-03-17 at 12:07 +0100, Fabio Valentini wrote:
> > Hi everybody,
> >
> > I've noticed that as of some days ago, some packages I build on
> > rawhide are now triggering the "W: executable-stack" warning for all
> > included executables and shared libraries.
> >
> > I'm not sure which change might be the cause of this, but meson 0.50.0
> > seems to be a good candidate, since all my affected packages are built
> > with meson and the new version landed six days ago.
> >
> > Is that new warning something we should worry about?
>
> Just to loop back on this...this wound up causing a release blocker
> bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1699099
>
> mclasen, mcatanzaro and I investigated it and eventually worked out
> that it is indeed caused by a bug in meson 0.50.0:
>
> https://github.com/mesonbuild/meson/issues/5268
>
> the offending meson change was actually later reverted for other
> reasons. I have now backported the reversion to the Fedora meson
> packages and am rebuilding everything that was built with meson 0.50.0
> (it's likely that at least some of the rebuilds aren't strictly
> necessary, but it's easier to rebuild everything than try to figure out
> which packages did and didn't wind up with execstack marked bits).
>
> Note meson 0.50.0 wound up in the buildroots for F29 and F30 as well as
> Rawhide, so there are rebuilds for all three going through.
>
> Once I've rebuilt everything (there are quite a lot of things) I'll
> figure out a strategy for sending out updates.

Since you probably have a list of affected packages / builds, I can
help by submitting updates for my own packages at least (once the
rebuilds are finished), if that helps.

Fabio

> Thanks for spotting this earlier, wish we'd worked out the cause at the
> time, it would've saved some pain!
> --
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
> http://www.happyassassin.net

Re: rpmlint: new "executable stack" warnings on rawhide
On Sun, 2019-03-17 at 12:07 +0100, Fabio Valentini wrote:
> Hi everybody,
>
> I've noticed that as of some days ago, some packages I build on rawhide
> are now triggering the "W: executable-stack" warning for all included
> executables and shared libraries.
>
> I'm not sure which change might be the cause of this, but meson 0.50.0
> seems to be a good candidate, since all my affected packages are built
> with meson and the new version landed six days ago.
>
> Is that new warning something we should worry about?

Just to loop back on this...this wound up causing a release blocker
bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1699099

mclasen, mcatanzaro and I investigated it and eventually worked out
that it is indeed caused by a bug in meson 0.50.0:

https://github.com/mesonbuild/meson/issues/5268

the offending meson change was actually later reverted for other
reasons. I have now backported the reversion to the Fedora meson
packages and am rebuilding everything that was built with meson 0.50.0
(it's likely that at least some of the rebuilds aren't strictly
necessary, but it's easier to rebuild everything than try to figure out
which packages did and didn't wind up with execstack marked bits).

Note meson 0.50.0 wound up in the buildroots for F29 and F30 as well as
Rawhide, so there are rebuilds for all three going through.

Once I've rebuilt everything (there are quite a lot of things) I'll
figure out a strategy for sending out updates.

Thanks for spotting this earlier, wish we'd worked out the cause at the
time, it would've saved some pain!
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

Re: rpmlint: new "executable stack" warnings on rawhide
On Sun, Mar 17, 2019 at 12:07 PM Fabio Valentini wrote:
>
> Hi everybody,
>
> I've noticed that as of some days ago, some packages I build on rawhide
> are now triggering the "W: executable-stack" warning for all included
> executables and shared libraries.
>
> I'm not sure which change might be the cause of this, but meson 0.50.0
> seems to be a good candidate, since all my affected packages are built
> with meson and the new version landed six days ago.
>
> Is that new warning something we should worry about?
>
> Fabio

Well, it turns out, it *was* a bug in meson 0.50.0 which, by now, has
affected a long list of packages and is starting to cause issues with
SELinux denials, etc.

The issue is tracked at [0] and meson has been fixed for all branches of
fedora, rebuilds of affected packages are running now.

Fabio

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1699099

Re: rpmlint: new "executable stack" warnings on rawhide
On Sunday, 17.03.2019, at 15:00 +0100, Fabio Valentini wrote:
> On Sun, Mar 17, 2019 at 2:49 PM John Reiser wrote:
> > > I've noticed that as of some days ago, some packages I build on
> > > rawhide are now triggering the "W: executable-stack" warning for
> > > all included executables and shared libraries.
> > >
> > > I'm not sure which change might be the cause of this, but meson
> > > 0.50.0 seems to be a good candidate, since all my affected
> > > packages are built with meson and the new version landed six days
> > > ago.
> > >
> > > Is that new warning something we should worry about?
> >
> > Yes. The warning means that an executable is not as secure as it
> > could be against malware.
> >
> > The likely cause is some assembly-language source file that lacks a
> > line such as
> >     .section .note.GNU-stack,"",@progbits
> > which tells the assembler and static binder (/usr/bin/ld) that "the
> > code in this file does not need an executable stack."
>
> No, that's not it. The packages that now trigger this warning don't
> contain any assembly sources, only Vala (which is compiled to C) and
> C.
> For example:
> https://taskotron.fedoraproject.org/artifacts/all/2ac7eb02-48a6-11e9-a48a-525400fc9f92/tests.yml/elementary-code-3.1.1-1.fc31.log
>
> Fabio
>
> > To identify the files that lack the line:
> >     find src -name '*.S' | sort > files-S.txt
> >     grep -l note.GNU-stack $(< files-S.txt) > files-non-W-stack.txt
> >     comm -3 files-S.txt files-non-W-stack.txt
> >
> > To remove the warning: append the line to the end of each file
> > listed in the output from 'comm'.

Did you examine the C code files generated from the Vala sources not to
have local functions that are called through function pointers? See [1]
as a reference.

[1] https://www.win.tue.nl/~aeb/linux/hh/protection.html

Re: rpmlint: new "executable stack" warnings on rawhide
On Sun, Mar 17, 2019 at 2:49 PM John Reiser wrote:
>
> > I've noticed that as of some days ago, some packages I build on
> > rawhide are now triggering the "W: executable-stack" warning for all
> > included executables and shared libraries.
> >
> > I'm not sure which change might be the cause of this, but meson 0.50.0
> > seems to be a good candidate, since all my affected packages are built
> > with meson and the new version landed six days ago.
> >
> > Is that new warning something we should worry about?
>
> Yes. The warning means that an executable is not as secure as it could
> be against malware.
>
> The likely cause is some assembly-language source file that lacks a line
> such as
>     .section .note.GNU-stack,"",@progbits
> which tells the assembler and static binder (/usr/bin/ld) that "the code
> in this file does not need an executable stack."

No, that's not it. The packages that now trigger this warning don't
contain any assembly sources, only Vala (which is compiled to C) and C.
For example:
https://taskotron.fedoraproject.org/artifacts/all/2ac7eb02-48a6-11e9-a48a-525400fc9f92/tests.yml/elementary-code-3.1.1-1.fc31.log

Fabio

> To identify the files that lack the line:
>     find src -name '*.S' | sort > files-S.txt
>     grep -l note.GNU-stack $(< files-S.txt) > files-non-W-stack.txt
>     comm -3 files-S.txt files-non-W-stack.txt
>
> To remove the warning: append the line to the end of each file listed
> in the output from 'comm'.

Re: rpmlint: new "executable stack" warnings on rawhide
> I've noticed that as of some days ago, some packages I build on rawhide
> are now triggering the "W: executable-stack" warning for all included
> executables and shared libraries.
>
> I'm not sure which change might be the cause of this, but meson 0.50.0
> seems to be a good candidate, since all my affected packages are built
> with meson and the new version landed six days ago.
>
> Is that new warning something we should worry about?

Yes. The warning means that an executable is not as secure as it could
be against malware.

The likely cause is some assembly-language source file that lacks a line
such as
    .section .note.GNU-stack,"",@progbits
which tells the assembler and static binder (/usr/bin/ld) that "the code
in this file does not need an executable stack."

To identify the files that lack the line:
    find src -name '*.S' | sort > files-S.txt
    grep -l note.GNU-stack $(< files-S.txt) > files-non-W-stack.txt
    comm -3 files-S.txt files-non-W-stack.txt

To remove the warning: append the line to the end of each file listed
in the output from 'comm'.
