ahasenack | hi #security, I'm doing an SRU for nfs-utils, and was wondering if I should include this fix in it: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1980095 | 14:39 |
ubottu | Launchpad bug 1980095 in nfs-utils (Ubuntu) "libnfsidmap built without hardening flags" [Undecided, Fix Released] | 14:39 |
ahasenack | I *think* you would say yes, and the only reason I can think of to not include it is some fear of regression that would be difficult to catch in testing without a wider audience using the package | 14:39 |
ahasenack | but in a sense, it regressed in jammy, by being built without the hardening flags | 14:40 |
mdeslaur | hrm, that's a good question | 14:44 |
mdeslaur | sbeattie: ^ | 14:44 |
ahasenack | I do have other srus planned for nfs-utils later on, we could include it in one of those, to give the current package in kinetic more "cooking time" (it has the hardening fix) | 14:49 |
ahasenack | point is, I think, it on its own probably does not warrant an SRU | 14:49 |
mdeslaur | I'm not sure what the impact is of turning those on for libraries, which is why I asked sbeattie | 15:00 |
sbeattie | ahasenack: yes, please include a fix for that, if you can. I verified that not just the hardening config was there in the libnfsidmap rules but that the actual shared objects had them applied. | 16:40 |
sbeattie | and thanks! | 16:40 |
ahasenack | ok, will do | 16:42 |
ahasenack | sbeattie: do you happen to have a quick way to check at runtime, analyzing the binary file, if hardening flags were applied? | 17:15 |
ahasenack | some objdump-foo | 17:15 |
ahasenack | maybe what lintian does, but that is perl code, not my cup of tea ;) | 17:16 |
ahasenack | maybe https://git.launchpad.net/qa-regression-testing/tree/scripts/test-built-binaries.py ? | 17:22 |
ahasenack | that's a large script | 17:23 |
sarnold | ahasenack: devscripts: /usr/bin/hardening-check | 17:36 |
sarnold | oh hah that big pile of python calls that :) | 17:36 |
ahasenack | TIL hardening-check | 17:36 |
sarnold | I'd forgotten we had stackclash stuff in there | 17:37 |
ahasenack | I look at those qa scripts, and at the top see ubuntu release names like hardy, or lucid :) | 17:37 |
sarnold | reliable releases, releases that you know are running something *important* somewhere.. | 17:42 |
sbeattie | ahasenack: yeah, I have a low level todo to remove some of the logic around releases that have been out of support for 7+ years now... | 17:53 |
ahasenack | so I ran hardening-check on the libs from libnfsidmap1, and looks like FORTIFY_SOURCE was enabled already, even without any hardening flags in d/rules | 17:53 |
ahasenack | but "immediate binding" is definitely flipped to on in the new builds | 17:53 |
ahasenack | and compared to focal, we got some new ones | 17:55 |
ahasenack | "control flow integrity: yes" | 17:55 |
ahasenack | ah, the "no fortify source" lintian warning I got when I filed the bug was from another source package, src:libnfsidmap-regex | 17:57 |