4000+ bugs in Fedora - checksec failures

Posted by Alexander Todorov on Wed 16 September 2015

In the last week I've been trying to figure out how many packages conform to the new Harden All Packages policy in Fedora!

Of 46884 RPMs, 17385 are 'x86_64', meaning they may contain ELF objects. Of those, 4489 are reported as failing checksec.

What you should see as the output from checksec is:

Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH
Full RELRO      Canary found      NX enabled    DSO             No RPATH   No RUNPATH

The first line is for binaries, the second one for libraries, because DSOs on x86_64 are always position-independent. Some RPATHs are acceptable, e.g. %{_libdir}/foo/, and I've tried to exclude them unless other offenses are found. The script which does this is checksec-collect.

Most often I'm seeing Partial RELRO, No canary found and No PIE errors. Since all packages potentially process untrusted input, it makes sense for all of them to be hardened and enhance the security of Fedora. That's why all of these errors should be considered valid bugs.
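The pass/fail rule described above, as an added example (this is not the checksec-collect script and not code from the original post). The names `audit`, `is_private_libdir` and `search_path` are hypothetical, `/usr/lib64` is assumed as the x86_64 value of %{_libdir}, and the sample lines are constructed.

```python
import posixpath
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # checksec colours its output
FIELDS = re.compile(
    r"(?P<relro>Full RELRO|Partial RELRO|No RELRO)\s+"
    r"(?P<canary>Canary found|No canary found)\s+"
    r"(?P<nx>NX enabled|NX disabled)\s+"
    r"(?P<pie>PIE enabled|No PIE|DSO)\s+"
    r"(?P<rpath>No RPATH|RPATH)\s+"
    r"(?P<runpath>No RUNPATH|RUNPATH)"
)
EXPECTED = {"relro": "Full RELRO", "canary": "Canary found", "nx": "NX enabled"}

def is_private_libdir(search_path, libdir):
    """True if every ':'-separated entry resolves to a subdirectory of libdir."""
    return all(posixpath.normpath(entry).startswith(libdir + "/")
               for entry in search_path.split(":"))

def audit(line, search_path=None, libdir="/usr/lib64"):
    """Return the hardening failures in one checksec result line ([] = pass).

    search_path (assumption) is the RPATH/RUNPATH string read separately, for
    example with readelf -d; checksec itself only prints RPATH or No RPATH.
    """
    m = FIELDS.search(ANSI.sub("", line))
    if m is None:
        raise ValueError("not a checksec result line: %r" % line)
    failures = [m[key] for key, good in EXPECTED.items() if m[key] != good]
    if m["pie"] == "No PIE":  # "DSO" is the passing value for libraries
        failures.append("No PIE")
    flagged = [m[key] for key in ("rpath", "runpath") if not m[key].startswith("No ")]
    tolerated = search_path is not None and is_private_libdir(search_path, libdir)
    # A private-libdir RPATH is excused only when nothing else is wrong.
    if flagged and (failures or not tolerated):
        failures.extend(flagged)
    return failures

# Constructed sample lines (file names are made up): (checksec line, search_path)
SAMPLE = [
    ("Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/ok", None),
    ("Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/weak", None),
    ("Full RELRO      Canary found      NX enabled    DSO             RPATH      No RUNPATH   /usr/lib64/foo/libfoo.so", "/usr/lib64/foo/"),
]

if __name__ == "__main__":
    for line, path in SAMPLE:
        print(audit(line, path) or "pass", "<-", line.split()[-1])
```

Entries are normalized before the prefix check, so an RPATH such as `/usr/lib64/../../tmp` or an empty entry (which means the current directory) is still reported.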

Attn package maintainers

Please see if your package is in the list and try to fix it, or let me know why it should be excluded (for example, it's a boot loader and doesn't function properly with hardening enabled). The full list is available at GitHub.

For more information about the different protection mechanisms see the following links:

UPDATE 2015-09-17

I've posted my findings on fedora-devel and the comments are more than interesting, even revealing an old bug in libtool.

