
Re: Rebuilding packages to increase Stretch's PIE coverage



Hi,

2017-02-15 21:37 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> 2017-02-15 20:02 GMT+01:00 Niels Thykier <niels@thykier.net>:
>> Bálint Réczey:
>>> Dear Release Team,
>>>
>>> GCC uses PIE by default in unstable and testing but most packages
>>> which haven't been rebuilt since the transition still ship unprotected
>>> binaries [1].
>>>
>>> If the Team agrees I suggest rebuilding the packages which would
>>> benefit from a rebuild. In case this gets a green light I would
>>> volunteer to perform a test rebuild for each package to see if the
>>> lintian warning goes away.
>>>
>>> Ideally #848129 would be fixed before the rebuild but it seems unlikely
>>> that it would move forward without Release Team weighing in. I support
>>> Adrian's suggestion about removing all PIE support from dpkg.
>>>
>>> Cheers,
>>> Balint
>>>
>>> [1] https://lintian.debian.org/tags/hardening-no-pie.html
>>>
>>> PS: Thanks to Hanno Böck for asking about the current situation and
>>> triggering this email. :-)
>>>
>>
>> Hi Bálint,
>>
>> Thanks for the offer.
>>
>> Personally, I am inclined to accept as it means that we migrate to PIE
>> for these binaries now rather than post-release (e.g. as a part of a
>> security update or stable update).
>>
>>  * Do you have a number of affected source packages handy?
> A very quick estimate would be ~2000-2500 assuming each affected source generates
> ~2 affected binary packages:
> $ w3m -dump https://lintian.debian.org/tags/hardening-no-pie.html |
> grep binary | wc -l
> 4715

The actual number may be a bit higher:

-- UDD query (psql): source packages in sid that have at least one amd64
-- binary carrying lintian's hardening-no-pie tag. sources.bin is a
-- comma-separated list of binary package names, so it is split into one
-- row per binary before joining against the lintian table.
select distinct source
from (select source, unnest(regexp_split_to_array(bin, ', ')) as bin_as_rows
        from sources where release = 'sid') as sources_unnested, lintian
where tag = 'hardening-no-pie' and package_arch = 'amd64' and
lintian.package = sources_unnested.bin_as_rows
order by source;
...
zp
zpaq
zpspell
zssh
zsync
zypper
zziplib
zzuf
(3659 rows)

I have started rebuilding them.

Cheers,
Balint

>
>>
>>  * Do you have a plan for finding packages in testing that have not
>>    been rebuilt?  (lintian.d.o does not include testing)
>
> I think it is doable with some UDD magic which I have to figure out.
> Help is welcome here. :-)
>
> My plan was providing a list of the affected packages in unstable and
> asking for a rebuild of those.
> If they have a different version in testing and they can't migrate then
> they are probably too hard to cover in one shot and should be checked
> individually.
>
> Cheers,
> Balint
>
>>
>> Thanks,
>> ~Niels
>>
>>
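
As an added example that is not part of this thread, of lintian or of dpkg: a small Python checker for the property behind the hardening-no-pie tag, i.e. whether an ELF executable was linked as position-independent (ET_DYN with a PT_INTERP program header) or as a fixed-address ET_EXEC binary. It works on raw file bytes, so it can be pointed at binaries unpacked from a rebuilt .deb to confirm the rebuild actually produced PIE output. The sample images it builds are constructed test data, not real binaries, and the function names (classify_elf, make_sample_elf64, classify_files) are my own.

```python
"""Classify ELF images as PIE executable, non-PIE executable or shared object.

Added example, not code from this thread or from lintian. It reproduces the
property behind the hardening-no-pie tag: an executable built with -fPIE/-pie
is ET_DYN (like a shared library) but carries a PT_INTERP program header naming
the dynamic loader; a fixed-address executable is ET_EXEC.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_INTERP = 3               # program header type: path of the program interpreter
ELFCLASS64 = 2
ELFDATA2LSB = 1


def classify_elf(data: bytes) -> str:
    """Return 'pie', 'no-pie', 'shared-object', 'not-executable' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    endian = "<" if data[5] == ELFDATA2LSB else ">"
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum (widths differ by class).
    fmt = "HHIQQQIHHH" if data[4] == ELFCLASS64 else "HHIIIIIHHH"
    if len(data) < 16 + struct.calcsize(endian + fmt):
        return "not-elf"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from(endian + fmt, data, 16)
    if e_type == ET_EXEC:
        return "no-pie"           # the case lintian's hardening-no-pie reports
    if e_type != ET_DYN:
        return "not-executable"   # relocatable objects, core files
    # ET_DYN covers both shared libraries and PIE executables; only the
    # executable has an interpreter entry in its program header table.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            return "pie"
    return "shared-object"


def make_sample_elf64(e_type: int, with_interp: bool) -> bytes:
    """Build a minimal little-endian ELF64 image (constructed test data, not a real binary)."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 0x3E, 1, 0, 64 if phnum else 0, 0, 0,
                                 64, 56, phnum, 64, 0, 0)
    # One program header of type PT_INTERP; the remaining fields do not matter here.
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return header + phdr


def classify_files(paths):
    """Map each path to its classification; unreadable paths are reported as 'error'."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                result[path] = classify_elf(fh.read())
        except OSError:
            result[path] = "error"
    return result


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, verdict in classify_files(targets).items():
            print(f"{verdict:14} {path}")
    else:
        # No arguments: show the three verdicts on constructed sample images.
        for name, blob in [("exec", make_sample_elf64(ET_EXEC, False)),
                           ("pie", make_sample_elf64(ET_DYN, True)),
                           ("lib", make_sample_elf64(ET_DYN, False))]:
            print(f"{classify_elf(blob):14} sample-{name}")
```

Run it as `python3 pie_check.py /path/to/unpacked/usr/bin/*` (file name assumed) to list every binary with its verdict; without arguments it prints the verdicts for the constructed samples. One caveat: a binary linked with -static-pie has no PT_INTERP and would be reported here as a shared object; covering that case needs a look at the DF_1_PIE bit in DT_FLAGS_1 of the dynamic section, which this example does not parse.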

