FS#43236 - [zip] missing RELRO (does not respect LDFLAGS)

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Friday, 26 December 2014, 08:01 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:23 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

All of the executables are missing RELRO because the build system doesn't respect LDFLAGS. This can be solved either by modifying the build system or by adding makedepends=(hardening-wrapper).

The zipsplit executable is also missing stack canaries, but when I rebuild it the problem fixes itself. Perhaps it was built without -fstack-protector-strong in the makepkg configuration?

Closed by  Gaetan Bisson (vesath)
Sunday, 18 January 2015, 21:23 GMT
Reason for closing:  Fixed
Additional comments about closing:  zip-3.0-6 in [extra]
Comment by Daniel Micay (thestinger) - Friday, 26 December 2014, 08:03 GMT
> The zipsplit executable is also missing stack canaries, but when I rebuild it the problem fixes itself. Perhaps it was built without -fstack-protector-strong in the makepkg configuration?

Ignore this part - I was reading the wrong line in the output.
Comment by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 05:56 GMT
Could you check that zip-3.0-5 does what you want?
Comment by Daniel Micay (thestinger) - Sunday, 18 January 2015, 14:14 GMT
The flags target in the Makefile runs the configure script and creates this top-level flags file with a bunch of hardcoded flags, so the modifications to the Makefile don't actually have an impact:


CC="gcc" CFLAGS="-I. -DUNIX -O3 -DBZIP2_SUPPORT -DUIDGID_NOT_16BIT -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DHAVE_DIRENT_H -DHAVE_TERMIOS_H" CPP="/usr/bin/cpp" OBJA="" OCRCU8="crc32_.o " OCRCTB="" BINDIR=/usr/local/bin MANDIR=manl LFLAGS1="" LFLAGS2=" -lbz2" LN="ln -s" CC_BZ="gcc" CFLAGS_BZ=" -O3" IZ_BZIP2="bzip2" LIB_BZ=""

So, there's still no RELRO and SSP:

% checksec --file /usr/bin/zip
RELRO           STACK CANARY      NX            PIE       RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE    No RPATH   No RUNPATH   /usr/bin/zip

This prepare() function works:

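prepare() {
	cd "${srcdir}/${pkgname}${_pkgver}"

	# Append makepkg's CPPFLAGS and CFLAGS to CFLAGS_NOOPT in the Makefile
	sed \
		-e "/^CFLAGS_NOOPT =/s/\$/ $CPPFLAGS $CFLAGS/" \
		-i unix/Makefile

	# Seed LFLAGS1 in the configure script with makepkg's LDFLAGS
	sed \
		-e "s/^LFLAGS1=''/LFLAGS1=$LDFLAGS/" \
		-i unix/configure
}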

% checksec --file /usr/bin/zip
RELRO           STACK CANARY      NX            PIE       RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE    No RPATH   No RUNPATH   /usr/bin/zip
Comment by Daniel Micay (thestinger) - Sunday, 18 January 2015, 14:15 GMT
ugh, silly bug tracker eating tabs...
Comment by Daniel Micay (thestinger) - Sunday, 18 January 2015, 14:23 GMT
It doesn't actually care about the unsuffixed CFLAGS defined in the Makefile at all, which is why it actually uses -O3 (from the configure script):

flags: unix/configure
	sh unix/configure "${CC}" "${CFLAGS_NOOPT}" "${IZ_BZIP2}"
Comment by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:23 GMT
Thanks!
