When emerging dev-libs/ffcall-1.10 (as a dependency of clisp) I noticed this message:

 * QA Notice: The following files contain executable stacks
 *  Files with executable stacks will not work properly (or at all!)
 *  on some architectures/operating systems.  A bug should be filed
 *  at http://bugs.gentoo.org/ to make sure the file is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 * !WX --- --- usr/lib64/libavcall.a:avcall.o
 * !WX --- --- usr/lib64/libvacall.a:vacall.o
 * !WX --- --- usr/lib64/libcallback.a:vacall.o

Since it told me to file a bug I have here done so.

Reproducible: Always

Steps to Reproduce:
1. emerge =dev-libs/ffcall-1.10

Actual Results:
Displays the above mentioned message before installing.

Expected Results:
It shouldn't display that message.

# emerge --info
Portage 2.1.6.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.27-gentoo-r7 x86_64)
=================================================================
System uname: Linux-2.6.27-gentoo-r7-x86_64-AMD_Sempron-tm-_Processor_3300+-with-glibc2.2.5
Timestamp of tree: Tue, 06 Jan 2009 10:30:01 +0000
ccache version 2.4 [disabled]
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python: 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
dev-util/cmake: 2.6.2-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -pipe -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub http://ftp.ds.karen.hj.se/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.ds.karen.hj.se/gentoo/ http://mirror.muntinternet.net/pub/gentoo/ http://ftp.ing.umu.se/linux/gentoo/ http://mirror.gentoo.no/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.linux.ee/pub/gentoo/distfiles/"
LINGUAS="en en_GB sv sv_SE"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/crossdev-overlay /usr/local/portage/cpan-overlay /usr/local/portage/nethack-overlay /usr/local/portage/generic-overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acl acpi alsa amd64 audiofile bash-completion berkdb bzip2 cairo caps ccache cdb cddb cdr cli cracklib crypt cups curl dbus dri dvd dvdr dvdread emacs emboss encode evo exif expat fam fastcgi fbcon firefox flac fontconfig foomaticdb fortran gd gdbm geoip gif glep gmp gnutls gpm gstreamer gtk iconv idea idn ieee1394 imlib iproute2 ipv6 isdnlog javascript joystick jpeg jpeg2k kde kdeenablefinal kdehiddenvisibility kqemu lcms lm_sensors logrotate loop-aes lyx mad mbox midi mikmod mmap mmx mmxext mng mono mozdevelop mp3 mpeg mudflap multilib mysqli ncurses nls nodrm nptl nptlonly nsplugin objc ogg openexr opengl pam pcre pdf perl pg-intdatetime php physfs pic png ppds pppd python qt3 qt3support qt4 quicktime readline reflection rle sasl scanner sdl session sndfile spell spl sqlite sse sse2 ssl startup-notification svg sysfs tcl tcpd tiff tk truetype unicode usb utempter vorbis webdav-serf xcomposite xorg xpm xulrunner xv zlib zsh-completion" ALSA_CARDS="emu10k1 loopback seq-dummy dummy" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse joystick evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB sv sv_SE" USERLAND="GNU" VIDEO_CARDS="ati radeon vesa fbdev r128 nv nvidia"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ffcall-1.10-r2 as well, and I have some additional output (note last two lines)

 * QA Notice: The following files contain executable stacks
 *  Files with executable stacks will not work properly (or at all!)
 *  on some architectures/operating systems.  A bug should be filed
 *  at http://bugs.gentoo.org/ to make sure the file is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@
 * !WX --- --- usr/lib64/libavcall.a:avcall-x86_64.o
 * !WX --- --- usr/lib64/libvacall.a:vacall.o
 * !WX --- --- usr/lib64/libcallback.a:vacall-x86_64.o
 * RWX --- --- usr/lib64/libavcall.so.0.0.0
 * RWX --- --- usr/lib64/libcallback.so.0.0.0
There are execstacks on x86 too.
I think this makes the tests fail on hardened, I get the following error:

/var/tmp/portage/dev-libs/ffcall-1.10-r3/work/clisp-2.41/ffcall/avcall/.libs/lt-minitests: error while loading shared libraries: libavcall.so.0: cannot enable executable stack as shared object requires: Permission denied

This possibly means that the entire package is broken on hardened (as mentioned in the qa warning).
*** Bug 459710 has been marked as a duplicate of this bug. ***
Created attachment 358550
patch to explicitly mark stacks

Hi,

I followed the hardened guide on stack markings and applied the attached patch, which successfully removed the executable stacks. Yeah!
I've gone ahead with a slightly less invasive patch:

> *ffcall-1.10-r5 (14 Dec 2014)
>
>   14 Dec 2014; Sergei Trofimovich <slyfox@gentoo.org> +ffcall-1.10-r5.ebuild:
>   Respect CFLAGS/LDFLAGS (bug #334581), mark noexecstack (bug #253963). Thanks
>   to w0rm for the report.

Thanks guys!