
Bug 377559

Summary: dev-lang/ekopath: upstream needs to fix atomic-cxx.S to remove RWX GNU STACK
Product: Gentoo Linux
Reporter: Anthony Basile <blueness>
Component: Current packages
Assignee: Gentoo Science Related Packages <sci>
Status: RESOLVED TEST-REQUEST
Severity: normal
CC: hardened
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Anthony Basile gentoo-dev 2011-08-03 14:13:53 UTC
I just added some code to ekopath-4.0.10_pre20110728.ebuild so ekopath works with a pax enabled kernel.  The fixes are applied unconditionally since they are safe on pax or vanilla systems.  I did not rev bump because there's no need to force those who already have ekopath to re-emerge.  I did not address ekopath-4.0.10_pre20110717-r1.ebuild, but the same issues might be there.

Two fixes:

a) Remove mprotect from the installer.  Since the installer doesn't persist on the system, this really doesn't represent any serious degradation of security.

b) I removed the X bit from the GNU STACK phdr, leaving it only RW on libstl.so.  This addresses one QA issue, but the other remaining one is with the static lib, libstd.a, which still has an RWX GNU STACK due to atomic-cxx.S.  This needs to be fixed upstream since we don't have the source.  It's a QA problem on any Gentoo system.

The fix to the assembly is probably as simple as Section 6 in http://www.gentoo.org/proj/en/hardened/gnu-stack.xml, but not having the asm in front of us, it's not clear.



Reproducible: Always
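
The check behind fix (b), as an added example that is not code from this bug report or from the ebuild: it reads the PT_GNU_STACK program header of an ELF file, reports its permissions, and returns a copy with the X bit cleared. `sample_elf64` builds a constructed input, and all function names are assumptions of this example.

```python
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def _gnu_stack_flags_offset(elf: bytes):
    """Return (file offset of p_flags, endian prefix) for PT_GNU_STACK, or None."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_at = 4                        # p_flags follows p_type in ELF64
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_at = 24                       # p_flags is the 7th word in ELF32
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            return base + flags_at, end
    return None

def gnu_stack_perms(elf: bytes):
    """Return an 'RWX'-style string, or None when the header is absent."""
    hit = _gnu_stack_flags_offset(elf)
    if hit is None:
        return None                         # kernel uses its architecture default
    (flags,) = struct.unpack_from(hit[1] + "I", elf, hit[0])
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))

def clear_stack_exec(elf: bytes) -> bytes:
    """Return a copy of the file with PF_X cleared on PT_GNU_STACK."""
    hit = _gnu_stack_flags_offset(elf)
    if hit is None:
        return elf
    out = bytearray(elf)
    (flags,) = struct.unpack_from(hit[1] + "I", out, hit[0])
    struct.pack_into(hit[1] + "I", out, hit[0], flags & ~PF_X)
    return bytes(out)

def sample_elf64(stack_flags: int) -> bytes:
    """Constructed input: ELF64 little-endian header plus one PT_GNU_STACK phdr."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
```

This covers linked objects such as a shared library; the members of a static archive have no program headers and carry the stack marking in a `.note.GNU-stack` section instead, which this example does not inspect.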
Comment 1 Sébastien Fabbro (RETIRED) gentoo-dev 2014-05-22 17:38:42 UTC
Current version 5.0.1_pre20131115 does not seem to be affected. Re-open if so.
Thanks.