ASAN builds and exiv2

To: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
Subject: ASAN builds and exiv2
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Thu, 23 Nov 2017 14:51:56 -0500
Message-id: <[🔎] 87shd4u61v.fsf@curie.anarc.at>
In-reply-to: <[🔎] 20171114135832.pq6rlbfdb3ggguap@connexer.com>
References: <[🔎] 20171114135832.pq6rlbfdb3ggguap@connexer.com>

On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encountered, I have written up some notes [0] on building
> packages with ASAN while doing Wheezy LTS work.  Those notes are now
> also linked from our main documentation [1].
>
> If anyone out there has used ASAN in order to reproduce vulnerabilities
> and/or verify their fixes, please review the notes.  Updates and
> improvements are most welcome.

So I have tried to use those notes to reproduce the pending issues on
exiv2 (CVE-2017-1000126, CVE-2017-1000127, CVE-2017-1000128). The first
problem I had was that DEB_*_APPEND environment didn't propagate through
to the package. Maybe it's sbuild sanitizing the environment or
something.

So I ended up adding it to the debian/rules file, but that wasn't enough
either - I had to add "export" to every line so it shows up in the
environment. This could be because of the way exiv2 is built there:

override_dh_auto_configure:
        dh_auto_configure -- --disable-rpath  $(shell dpkg-buildflags --export=configure)

I suspect that dpkg-buildflags override may be failing to pick up the
Make variables... So i changed the documentation to export explicitly:
it can't hurt anyways:

export DEB_CFLAGS_APPEND=-fsanitize=address
export DEB_CPPFLAGS_APPEND=-fsanitize=address
export DEB_CXXFLAGS_APPEND=-fsanitize=address
export DEB_LDFLAGS_APPEND=-static-libasan

The next problem I had was that linking the package failed with errors
like:

undefined reference to `__asan_register_globals'

So I tried adding -lasan to the LDFLAGS, but then *configure* segfaults:

configure:2919: g++ -o conftest -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fsanitize=address -D_FORTIFY_SOURCE=2 
ddress -Wl,-z,relro -static-libasan -lasan conftest.cpp  >&5
configure:2930: ./conftest
./configure: line 2932: 18325 Segmentation fault      ./conftest$ac_cv_exeext

Fun times. So I'm stuck now - I reported the CVE issues upstream so
they're at least aware of the issue:

https://github.com/Exiv2/exiv2/issues/174

... but I am not sure what to do with the package in Wheezy. I'm tempted
to mark this as no-dsa because there's no upstream fix and we can't
reproduce, but I wonder if we should just mark it as not-affected
instead.

Opinions?

A.

-- 
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
                        - Bansky

Reply to:

Follow-Ups:
- Re: ASAN builds and exiv2
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: ASAN builds and exiv2
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: ASAN builds and exiv2
  - From: Roberto C. Sánchez <roberto@debian.org>

References:
- Notes on building with ASAN
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: Accepted openjdk-7 7u151-2.6.11-2~deb7u2 (source amd64 all) into oldoldstable
Next by Date: Re: ASAN builds and exiv2
Previous by thread: Re: Notes on building with ASAN
Next by thread: Re: ASAN builds and exiv2
Index(es):
- Date
- Thread