[ATrpms-devel] libgcrypt selinux execstack
Tim Fenn
fenn@stanford.edu
Fri Jun 30 00:54:27 CEST 2006
On Fri, Jun 30, 2006 at 12:35:21AM +0200, Axel Thimm wrote:
> On Thu, Jun 29, 2006 at 11:54:49AM -0700, Tim Fenn wrote:
> > > In that case can we be certain that no executable stack is required
> > > w/o reviewing the source (and in doing so the assembly GNU-stack
> > > markers could be fixed, so no execstack -c is required at the end)?
> > >
> >
> > In this case we'd have to audit the assembly code. o_O
> >
> > > Ubuntu seems to think similar and simply disables assembly:
> > >
> > > https://launchpad.net/distros/ubuntu/+source/libgcrypt11/+bug/49192
> > >
> >
> > Well, further down the page is a patch that seems more reasonable, by
> > telling the assembler to not set the executable stack bit. You
> > basically go through all the .S files and append
> > ".section .note.GNU-stack,"",@progbits" to each. Alternatively, just add
> > "-Wa,--execstack" to the build options.
>
> Yes, but that's after one is certain that the asm code doesn't really
> need it (which it most probably doesn't, but one cannot blindly assume
> it).
>
True.
> Hm, I guess maybe this needs to be brought to the gpg people's
> notice. After all they wrote it. :)
It sounds like they have been contacted about it (see the Ubuntu
thread), but only as of a week ago or so. Perhaps some added pressure
couldn't hurt. ;)
Oh, I also checked the FC5 libgcrypt SRPM - it disables assembly:
(from libgcrypt.spec):
%build
%configure --disable-asm
Which may not be a Bad Thing, at least until the execstack issue is
addressed.
-Tim
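The .note.GNU-stack markers, the assembler flag and execstack -c discussed in this thread all end up in one place: the PT_GNU_STACK program header, which is what the kernel and the execstack tool read. The following is an added example, not code from this thread or from libgcrypt: a small checker that reports what an ELF64 (little-endian) image asks for, exercised over constructed in-memory images rather than real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u  /* linker derives it from the .note.GNU-stack sections */
enum { PF_X = 0x1u, PF_W = 0x2u, PF_R = 0x4u };

/* Little-endian readers/writer over the raw ELF64 byte image. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* What PT_GNU_STACK asks for: 1 = executable stack (what execstack -c forces), 0 = non-executable,
 * -1 = header absent (older toolchains/kernels then default to executable), -2 = unreadable image. */
int gnu_stack_status(const uint8_t *img, size_t len)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1) return -2;
    uint64_t phoff = rd64(img + 32);                                   /* e_phoff */
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);       /* e_phentsize, e_phnum */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < 8 || off + phentsize > len) return -2;         /* truncated table */
        if (rd32(img + off) == PT_GNU_STACK)                           /* p_type */
            return (rd32(img + off + 4) & PF_X) ? 1 : 0;               /* p_flags */
    }
    return -1;
}

/* Constructed (not loadable) ELF64 image: header, one PT_LOAD program header and,
 * optionally, a PT_GNU_STACK header carrying stack_flags. */
size_t build_image(uint8_t *out, size_t cap, int with_stack_hdr, uint32_t stack_flags)
{
    size_t phnum = with_stack_hdr ? 2 : 1, total = 64 + phnum * 56;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;                /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[32] = 64; out[52] = 64; out[54] = 56; out[56] = (uint8_t)phnum; /* e_phoff e_ehsize e_phentsize e_phnum */
    wr32(out + 64, 1); wr32(out + 68, PF_R | PF_X);    /* PT_LOAD, r-x */
    if (with_stack_hdr) { wr32(out + 120, PT_GNU_STACK); wr32(out + 124, stack_flags); }
    return total;
}

/* One call per case: build a constructed image, then classify it. */
int check_constructed(int with_stack_hdr, uint32_t stack_flags)
{
    uint8_t buf[256];
    size_t n = build_image(buf, sizeof buf, with_stack_hdr, stack_flags);
    return gnu_stack_status(buf, n);
}
```

On a real build, `readelf -lW libgcrypt.so | grep GNU_STACK` shows the same header; a RWE flag set there means some object (typically an unmarked .S file) made the linker mark the whole library.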