FS#43236 - [zip] missing RELRO (does not respect LDFLAGS)
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Friday, 26 December 2014, 08:01 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:23 GMT
Opened by Daniel Micay (thestinger) - Friday, 26 December 2014, 08:01 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:23 GMT
|
Details
All of the executables are missing RELRO because the build
system doesn't respect LDFLAGS. This can be solved either by
modifying the build system or by adding
makedepends=(hardening-wrapper).
The zipsplit executable is also missing stack canaries, but when I rebuild it the problem fixes itself. Perhaps it was built without -fstack-protector-strong in the makepkg configuration? |
This task depends upon
Closed by Gaetan Bisson (vesath)
Sunday, 18 January 2015, 21:23 GMT
Reason for closing: Fixed
Additional comments about closing: zip-3.0-6 in [extra]
Sunday, 18 January 2015, 21:23 GMT
Reason for closing: Fixed
Additional comments about closing: zip-3.0-6 in [extra]
Ignore this part - I was reading the wrong line in the output.
CC="gcc" CFLAGS="-I. -DUNIX -O3 -DBZIP2_SUPPORT -DUIDGID_NOT_16BIT -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DHAVE_DIRENT_H -DHAVE_TERMIOS_H" CPP="/usr/bin/cpp" OBJA="" OCRCU8="crc32_.o " OCRCTB="" BINDIR=/usr/local/bin MANDIR=manl LFLAGS1="" LFLAGS2=" -lbz2" LN="ln -s" CC_BZ="gcc" CFLAGS_BZ=" -O3" IZ_BZIP2="bzip2" LIB_BZ=""
So, there's still no RELRO and SSP:
% checksec --file /usr/bin/zip
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH /usr/bin/zip
This prepare() function works:
prepare() {
cd "${srcdir}/${pkgname}${_pkgver}"
sed \
-e "/^CFLAGS_NOOPT =/s/\$/ $CPPFLAGS $CFLAGS/" \
-i unix/Makefile
sed \
-e "s/^LFLAGS1=''/LFLAGS1=$LDFLAGS/" \
-i unix/configure
}
% checksec --file /usr/bin/zip
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/bin/zip
flags: unix/configure
sh unix/configure "${CC}" "${CFLAGS_NOOPT}" "${IZ_BZIP2}"