The asm source for an object, unless it explicitly contains a .note.GNU-stack section, causes whatever it is linked into to be marked as requiring executable stack (the linker takes the approach that if something is not marked either way, the most permissive case is assumed). There are three nasm files in the x86 build of libFLAC, which contain no such marking. Patch to follow adds the following lines to these files: %ifdef OBJ_FORMAT_elf section .note.GNU-stack noalloc %endif The ifdef works because libtool defines OBJ_FORMAT_elf when building an elf object; doesn't matter so much for us as we're always elf on x86 but it might make it more palatable upstream. I would guess there's a similar problem in the ppc code, in src/libFLAC/ppc/as/lpc_asm.s and src/libFLAC/ppc/gas/lpc_asm.s - for these I think appending the following is enough: #ifdef __ELF__ .section .note.GNU-stack,"",@progbits #endif but I figure it's best if a ppc person tries this out.
Created attachment 74377 [details, diff] Add .note.GNU-stack marking to x86 nasm files This patch applies ok for the versions currently in portage (1.1.1, 1.1.2-r3 and 1.1.2-r4). Should be uncontroversial; it doesn't change the actual code, just the ELF header markings on the library.
I'm going to roll out a new patchset for flac, but I'd like to fix the ppc issue as well in the same patch, so I can submit it directly to upstream. the file in ppc/as subdirectory is used with MacOSX as that's not GNU, so it shouldn't be touched (it's neither ELF); the gas/ one has the problem of being named .s, so it shouldn't be preprocessed, I think, that would break using #ifdef. By the way, flac does not turn up problems with FEATURES=stricter on my iBook, but now that I think of it, I might not have pax-utils installed at all, will look into that.
Nevermind, i was missing pax-utils, will see what I can do..
Non-issue on PPC, the .s files are just ignored right now. The failure with stricter is for everything by design, so the only patch needed is the one for x86, going to prepare patchset and commit.
flac-patches-3 committed.
*** Bug 115099 has been marked as a duplicate of this bug. ***
*** Bug 116367 has been marked as a duplicate of this bug. ***
*** Bug 126330 has been marked as a duplicate of this bug. ***
The bug is said to be fixed, however, it seems to be still an issue in version 1.1.2-r3; I just got the following error message: QA Notice: the following files contain executable stacks Files with executable stacks will not work properly (or at all!) on some architectures/operating systems. A bug should be filed at http://bugs.gentoo.org/ to make sure the file is fixed. For more information, see http://hardened.gentoo.org/gnu-stack.xml Please include this file in your report: /var/tmp/portage/flac-1.1.2-r3/temp/scanelf-execstack.log RWX --- --- usr/lib/libFLAC.so.7.0.0 ####### emerge --info Portage 2.1.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.5-r2, 2.6.17-gentoo-r4 i686) ================================================================= System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 1700+ Gentoo Base System version 1.12.6 Last Sync: Wed, 08 Nov 2006 09:50:01 +0000 distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.3.5-r2, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.8.1-r1, 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -pipe -march=athlon-xp" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2 -pipe -march=athlon-xp" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distlocks metadata-transfer sandbox sfperms strict stricter test" GENTOO_MIRRORS="http://ftp.caliu.info/pub/gentoo/ http://mirror.ovh.net/gentoo-distfiles/" LANG="es_ES.UTF-8@euro" LC_ALL="es_ES.UTF-8@euro" LINGUAS="es en" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="3dnow X a52 acpi alsa apache2 asf audiofile avi bash-completion bidi bitmap-fonts bzip2 bzlib canna cdr cjk cli cracklib crypt cups dbus dga directfb divx4linux dlloader doc dri dvb dvd dvdr dvdread eds elibc_glibc emboss encode esd evo exif fbcon fftw firefox flac foomaticdb freewnn ftp gb gcj gd gdbm gif glut gmp gnome gpm gstreamer gtk gtk2 gtkhtml hal iconv imlib input_devices_evdev input_devices_keyboard input_devices_mouse iodbc isdnlog java jikes jpeg kde kernel_linux libg++ libwww linguas_en linguas_es mad memlimit mikmod mime mmx motif mozilla mp3 mpeg msn nas nls nptl nptlonly nsplugin nvidia odbc offensive ogg oggvorbis openal opengl pam pcre pdflib perl png pnp posix ppds pppd qt3 qt4 quicktime readline reflection sdl session sharedmem simplexml spell spl ssl svg svga sysvipc szip tcltk tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU video_cards_nvidia videos vorbis win32codecs wmf x86 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 101539 [details] Executable stack log file for flac-1.1.2-r3, as requested
Stable is 1.1.2-r3, which has PATCHLEVEL=1 -- and flac-patches-1.tar.bz2 *DOESN'T* contain this patch 1.1.2-r8 and 1.1.3 (both marked ~arch for all arches) use PATCHLEVEL=8 and 10 respectively -- and so *DO* have the patch. So this is fixed, but the fixed version isn't marked stable yet.
