Bug 120846 - pycrypto causes a problem with ssp & inline functions
Summary: pycrypto causes a problem with ssp & inline functions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High major
Assignee: Python Gentoo Team
Duplicates: 121009 121904
 
Reported: 2006-01-29 11:21 UTC by Mike Auty (RETIRED)
Modified: 2006-08-22 07:40 UTC

Attachments
testcase (die.py,350 bytes, text/plain)
2006-01-30 07:51 UTC, Marien Zwart (RETIRED)

Description Mike Auty (RETIRED) gentoo-dev 2006-01-29 11:21:18 UTC
Hi, after upgrading to portage-2.1_pre4 I've had problems emerging both pax-utils and now the latest copy of portage.  The problem occurs when checking sha1 hashes, and gives the errors below:

>>> starting parallel fetching
>>> emerge (1 of 51) sys-apps/portage-2.1_pre4-r1 to /
>>> checksums files   ;-) portage-2.1_pre4-r1.ebuild
>>> checksums files   ;-) portage-2.0.53.ebuild
>>> checksums files   ;-) portage-2.1_pre3-r1.ebuild
>>> checksums files   ;-) portage-2.0.54.ebuild
>>> checksums files   ;-) portage-2.0.51.22-r3.ebuild
>>> checksums files   ;-) files/05portage.envd
>>> checksums files   ;-) files/2.0.51.22-fixes.patch
>>> checksums files   ;-) files/xterm-titles.patch
>>> checksums files   ;-) files/digest-portage-2.0.53
>>> checksums files   ;-) files/digest-portage-2.0.54
python: stack smashing attack in function sha_done()
Aborted

I've marked this as major since it impacts on the installation of programs.  There is a workaround (FEATURES="-strict") but this seems like only a temporary fix.  It's very odd, since I've only had it with one of the four machines I run.  I've tried recompiling pycrypto, and portage and finally python, but python failed one of its tests (seemingly the sha test succeeded though).

Portage 2.1_pre4 (default-linux/x86/2005.1, gcc-3.4.5, glibc-2.3.6-r2, 2.6.16-rc1 i686)
=================================================================
System uname: 2.6.16-rc1 i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.12.0_pre15
ccache version 2.4 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache cvs distlocks parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/shc-tools /usr/local/overlays/personal"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 GAPING_SECURITY_HOLE X acl acpi alsa amrr animation asf avi bash-completion berkdb bitmap-fonts bluetooth boundschecking browserplugin bzip2postgres cairo cdr crypt cups dbus dlloader dri dvb dvd dvi eds emboss encode ethereal foomaticdb fortran gdbm gif gimpprint glitz gnome gnuplot gps graphviz gstreamer gtk gtk2 gtkhtml hal hardened ipv6 java john jpeg ldap ldapsam libg++ libwww mad madwifi mailwrapper mikmod mmx mng mp3 mpeg mscash mssql mysql nautilus ncurses nls nptl nptlonly ntlm ogg oggvorbis opengl pam pcmcia pdflib pic pie plot png pylibpcap python quicktime readline sasl sdl slp smux snmp sox spell sse sse2 ssl svg svn-mirror syslog tcpd theora threads truetype truetype-fonts type1-fonts udev usb vorbis win32codecs winbind xml2 xv xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux userland_GNU video_cards_ati"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 MrSnivvel 2006-01-29 11:48:51 UTC
I can confirm this also.  Though I see it when trying to emerge the latest hardened kernel, sys-kernel/hardened-sources-2.6.14-r4.

Portage 2.1_pre4 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.6-r2, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Pentium II (Deschutes)
Gentoo Base System version 1.12.0_pre15
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx -funroll-all-loops"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx -funroll-all-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig candy ccache distlocks fixpackages loadpolicy sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://mirror.gentoo.no/ http://pandemonium.tiscali.de/pub/gentoo/ http://mirror.espri.arizona.edu/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://gentoo.mirror.solnet.ch http://cudlug.cudenver.edu/gentoo/ http://ds.thn.htu.se/linux/gentoo http://modzer0.cs.uaf.edu/public/gentoo/ http://gentoo.ccccom.com http://mir.zyrianes.net/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.mirrors.tds.net/gentoo http://gentoo.arcticnetwork.ca/ http://gentoo.chem.wisc.edu/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.ynet.sk/pub http://lug.mtu.edu/gentoo http://gentoo.blueyonder.co.uk http://mirror.datapipe.net/gentoo http://gentoo.ITDNet.net/gentoo http://www.die.unipd.it/pub/Linux/distributions/gentoo-sources/ http://mirror.datapipe.net/gentoo http://gentoo.prz.rzeszow.pl http://mirrors.acm.cs.rpi.edu/gentoo/ http://mirror.usu.edu/mirrors/gentoo/ http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.math.bme.hu http://mirror.pudas.net/gentoo http://gentoo.netnitco.net http://gentoo.seren.com/gentoo http://prometheus.cs.wmich.edu/gentoo"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl acpi alsa apache2 apm arts avi bash-completion berkdb bzip2 bzlib crypt dba directfb doc eds emboss encode fbcon foomaticdb fortran gd gdbm gif gpm gstreamer hardened hardenedphp imlib ipv6 ithreads jpeg kerberos libg++ libwww mad madwifi md5sum mikmod mmx motif mp3 mpeg mysql ncurses nls nptl nptlonly offensive ogg oggvorbis oss pam pcntl pcre pdflib perl php png postgres python quicktime readline samba sasl session sockets spell ssl sysfs tcpd threads udev unicode userlocales vorbis xml2 xmms xsl zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LDFLAGS, LINGUAS
Comment 2 Mike Auty (RETIRED) gentoo-dev 2006-01-29 12:29:52 UTC
Using FEATURES="-strict" has allowed me to pass pax-utils and portage, but I'm now running into difficulties with xorg-x11-7.0-r1.
Comment 3 solar (RETIRED) gentoo-dev 2006-01-29 12:54:14 UTC
What version of pycrypto? 
Comment 4 solar (RETIRED) gentoo-dev 2006-01-29 12:56:21 UTC
Everybody that's hitting this is using -O3?
Comment 5 MrSnivvel 2006-01-29 13:05:05 UTC
wireless ~ # esearch pycrypto
[ Results for search key : pycrypto ]
[ Applications found : 1 ]

*  dev-python/pycrypto
      Latest version available: 2.0.1
      Latest version installed: 2.0.1
      Size of downloaded files: 150 kB
      Homepage:    http://www.amk.ca/python/code/crypto.html
      Description: Python Cryptography Toolkit
      License:     freedist

And yes, I'm using -O3
Comment 6 MrSnivvel 2006-01-29 13:07:58 UTC
*  sys-apps/portage
      Latest version available: 2.1_pre4-r1
      Latest version installed: 2.1_pre4-r1
      Size of downloaded files: 731 kB
      Homepage:    http://www.gentoo.org/
      Description: The Portage Package Management System. The primary package management and distribution system for Gentoo.
      License:     GPL-2

Upgrade of portage did not change outcome of emerging hardened-sources, but I did find that I could start the emerge of postgresql without issue, emerging now.
Comment 7 Mike Auty (RETIRED) gentoo-dev 2006-01-29 13:10:17 UTC
Wow, I'd never noticed that, I'd always thought I only ever used -O2, but sure enough, yep, I'm using -O3 as well.  I'm moving down to -O2 to see if that helps.  I'll report back here.
Comment 8 solar (RETIRED) gentoo-dev 2006-01-29 13:10:39 UTC
I've got the same portage/pycrypto versions but I'm using -Os and uClibc and don't hit this bug. Can you try backing the CFLAGS down to '-Os -pipe' for the sake of testing?
Comment 9 Mike Auty (RETIRED) gentoo-dev 2006-01-29 13:16:19 UTC
If it helps, I've had three other machines all work fine (emerging pax-utils etc), and I've just checked them.  They're all running -O2.

After recompiling pycrypto with -O2, I'm no longer having problems emerging pax-utils.  Looks like this was the problem...
Comment 10 solar (RETIRED) gentoo-dev 2006-01-29 14:40:52 UTC
In normal python there was a call to this.
use hardened && replace-flags -O3 -O2
We probably need to do the same for pycrypto.
Comment 11 Marien Zwart (RETIRED) gentoo-dev 2006-01-30 07:51:31 UTC
Created attachment 78502 [details]
testcase

portage-independent testcase that crashes when pycrypto is compiled with ssp and -finline-functions.
Comment 12 Marien Zwart (RETIRED) gentoo-dev 2006-01-30 07:54:49 UTC
The problem is triggered by -finline-functions and ssp: I crashed with CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3 implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds -fno-inline-functions to CFLAGS when ssp is used. Can people please test this one? I will probably add it to the stable pycrypto in a bit if it at least works around the problem.
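
The flag decision discussed in comments 10 and 12 (append -fno-inline-functions only when SSP and function inlining are both in effect), as an added example that is not part of the bug thread or the pycrypto ebuild. The function names are hypothetical, and the rule that only -O3 implies -finline-functions is the gcc-3.4.5 behaviour stated in comment 12.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not Portage/eclass helpers.

# inlining_active "<cflags>": prints yes/no.
# Assumption from the thread (gcc-3.4.5): only -O3 implies -finline-functions.
# GCC rules: the last -O level wins; an explicit -f[no-]inline-functions
# overrides the level's default wherever it appears.
inlining_active() {
    level_default=no explicit=
    for flag in $1; do
        case "$flag" in
            -O3)                   level_default=yes ;;
            -O*)                   level_default=no ;;
            -finline-functions)    explicit=yes ;;
            -fno-inline-functions) explicit=no ;;
        esac
    done
    printf '%s\n' "${explicit:-$level_default}"
}

# ssp_active "<cflags>" "<default>": prints yes/no. <default> is yes for a
# compiler that enables SSP by itself (the hardened gcc in the thread).
ssp_active() {
    state=$2
    for flag in $1; do
        case "$flag" in
            -fstack-protector*)    state=yes ;;
            -fno-stack-protector*) state=no ;;
        esac
    done
    printf '%s\n' "$state"
}

# safe_cflags "<cflags>" "<default>": append the workaround only when SSP and
# inlining would both be in effect, leaving SSP itself switched on.
safe_cflags() {
    if [ "$(ssp_active "$1" "$2")" = yes ] &&
       [ "$(inlining_active "$1")" = yes ]; then
        printf '%s\n' "$1 -fno-inline-functions"
    else
        printf '%s\n' "$1"
    fi
}

# CFLAGS quoted in the thread, evaluated for a hardened (SSP-by-default) gcc.
for sample in "-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer" \
              "-O1 -finline-functions -ggdb" "-Os -pipe"; do
    printf '%s\n  -> %s\n' "$sample" "$(safe_cflags "$sample" yes)"
done
```
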
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2006-01-30 23:46:39 UTC
*** Bug 121009 has been marked as a duplicate of this bug. ***
Comment 14 Roy Marples (RETIRED) gentoo-dev 2006-01-31 03:49:30 UTC
(In reply to comment #12)
> The problem is triggered by -finline-functions and ssp: I crashed with
> CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> one? I will probably add it to the stable pycrypto in a bit if it at least
> works around the problem.

Works for me :)

Comment 15 barthek 2006-02-01 02:49:42 UTC
Works here as well. Thanks! :)
Comment 16 Daniel Seyffer 2006-02-03 12:27:51 UTC
Same here. I'm just using -O2 (and no -finline-functions in CFLAGS!).

Doing FEATURES="-strict" emerge pycrypto fixed it.
Comment 17 solar (RETIRED) gentoo-dev 2006-02-06 19:16:49 UTC
*** Bug 121904 has been marked as a duplicate of this bug. ***
Comment 18 Mike Auty (RETIRED) gentoo-dev 2006-03-23 11:14:58 UTC
Ok, so, is this bug fixed then?  I'm no longer suffering the issues, there have been many positive results at the end of this bug, and it refers to an (at least) two version old copy of portage, so I'm going to close the bug.  If anyone feels it should stay open, or is still suffering problems, please post here and I'll reopen it again.  Thanks...
Comment 19 Myles Goodwin 2006-08-22 07:40:26 UTC
(In reply to comment #14)
> (In reply to comment #12)
> > The problem is triggered by -finline-functions and ssp: I crashed with
> > CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> > implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> > -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> > one? I will probably add it to the stable pycrypto in a bit if it at least
> > works around the problem.
> 
> Works for me :)
> 


Worked for me.  Did:

CFLAGS="-fno-inline-functions" FEATURES="-strict" emerge -v =pycrypto-2.0.1-r5

Compiled fine.  Then did:

CFLAGS="-fno-inline-functions" emerge -v =pycrypto-2.0.1-r5

Compiled fine as well, and no more stack smashing attacks when emerging packages.  Can we hard code this CFLAG into the ebuild so this works for everybody?