Bug 120846 - pycrypto causes a problem with ssp & inline functions
Bug#: 120846
Product: Gentoo Linux
Version: 2005.1
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: python@gentoo.org
Reported By: ikelos@gentoo.org
Component: Hardened
URL: 
Summary: pycrypto causes a problem with ssp & inline functions
Keywords:  
Status Whiteboard: 
Opened: 2006-01-29 11:21 0000
Description:
Hi, after upgrading to portage-2.1_pre4 I've had problems emerging both
pax-utils and now the latest copy of portage. The problem occurs when checking
sha1 hashes, and gives the errors below:

>>> starting parallel fetching
>>> emerge (1 of 51) sys-apps/portage-2.1_pre4-r1 to /
>>> checksums files   ;-) portage-2.1_pre4-r1.ebuild
>>> checksums files   ;-) portage-2.0.53.ebuild
>>> checksums files   ;-) portage-2.1_pre3-r1.ebuild
>>> checksums files   ;-) portage-2.0.54.ebuild
>>> checksums files   ;-) portage-2.0.51.22-r3.ebuild
>>> checksums files   ;-) files/05portage.envd
>>> checksums files   ;-) files/2.0.51.22-fixes.patch
>>> checksums files   ;-) files/xterm-titles.patch
>>> checksums files   ;-) files/digest-portage-2.0.53
>>> checksums files   ;-) files/digest-portage-2.0.54
python: stack smashing attack in function sha_done()
Aborted

I've marked this as major since it impacts on the installation of programs.
There is a workaround (FEATURES="-strict") but this seems like only a
temporary fix. It's very odd, since I've only had it with one of the four
machines I run. I've tried recompiling pycrypto, and portage and finally
python, but python failed one of its tests (seemingly the sha test succeeded
though).

Portage 2.1_pre4 (default-linux/x86/2005.1, gcc-3.4.5, glibc-2.3.6-r2,
2.6.16-rc1 i686)
=================================================================
System uname: 2.6.16-rc1 i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.12.0_pre15
ccache version 2.4 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache cvs distlocks parallel-fetch sandbox
sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/shc-tools /usr/local/overlays/personal"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 GAPING_SECURITY_HOLE X acl acpi alsa amrr animation asf avi
bash-completion berkdb bitmap-fonts bluetooth boundschecking browserplugin
bzip2postgres cairo cdr crypt cups dbus dlloader dri dvb dvd dvi eds emboss
encode ethereal foomaticdb fortran gdbm gif gimpprint glitz gnome gnuplot gps
graphviz gstreamer gtk gtk2 gtkhtml hal hardened ipv6 java john jpeg ldap
ldapsam libg++ libwww mad madwifi mailwrapper mikmod mmx mng mp3 mpeg mscash
mssql mysql nautilus ncurses nls nptl nptlonly ntlm ogg oggvorbis opengl pam
pcmcia pdflib pic pie plot png pylibpcap python quicktime readline sasl sdl slp
smux snmp sox spell sse sse2 ssl svg svn-mirror syslog tcpd theora threads
truetype truetype-fonts type1-fonts udev usb vorbis win32codecs winbind xml2 xv
xvid zlib elibc_glibc input_devices_keyboard input_devices_mouse
input_devices_evdev kernel_linux userland_GNU video_cards_ati"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LANG, LC_ALL, LDFLAGS, LINGUAS

------- Comment #1 From Matt McAdoo 2006-01-29 11:48:51 0000 -------
I can confirm this also. Though I see it when trying to emerge the latest
hardened kernel, sys-kernel/hardened-sources-2.6.14-r4.

Portage 2.1_pre4 (default-linux/x86/2005.0, gcc-3.4.5, glibc-2.3.6-r2,
2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Pentium II (Deschutes)
Gentoo Base System version 1.12.0_pre15
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx
-funroll-all-loops"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium2 -mtune=pentium2 -fomit-frame-pointer -pipe -mmmx
-funroll-all-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig candy ccache distlocks fixpackages loadpolicy sandbox
sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org/
http://distro.ibiblio.org/pub/linux/distributions/gentoo/
http://mirror.gentoo.no/ http://pandemonium.tiscali.de/pub/gentoo/
http://mirror.espri.arizona.edu/gentoo/ http://ftp.easynet.nl/mirror/gentoo/
http://gentoo.mirror.solnet.ch http://cudlug.cudenver.edu/gentoo/
http://ds.thn.htu.se/linux/gentoo http://modzer0.cs.uaf.edu/public/gentoo/
http://gentoo.ccccom.com http://mir.zyrianes.net/gentoo/
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
http://gentoo.mirrors.tds.net/gentoo http://gentoo.arcticnetwork.ca/
http://gentoo.chem.wisc.edu/gentoo/
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://open-systems.ufl.edu/mirrors/gentoo http://gentoo.ynet.sk/pub
http://lug.mtu.edu/gentoo http://gentoo.blueyonder.co.uk
http://mirror.datapipe.net/gentoo http://gentoo.ITDNet.net/gentoo
http://www.die.unipd.it/pub/Linux/distributions/gentoo-sources/
http://mirror.datapipe.net/gentoo http://gentoo.prz.rzeszow.pl
http://mirrors.acm.cs.rpi.edu/gentoo/ http://mirror.usu.edu/mirrors/gentoo/
http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.math.bme.hu
http://mirror.pudas.net/gentoo http://gentoo.netnitco.net
http://gentoo.seren.com/gentoo http://prometheus.cs.wmich.edu/gentoo"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl acpi alsa apache2 apm arts avi bash-completion berkdb bzip2 bzlib
crypt dba directfb doc eds emboss encode fbcon foomaticdb fortran gd gdbm gif
gpm gstreamer hardened hardenedphp imlib ipv6 ithreads jpeg kerberos libg++
libwww mad madwifi md5sum mikmod mmx motif mp3 mpeg mysql ncurses nls nptl
nptlonly offensive ogg oggvorbis oss pam pcntl pcre pdflib perl php png
postgres python quicktime readline samba sasl session sockets spell ssl sysfs
tcpd threads udev unicode userlocales vorbis xml2 xmms xsl zlib elibc_glibc
kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LDFLAGS, LINGUAS

------- Comment #2 From Mike Auty 2006-01-29 12:29:52 0000 -------
Using FEATURES="-strict" has allowed me to pass pax-utils and portage, but I'm
now running into difficulties with xorg-x11-7.0-r1.

------- Comment #3 From solar 2006-01-29 12:54:14 0000 -------
What version of pycrypto? 

------- Comment #4 From solar 2006-01-29 12:56:21 0000 -------
Everybody that's hitting this is using -O3?

------- Comment #5 From Matt McAdoo 2006-01-29 13:05:05 0000 -------
wireless ~ # esearch pycrypto
[ Results for search key : pycrypto ]
[ Applications found : 1 ]

*  dev-python/pycrypto
      Latest version available: 2.0.1
      Latest version installed: 2.0.1
      Size of downloaded files: 150 kB
      Homepage:    http://www.amk.ca/python/code/crypto.html
      Description: Python Cryptography Toolkit
      License:     freedist

And yes, I'm using -O3

------- Comment #6 From Matt McAdoo 2006-01-29 13:07:58 0000 -------
*  sys-apps/portage
      Latest version available: 2.1_pre4-r1
      Latest version installed: 2.1_pre4-r1
      Size of downloaded files: 731 kB
      Homepage:    http://www.gentoo.org/
      Description: The Portage Package Management System. The primary package
management and distribution system for Gentoo.
      License:     GPL-2

Upgrade of portage did not change outcome of emerging hardened-sources, but I
did find that I could start the emerge of postgresql without issue, emerging
now.

------- Comment #7 From Mike Auty 2006-01-29 13:10:17 0000 -------
Wow, I'd never noticed that, I'd always thought I only ever used -O2, but sure
enough, yep, I'm using -O3 as well. I'm moving down to -O2 to see if that
helps. I'll report back here.

------- Comment #8 From solar 2006-01-29 13:10:39 0000 -------
I've got the same portage/pycrypto versions but I'm using -Os and uClibc and
don't hit this bug. Can you try backing the CFLAGS down to '-Os -pipe'
for the sake of testing?

------- Comment #9 From Mike Auty 2006-01-29 13:16:19 0000 -------
If it helps, I've had three other machines all work fine (emerging pax-utils
etc), and I've just checked them.  They're all running -O2.

After recompiling pycrypto with -O2, I'm no longer having problems emerging
pax-utils.  Looks like this was the problem...

------- Comment #10 From solar 2006-01-29 14:40:52 0000 -------
In normal python there was a call to this:
use hardened && replace-flags -O3 -O2
We probably need to do the same for pycrypto.

------- Comment #11 From Marien Zwart (RETIRED) 2006-01-30 07:51:31 0000 -------
Created an attachment (id=78502) [details]
testcase

portage-independent testcase that crashes when pycrypto is compiled with ssp
and -finline-functions.

------- Comment #12 From Marien Zwart (RETIRED) 2006-01-30 07:54:49 0000 -------
The problem is triggered by -finline-functions and ssp: I crashed with
CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
-fno-inline-functions to CFLAGS when ssp is used. Can people please test this
one? I will probably add it to the stable pycrypto in a bit if it at least
works around the problem.
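The fix described in comments #10 and #12 (drop -O3 to -O2 for hardened builds, and add -fno-inline-functions when SSP is in use, because -O3 implies -finline-functions) expressed as a plain POSIX shell function. This is an added example, not code from the bug or from the pycrypto ebuild; the real ebuild uses the flag-o-matic eclass helpers (replace-flags, append-flags), and the HARDENED variable below is an assumed stand-in for the ebuild's `use hardened` test.

```shell
# ssp_safe_cflags: print a CFLAGS string adjusted for an SSP-enabled toolchain.
#   - "-O3" is lowered to "-O2"     (-O3 turns on -finline-functions, the trigger)
#   - "-finline-functions" is dropped
#   - "-fno-inline-functions" is appended so no other flag re-enables inlining
# Takes the original CFLAGS as $1 and writes the result to stdout.
ssp_safe_cflags() {
    out=""
    for flag in $1; do
        case "$flag" in
            -O3)                flag="-O2" ;;   # what replace-flags -O3 -O2 does
            -finline-functions) continue ;;     # the flag that smashes sha_done()'s frame
        esac
        out="$out${out:+ }$flag"
    done
    printf '%s' "$out${out:+ }-fno-inline-functions"
}

# Sample input, constructed from the reporter's emerge --info above.
sample_cflags="-mtune=pentium4 -march=pentium4 -O3 -fomit-frame-pointer"

# Assumed stand-in for the ebuild's `use hardened`: HARDENED=1 means the
# compiler enables SSP by default, so the rewrite is applied.
if [ "${HARDENED:-0}" = 1 ]; then
    CFLAGS=$(ssp_safe_cflags "$sample_cflags")
    printf 'adjusted CFLAGS: %s\n' "$CFLAGS"
fi
```

Run with `HARDENED=1 sh script.sh` to see the rewritten flags; with HARDENED unset the flags are left alone, mirroring the ebuild only touching CFLAGS when the hardened USE flag is set.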

------- Comment #13 From Jakub Moc (RETIRED) 2006-01-30 23:46:39 0000 -------
*** Bug 121009 has been marked as a duplicate of this bug. ***

------- Comment #14 From Roy Marples (RETIRED) 2006-01-31 03:49:30 0000 -------
(In reply to comment #12)
> The problem is triggered by -finline-functions and ssp: I crashed with
> CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> one? I will probably add it to the stable pycrypto in a bit if it at least
> works around the problem.

Works for me :)

------- Comment #15 From barthek 2006-02-01 02:49:42 0000 -------
Works here as well. Thanks! :)

------- Comment #16 From Daniel Seyffer 2006-02-03 12:27:51 0000 -------
Same here. I'm just using -O2 (and no -finline-functions in CFLAGS!).

Doing FEATURES="-strict" emerge pycrypto fixed it.

------- Comment #17 From solar 2006-02-06 19:16:49 0000 -------
*** Bug 121904 has been marked as a duplicate of this bug. ***

------- Comment #18 From Mike Auty 2006-03-23 11:14:58 0000 -------
Ok, so, is this bug fixed then?  I'm no longer suffering the issues, there have
been many positive results at the end of this bug, and it refers to an (at
least) two version old copy of portage, so I'm going to close the bug.  If
anyone feels it should stay open, or is still suffering problems, please post
here and I'll reopen it again.  Thanks...

------- Comment #19 From Myles Goodwin 2006-08-22 07:40:26 0000 -------
(In reply to comment #14)
> (In reply to comment #12)
> > The problem is triggered by -finline-functions and ssp: I crashed with
> > CFLAGS="-O1 -finline-functions -ggdb" and a hardened gcc-3.4.5. (and -O3
> > implies -finline-functions). I just committed pycrypto-2.0.1-r1 which adds
> > -fno-inline-functions to CFLAGS when ssp is used. Can people please test this
> > one? I will probably add it to the stable pycrypto in a bit if it at least
> > works around the problem.
> 
> Works for me :)
> 

Worked for me.  Did:

CFLAGS="-fno-inline-functions" FEATURES="-strict" emerge -v =pycrypto-2.0.1-r5

compiled fine.  Then did:

CFLAGS="-fno-inline-functions" emerge -v =pycrypto-2.0.1-r5

Compiled fine as well, and no more stack smashing attacks when emerging
packages. Can we hard code this CFLAG into the ebuild so this works for
everybody?