ASAN builds and exiv2
On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encountered, I have written up some notes [0] on building
> packages with ASAN while doing Wheezy LTS work. Those notes are now
> also linked from our main documentation [1].
>
> If anyone out there has used ASAN in order to reproduce vulnerabilities
> and/or verify their fixes, please review the notes. Updates and
> improvements are most welcome.
So I have tried to use those notes to reproduce the pending issues on
exiv2 (CVE-2017-1000126, CVE-2017-1000127, CVE-2017-1000128). The first
problem I had was that DEB_*_APPEND environment didn't propagate through
to the package. Maybe it's sbuild sanitizing the environment or
something.
So I ended up adding it to the debian/rules file, but that wasn't enough
either - I had to add "export" to every line so it shows up in the
environment. This could be because of the way exiv2 is built there:
override_dh_auto_configure:
dh_auto_configure -- --disable-rpath $(shell dpkg-buildflags --export=configure)
I suspect that dpkg-buildflags override may be failing to pick up the
Make variables... So I changed the documentation to export explicitly:
it can't hurt anyways:
export DEB_CFLAGS_APPEND=-fsanitize=address
export DEB_CPPFLAGS_APPEND=-fsanitize=address
export DEB_CXXFLAGS_APPEND=-fsanitize=address
export DEB_LDFLAGS_APPEND=-static-libasan
The next problem I had was that linking the package failed with errors
like:
undefined reference to `__asan_register_globals'
So I tried adding -lasan to the LDFLAGS, but then *configure* segfaults:
configure:2919: g++ -o conftest -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fsanitize=address -D_FORTIFY_SOURCE=2
ddress -Wl,-z,relro -static-libasan -lasan conftest.cpp >&5
configure:2930: ./conftest
./configure: line 2932: 18325 Segmentation fault ./conftest$ac_cv_exeext
Fun times. So I'm stuck now - I reported the CVE issues upstream so
they're at least aware of the issue:
https://github.com/Exiv2/exiv2/issues/174
... but I am not sure what to do with the package in Wheezy. I'm tempted
to mark this as no-dsa because there's no upstream fix and we can't
reproduce, but I wonder if we should just mark it as not-affected
instead.
Opinions?
A.
--
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
- Banksy