Your message dated Thu, 06 Nov 2025 11:48:45 +0000
with message-id <E1vGyTt-0067Wz-20@fasolo.debian.org>
and subject line Bug#1065542: fixed in libxxf86vm 1:1.1.4-2
has caused the Debian Bug report #1065542,
regarding libxxf86vm1: Please rebuild to avoid overly huge ELF segment alignment
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1065542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libxxf86vm1: Please rebuild to avoid overly huge ELF segment alignment
- From: Mathias Krause <minipli@grsecurity.net>
- Date: Wed, 06 Mar 2024 13:14:02 +0100
- Message-id: <170972724295.64774.1344666105263080852.reportbug@x1>
Package: libxxf86vm1
Version: 1:1.1.4-1+b2
Severity: normal
X-Debbugs-Cc: minipli@grsecurity.net

Dear Maintainer,

After investigating ELF binaries and libraries on Debian systems, I
noticed that libxxf86vm1 uses an overly huge alignment for its segments.
This will lead to an unnecessary ASLR degradation for (transitive) users
of this library like cinnamon or gnome-software.

Below is the relevant output:

minipli@bell:~/src/paxtest (master)$ ./contrib/check_align.sh /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0
/usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0 (max align=0x200000)
minipli@bell:~/src/paxtest (master)$ readelf -Wl /usr/lib/x86_64-linux-gnu/libXxf86vm.so.1.0.0 | grep -B2 LOAD
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x00405c 0x00405c R E 0x200000
  LOAD           0x004dd0 0x0000000000204dd0 0x0000000000204dd0 0x000370 0x000398 RW  0x200000

The cause for the excessive segment alignment of 2MB instead of the
usual 4kB is binutils' ld which did, from versions v2.11 up to v2.30 (in
Debian, at least), use a huge default, even if no segment required such
a huge alignment. That was fixed in Debian with the release of buster,
which makes use of binutils v2.31+.

The full technical background behind overly huge alignment was reported
here:
https://grsecurity.net/toolchain_necromancy_past_mistakes_haunting_aslr

Rebuilding the package will implicitly make use of a recent version of
ld and thereby fix the issue which is what I'm hereby requesting.

Thanks,
Mathias

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/20 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libxxf86vm1 depends on:
ii  libc6     2.36-9+deb12u4
ii  libx11-6  2:1.8.4-2+deb12u2
ii  libxext6  2:1.3.4-1+b1

libxxf86vm1 recommends no packages.

libxxf86vm1 suggests no packages.

-- no debconf information
--- End Message ---
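
The check described in the report above, as an added example that is not part of the report and is not paxtest's check_align.sh: it reads the PT_LOAD program headers of an ELF64 image directly and reports the largest p_align, as the quoted readelf output does. The sample image is constructed from the values in that output; the 4 kB page size and the "bits lost" figure (which applies only when the loader honors p_align for the load base) are assumptions of this example.

```python
import struct

PT_LOAD = 1
PAGE_SIZE = 0x1000  # assumption: 4 kB base pages, as on amd64


def load_alignments(elf):
    """Return p_align of every PT_LOAD program header of an ELF64 image."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2:  # EI_CLASS: 2 = ELFCLASS64
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    aligns = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(elf):
            raise ValueError("program header table is truncated")
        fields = struct.unpack_from(endian + "IIQQQQQQ", elf, off)
        if fields[0] == PT_LOAD:
            aligns.append(fields[7])  # p_align is the last Elf64_Phdr field
    return aligns


def lost_aslr_bits(align, page=PAGE_SIZE):
    """Low bits of a page-granular load base that `align` forces to zero."""
    return max(align // page, 1).bit_length() - 1


def check(elf):
    """Return (max LOAD alignment, base bits forced to zero, flagged?)."""
    worst = max(load_alignments(elf), default=0)
    return worst, lost_aslr_bits(worst), worst > PAGE_SIZE


def sample_elf(align):
    """Constructed image: ELF64 header plus the two LOAD entries from the report."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x405C, 0x405C, align)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0x4DD0, 0x204DD0, 0x204DD0, 0x370, 0x398, align)
    return ehdr + text + data


if __name__ == "__main__":
    for a in (0x200000, 0x1000):
        print("max align=%#x, bits lost=%d, flagged=%s" % check(sample_elf(a)))
```

To audit a real file, pass its contents to check(), for example check(open(path, "rb").read()).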
--- Begin Message ---
- To: 1065542-close@bugs.debian.org
- Subject: Bug#1065542: fixed in libxxf86vm 1:1.1.4-2
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Thu, 06 Nov 2025 11:48:45 +0000
- Message-id: <E1vGyTt-0067Wz-20@fasolo.debian.org>
- Reply-to: Andreas Tille <tille@debian.org>
Source: libxxf86vm
Source-Version: 1:1.1.4-2
Done: Andreas Tille <tille@debian.org>

We believe that the bug you reported is fixed in the latest version of
libxxf86vm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1065542@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated libxxf86vm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 06 Nov 2025 07:37:53 +0100
Source: libxxf86vm
Architecture: source
Version: 1:1.1.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1065542 1102885
Changes:
 libxxf86vm (1:1.1.4-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Debian Janitor ]
   * Use secure URI in debian/watch.
   * Bump debhelper from deprecated 9 to 13.
     + debian/rules: Drop --fail-missing argument, now the default.
   * Set debhelper-compat version in Build-Depends.
   * Change priority extra to priority optional.
   * Drop unnecessary dependency on dh-autoreconf.
   * Use secure URI in Vcs control header Vcs-Git.
   * Update Vcs-* headers from URL redirect.
   * Use canonical URL in Vcs-Git.
   * Remove field Priority on binary package libxxf86vm1-dbg that duplicates
     source.
   * Remove constraints unnecessary since buster:
     + Build-Depends: Drop versioned constraint on libx11-6, libx11-dev,
       libxext-dev, x11proto-xf86vidmode-dev and xutils-dev.
     + libxxf86vm-dev: Drop versioned constraint on x11proto-xf86vidmode-dev
       in Depends.
     + libxxf86vm-dev: Drop versioned constraint on x11proto-xf86vidmode-dev
       in Replaces.
 .
   [ Timo Aaltonen ]
   * control: Migrate to x11proto-dev.
 .
   [ Bjarni Ingi Gislason ]
   * XF86VM.3: Some editorial changes for this man page
     (Closes: #1102885)
 .
   [ Andreas Tille ]
   * control: Bump policy to 4.7.2.
   * Add Homepage
   * d/copyright: DEP5
   * d/watch: version=4
   * Rebuild to avoid overly huge ELF segment alignment
     Closes: #1065542
   * Source format: 3.0 (quilt)
   * Remove explicit -dbg package
   * Do not explicitly Build-Depend quilt
   * Build-Depends: pkg-config => pkgconf
   * Remove quilt usage from debian/README.source
--- End Message ---