
FS#61231 - [scdoc] lacks PIE/RELRO

Attached to Project: Community Packages
Opened by Jelle van der Waa (jelly) - Tuesday, 01 January 2019, 14:39 GMT
Last edited by Brett Cornwall (ainola) - Friday, 04 January 2019, 05:34 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Brett Cornwall (ainola)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
scdoc lacks PIE/RELRO and on another note does not run the tests from upstream

Additional info:
* scdoc-1.6.0-2-x86_64.pkg.tar.xz


Steps to reproduce:

Build package or run checksec

scdoc W: ELF file ('usr/bin/scdoc') lacks FULL RELRO, check LDFLAGS.
scdoc W: ELF file ('usr/bin/scdoc') lacks PIE.

Closed by  Brett Cornwall (ainola)
Friday, 04 January 2019, 05:34 GMT
Reason for closing:  Fixed
Comment by Jelle van der Waa (jelly) - Tuesday, 01 January 2019, 14:40 GMT
Add running tests
Comment by Brett Cornwall (ainola) - Thursday, 03 January 2019, 13:48 GMT
It looks like these options are potentially incompatible with -static. For example, using `make PREFIX=/usr LDFLAGS="$LDFLAGS"` RELRO and PIE are available, but when running `make PREFIX=/usr LDFLAGS="$LDFLAGS" -static` RELRO and PIE are unavailable.

Upstream was also quick to respond that this is by design. In such a case, what is advised?

https://todo.sr.ht/%7Esircmpwn/scdoc/17
Comment by Eli Schwartz (eschwartz) - Thursday, 03 January 2019, 20:36 GMT
Well, that's always the case with static binaries. On the other hand, we probably do not want to build it statically... what is the purpose of statically compiling our binaries???

Yes, there are special cases to want statically compiled binaries. I do this for busybox, but that's meant to be capable of operating completely independently of libc, which can come in useful if your system is borked and nothing works. Similarly, I jump through tremendous hoops to statically build the entire dependency tree of pacman in order to build an AUR package for "pacman-static" that can be used in recovery situations. Note: both use musl libc as that is a lot friendlier to static compilation!
Comment by Brett Cornwall (ainola) - Friday, 04 January 2019, 05:33 GMT
I'm in agreement with Eli. There's no point to keeping it static. Despite upstream's comment on there being a minuscule attack surface, the lack of a need for -static means I'll just override LDFLAGS.
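As an added illustration of the two namcap warnings quoted in the description and of Brett's observation that `-static` makes PIE and RELRO "unavailable" (this is example code written for this page, not part of namcap, scdoc or the Arch packaging tools), the script below reads the ELF64 header, program headers and dynamic section directly and reports PIE and RELRO status the way checksec and namcap do: PIE is an `ET_DYN` executable (like namcap, it does not try to tell a PIE apart from a shared object, an assumption), partial RELRO is a `PT_GNU_RELRO` segment, and full RELRO additionally needs `BIND_NOW` in the dynamic section. The `build_sample_elf` helper constructs minimal, non-runnable ELF images so the checker can be exercised offline; a conventional `-static` link produces an `ET_EXEC` image with no `PT_DYNAMIC` segment, which is exactly the case the checker flags as lacking both.

```python
"""Report PIE and RELRO status of a 64-bit ELF, namcap/checksec style (added example)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'full'|'partial'|'none', 'static': bool}."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 little, 2 big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz (first 40 bytes of Elf64_Phdr)
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from(end + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True

    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro, "static": dyn_off is None}


def namcap_style_warnings(label: str, data: bytes) -> list:
    """Produce the same two warning lines namcap printed for usr/bin/scdoc."""
    result = check_hardening(data)
    warnings = []
    if result["relro"] != "full":
        warnings.append(f"W: ELF file ('{label}') lacks FULL RELRO, check LDFLAGS.")
    if not result["pie"]:
        warnings.append(f"W: ELF file ('{label}') lacks PIE.")
    return warnings


def build_sample_elf(e_type: int, relro: bool, dyn_entries) -> bytes:
    """Construct a minimal little-endian ELF64 image (headers only, not executable).

    dyn_entries is a list of (d_tag, d_val) pairs, or None for no dynamic section
    (what a conventional -static link looks like). Constructed test data, not a real binary.
    """
    dyn = b""
    if dyn_entries is not None:
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
        dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = int(relro) + int(bool(dyn))
    dyn_off = 64 + 56 * phnum                           # program headers follow the 64-byte header
    phdrs = b""
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    if dyn:
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return header + phdrs + dyn


if __name__ == "__main__":
    # Usage: python check_hardening.py usr/bin/scdoc [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line in namcap_style_warnings(path, fh.read()) or [f"{path}: PIE + full RELRO"]:
                print(line)
```

Run it against a built binary to get the same two lines namcap emitted; a `-static` build of scdoc yields both warnings because the image is `ET_EXEC` with no dynamic section, while the `LDFLAGS="$LDFLAGS"` build (Arch's default `-Wl,-z,relro,-z,now` plus PIE) yields none.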