FS#75560 - [matterbridge] disable executable stack caused by library bug

Attached to Project: Community Packages
Opened by Daniel Micay (thestinger) - Tuesday, 09 August 2022, 10:16 GMT
Last edited by Caleb Maclennan (alerque) - Monday, 22 August 2022, 11:21 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Caleb Maclennan (alerque)
Justin Kromlinger (hashworks)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

One of the libraries included by matterbridge has an ARM assembly code file that's included for x86_64 and causes the executable to have an executable stack: the .note.GNU-stack marker is wrapped inside an ifdef for ARM, so it's missing elsewhere and the stack gets marked executable. I've reported the bug upstream, but the project has 2 commits from over a year ago.

https://github.com/Benau/go_rlottie/issues/1

The project the code originates from appears to have fixed the issue in 2019 (https://github.com/Samsung/rlottie/commit/7bcbea3a5038e054a464153c8ebdb2e22336226d) but go_rlottie copy-pasted it from somewhere else that it was copy-pasted or forked. Not great since they aren't shipping other important fixes and all the more reason to want a non-executable stack and other mitigations since there is C and C++ code in matterbridge not getting security fixes due to copy-pasting into various Go libraries and not maintaining it.

For now, it would be nice to fix this in the package by adding -Wl,-z,noexecstack to LDFLAGS:

export CGO_LDFLAGS="$LDFLAGS -Wl,-z,noexecstack"

You can check before and after using scanelf from pax-utils:

% scanelf -e /usr/bin/matterbridge
TYPE STK/REL/PTL FILE
ET_DYN RWX R-- RW- /usr/bin/matterbridge

% scanelf -e /usr/bin/matterbridge
TYPE STK/REL/PTL FILE
ET_DYN RW- R-- RW- /usr/bin/matterbridge

Once this is resolved, you can add back MemoryDenyWriteExecute=true to the service file. Separately from that you might as well also add ProcSubset=pid and ProtectProc=invisible.

Closed by  Caleb Maclennan (alerque)
Monday, 22 August 2022, 11:21 GMT
Reason for closing:  Fixed
Additional comments about closing:  matterbridge-1.25.2-2
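The report above checks the stack policy with scanelf. The same fact lives in the binary's PT_GNU_STACK program header: GNU ld emits it with RWX when any input object lacks a .note.GNU-stack section (the go_rlottie case) and with RW- when every object has the note or -z noexecstack is passed. The following is an added example, not code from the bug report, matterbridge or go_rlottie: it reads p_flags of PT_GNU_STACK directly, so it works where pax-utils is not installed, and it also shows a post-link patch of that field, which is an assumption on my part about what a practitioner might want as a stopgap (the report's actual fix is the link-time flag). The sample ELF it builds is constructed inline and contains no code; the script also accepts a real path on the command line.

```python
"""Check (and optionally clear) the executable-stack bit of an ELF binary.

The linker records the stack policy in a PT_GNU_STACK program header.  GNU ld
marks it RWX if any input object lacks a .note.GNU-stack section and RW- when
linked with -z noexecstack.  This reads p_flags of that header directly, so it
needs neither scanelf nor readelf.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def _phdrs(data: bytes):
    """Yield (p_type, p_flags, file offset of the p_flags field) per program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, endian = data[4], data[5]
    bo = "<" if endian == 1 else ">"
    if cls == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        phoff, = struct.unpack_from(bo + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(bo + "HH", data, 54)
        for i in range(phnum):
            off = phoff + i * phentsize
            p_type, p_flags = struct.unpack_from(bo + "II", data, off)
            yield p_type, p_flags, off + 4
    elif cls == 1:  # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42, p_flags at +24
        phoff, = struct.unpack_from(bo + "I", data, 28)
        phentsize, phnum = struct.unpack_from(bo + "HH", data, 42)
        for i in range(phnum):
            off = phoff + i * phentsize
            p_type, = struct.unpack_from(bo + "I", data, off)
            p_flags, = struct.unpack_from(bo + "I", data, off + 24)
            yield p_type, p_flags, off + 24
    else:
        raise ValueError("unknown ELF class")


def _fmt(flags: int) -> str:
    """Render p_flags the way scanelf's STK column does, e.g. 'RW-' or 'RWX'."""
    return ("R" if flags & PF_R else "-") + ("W" if flags & PF_W else "-") + ("X" if flags & PF_X else "-")


def gnu_stack(data: bytes):
    """Return the PT_GNU_STACK permissions string, or None if the header is absent."""
    for p_type, p_flags, _ in _phdrs(data):
        if p_type == PT_GNU_STACK:
            return _fmt(p_flags)
    return None


def stack_is_executable(data: bytes) -> bool:
    """True unless PT_GNU_STACK is present and lacks PF_X.  A missing header means
    the kernel's per-architecture default applies; treat that as not hardened."""
    perms = gnu_stack(data)
    return perms is None or "X" in perms


def clear_exec_on_stack(data: bytes) -> bytes:
    """Return a copy with PF_X cleared on PT_GNU_STACK (a post-link stopgap, not the
    link-time -z noexecstack fix from the report)."""
    buf = bytearray(data)
    bo = "<" if data[5] == 1 else ">"
    for p_type, p_flags, flags_off in _phdrs(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into(bo + "I", buf, flags_off, p_flags & ~PF_X)
    return bytes(buf)


def build_sample_elf(stack_flags: int) -> bytes:
    """Constructed minimal x86-64 ET_DYN image with no code: ELF header, one PT_LOAD
    and one PT_GNU_STACK carrying stack_flags.  Sample input for offline demonstration."""
    phnum = 2
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident,
                       3, 62, 1,                 # ET_DYN, EM_X86_64, EV_CURRENT
                       0, 64, 0, 0,              # e_entry, e_phoff, e_shoff, e_flags
                       64, 56, phnum, 64, 0, 0)  # sizes and counts
    size = 64 + 56 * phnum
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, size, size, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
        print(f"{argv[1]}: STK {gnu_stack(data) or 'missing'}")
        return
    # What ld produces when an object lacks .note.GNU-stack, and the patched result.
    before = build_sample_elf(PF_R | PF_W | PF_X)
    after = clear_exec_on_stack(before)
    print("sample before:", gnu_stack(before))  # RWX
    print("sample after: ", gnu_stack(after))   # RW-


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path (for example the packaged /usr/bin/matterbridge) to get the same STK column scanelf prints; with no argument it walks through the constructed sample. Patching p_flags only changes what the kernel does at exec time, it does not fix the missing note in the object, so rebuilding with -Wl,-z,noexecstack in CGO_LDFLAGS remains the proper fix.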
Comment by Daniel Micay (thestinger) - Tuesday, 09 August 2022, 11:08 GMT
Upstream developer responded and said they'll fix it in a few days:

https://github.com/Benau/go_rlottie/issues/1#issuecomment-1209237893

I'm not familiar with Go's package ecosystem so I'm not sure how quickly it will propagate from there. Depends on how stuff is pinned. That project only has 2 commits and no tags. Not sure if stuff is simply grabbing latest master or pinning a revision.
