Summary: | Stable hardened sys-devel/gcc may have been built with build-id
---|---
Product: | Gentoo Linux
Component: | Hardened
Status: | RESOLVED DUPLICATE
Severity: | normal
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Francisco Blas Izquierdo Riera <klondike>
Assignee: | Gentoo Toolchain Maintainers <toolchain>
CC: | axs
Whiteboard: |
Package list: |
Runtime testing required: | ---
Attachments: | emerge --info thunderbird firefox
Description
Francisco Blas Izquierdo Riera (RETIRED)
2014-12-19 22:27:25 UTC
Created attachment 392062: emerge --info thunderbird firefox
# emerge -vp thunderbird firefox
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] mail-client/thunderbird-31.3.0 USE="crypt custom-optimization dbus gstreamer jit ldap lightning mozdom system-cairo system-icu system-jpeg system-libvpx system-sqlite -bindist -custom-cflags -debug -minimal -pulseaudio (-selinux) -startup-notification" LINGUAS="es_ES -ar -ast -be -bg -bn_BD -br -ca -cs -da -de -el -en_GB -es_AR -et -eu -fi -fr -fy_NL -ga_IE -gd -gl -he -hr -hu -hy_AM -id -is -it -ja -ko -lt -nb_NO -nl -nn_NO -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -sq -sr -sv_SE -ta_LK -tr -uk -vi -zh_CN -zh_TW" 0 KiB
[ebuild U ] www-client/firefox-31.3.0 [24.8.0] USE="custom-optimization dbus gstreamer hardened%* jit system-cairo system-icu system-jpeg system-libvpx%* system-sqlite wifi -bindist -custom-cflags -debug -minimal (-pgo) -pulseaudio (-selinux) -startup-notification {-test} (-alsa%*) (-libnotify%*)" LINGUAS="es_ES -af -ar -as -ast -be -bg -bn_BD -bn_IN -br -bs -ca -cs -csb -cy -da -de -el -en_GB -en_ZA -eo -es_AR -es_CL -es_MX -et -eu -fa -fi -fr -fy_NL -ga_IE -gd -gl -gu_IN -he -hi_IN -hr -hu -hy_AM -id -is -it -ja -kk -km -kn -ko -ku -lt -lv -mai -mk -ml -mr -nb_NO -nl -nn_NO -or -pa_IN -pl -pt_BR -pt_PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv_SE -ta -te -th -tr -uk -vi -xh% -zh_CN -zh_TW -zu (-ak%) (-lg%) (-nso%) (-ta_LK%)" 0 KiB
Total: 2 packages (1 upgrade, 1 reinstall), Size of downloads: 0 KiB
Ian Stakenvicius (comment 2)

This only occurs if either -Wl,--build-id is specified in a user's LDFLAGS when FEATURES="splitdebug" is enabled, or if a user's toolchain was built during that 2ish month period where --enable-build-ids was set by default on all gcc package merges.

The former case is considered unsupported (at least that seems to be the consensus among Gentoo devs), while the latter case's solution is to re-emerge the currently-installed gcc's.

I use FEATURES="splitdebug" myself on these packages, so I don't want to restrict it. And we've already applied patches to ensure that the packages themselves are not adding build-id generation. I'm not sure what else we can do here, other than perhaps eerror early upon checking to see if the toolchain generates build-ids when splitdebug is enabled in FEATURES? If that's even possible within, say, pkg_pretend or pkg_setup?

Francisco Blas Izquierdo Riera (RETIRED)

(In reply to Ian Stakenvicius from comment #2)
> This only occurs if either -Wl,--build-id is specified in a user's LDFLAGS
> when FEATURES="splitdebug" is enabled, or if a user's toolchain was built
> during that 2ish month period where --enable-build-ids was set by default on
> all gcc package merges.
>
> The former case is considered unsupported (at least that seems to be the
> consensus among gentoo dev's), while the latter case's solution is to
> re-emerge the currently-installed gcc's.
>
> I use FEATURES="splitdebug" myself on these packages, so I don't want to
> restrict it. And we've already applied patches to ensure that the packages
> themselves are not adding build-id generation. I'm not sure what else we
> can do here, other than perhaps eerror early upon checking to see if the
> toolchain generates build-ids when splitdebug is enabled in features?? If
> that's even possible within say, pkg_pretend or pkg_setup?

I'm afraid that period occurred along with the hardened unmasking of 4.8 (ugh).

Okay Ian, I'll re-emerge gcc, then both thunderbird and firefox, and come back :)

Francisco Blas Izquierdo Riera (RETIRED)

Ian, re-emerging gcc and then both thunderbird and firefox seemed to fix this.

Given the timeline this may be affecting more stable gcc users, and we may need to tell them, as this may block other security updates in the future.

Here is how to test if build-id was enabled (you may add other paths):

# objdump -h -j .note.gnu.build-id /usr/bin/* /bin/* /sbin/* /usr/sbin/* 2> /dev/null | grep build-id

If build-id was enabled, the objdump output will show lines saying something like:

2 .note.gnu.build-id 00000024 00000000000002ac 00000000000002ac 000002ac 2**2

The simplest way is just compiling a small file (for example a hello world) and then checking it with the above command.

On this system I did the emerge on the 22nd of October, with stabilization happening on the 24th. So I wouldn't be surprised if the time build-id was enabled and the time sys-devel/gcc-4.8.3 was stabilized overlapped.

I'll be marking this as a duplicate.

*** This bug has been marked as a duplicate of bug 526144 ***

Arfrever Frehtes Taifersar Arahesis (comment 5)

(In reply to Ian Stakenvicius from comment #2)
> if a user's toolchain was built
> during that 2ish month period where --enable-build-ids was set by default on
> all gcc package merges.

9.619 days, not 2 months.
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.635&r2=1.636
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.643&r2=1.644

Francisco Blas Izquierdo Riera (RETIRED)

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #5)
> (In reply to Ian Stakenvicius from comment #2)
> > if a user's toolchain was built
> > during that 2ish month period where --enable-build-ids was set by default on
> > all gcc package merges.
>
> 9.619 days, not 2 months.
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.635&r2=1.636
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/toolchain.eclass?r1=1.643&r2=1.644

It still overlaps quite nicely with the stabilization period ;)
https://bugs.gentoo.org/show_bug.cgi?id=516152
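The objdump recipe in the thread answers "does this binary carry a .note.gnu.build-id section?" by grepping binutils output. As an added example (not code from the bug report, from its participants, or from Gentoo), the same check can be done without binutils by parsing the ELF section header table directly and decoding the GNU build-id note; it goes beyond the recipe in that it also returns the build-id value itself and distinguishes "no note" from "section headers stripped". The default directory list mirrors the globs in the objdump command and is an assumption; make_minimal_elf() produces constructed test images, not real binaries.

```python
"""Detect a GNU build-id note in ELF files by reading section headers directly.

Added example: not the bug's own objdump recipe. Works with ELF32/ELF64 in
either byte order and needs no binutils on the host.
"""
import os
import struct
from typing import List, Optional, Tuple

SHT_STRTAB = 3
SHT_NOTE = 7
NT_GNU_BUILD_ID = 3


def _byte_order(data: bytes) -> str:
    """struct prefix for the image's endianness (EI_DATA: 1 = little, 2 = big)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    return "<" if data[5] == 1 else ">"


def _sections(data: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (name, sh_type, sh_offset, sh_size) for each section header."""
    end = _byte_order(data)
    if data[4] == 2:  # ELFCLASS64
        ehdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        sh_fmt = end + "IIQQQQIIQQ"
    else:  # ELFCLASS32
        ehdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        sh_fmt = end + "IIIIIIIIII"
    shoff, shentsize, shnum, shstrndx = ehdr[5], ehdr[10], ehdr[11], ehdr[12]
    if shoff == 0 or shnum == 0:
        return []  # section header table stripped (e.g. sstrip): nothing to inspect
    hdrs = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # Section names are NUL-terminated strings inside the .shstrtab section.
    strtab = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    out = []
    for h in hdrs:
        nul = strtab.find(b"\0", h[0])
        name = strtab[h[0]:nul if nul >= 0 else None].decode("ascii", "replace")
        out.append((name, h[1], h[4], h[5]))
    return out


def build_id(data: bytes) -> Optional[str]:
    """Hex build-id if the image carries a GNU build-id note section, else None."""
    end = _byte_order(data)
    for name, stype, off, size in _sections(data):
        if name != ".note.gnu.build-id" or stype != SHT_NOTE:
            continue
        # ELF note layout: namesz, descsz, type, then name and desc, each padded to 4 bytes.
        namesz, descsz, ntype = struct.unpack_from(end + "III", data, off)
        name_bytes = data[off + 12:off + 12 + namesz]
        desc_off = off + 12 + (namesz + 3) // 4 * 4
        if ntype == NT_GNU_BUILD_ID and name_bytes == b"GNU\0" and desc_off + descsz <= off + size:
            return data[desc_off:desc_off + descsz].hex()
    return None


def has_build_id(path: str) -> bool:
    with open(path, "rb") as f:
        return build_id(f.read()) is not None


def scan(dirs) -> List[str]:
    """Files directly under dirs (non-recursive, like the objdump globs) that carry a build-id."""
    hits = []
    for d in dirs:
        try:
            entries = sorted(os.listdir(d))
        except OSError:
            continue  # missing or unreadable directory
        for entry in entries:
            p = os.path.join(d, entry)
            try:
                if os.path.isfile(p) and has_build_id(p):
                    hits.append(p)
            except (OSError, ValueError, struct.error, IndexError):
                pass  # unreadable, not ELF, or truncated: skip it
    return hits


def make_minimal_elf(with_build_id: bool) -> bytes:
    """Constructed ELF64 little-endian image with or without a .note.gnu.build-id section."""
    shstrtab = b"\0.shstrtab\0.note.gnu.build-id\0"  # name offsets: 1 and 11
    note = struct.pack("<III", 4, 20, NT_GNU_BUILD_ID) + b"GNU\0" + bytes(range(20))
    body = shstrtab + (note if with_build_id else b"")
    shoff = (64 + len(body) + 7) // 8 * 8  # section header table, 8-byte aligned
    sh = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)  # index 0: SHN_UNDEF
    sh += struct.pack("<IIQQQQIIQQ", 1, SHT_STRTAB, 0, 0, 64, len(shstrtab), 0, 0, 1, 0)
    if with_build_id:
        sh += struct.pack("<IIQQQQIIQQ", 11, SHT_NOTE, 2, 0, 64 + len(shstrtab), len(note), 0, 0, 4, 0)
    shnum = 3 if with_build_id else 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, 1)
    return ehdr + body + b"\0" * (shoff - 64 - len(body)) + sh


if __name__ == "__main__":
    import sys
    # Assumed default paths: the same directories the objdump command in the bug globs over.
    dirs = sys.argv[1:] or ["/usr/bin", "/bin", "/sbin", "/usr/sbin"]
    for p in scan(dirs):
        print(p, build_id(open(p, "rb").read()))
    print("constructed sample:", build_id(make_minimal_elf(True)))
```

Run it with no arguments to list every binary in the assumed directories that carries a build-id, or point it at a freshly compiled hello world to test the toolchain itself. Like objdump -h, this looks only at section headers: a binary whose section header table has been removed still carries the note in its PT_NOTE program header segment, which this check does not walk, so an empty result on such a file is not proof that the toolchain omitted the build-id.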