Preload should be compiled with security flags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
elementary OS | New | Undecided | Unassigned |
preload (Ubuntu) | New | Undecided | Unassigned |

Bug Description
ElementaryOS comes with the 'preload' program installed by default. It's worth noting that this program has not had a lot of maintenance over the years, and I doubt it has had a significant eye on it from a *public* security audit.
The program is not compiled, by default, with any security flags. Someone can confirm using checksec.sh but it is missing various flags, most notably PIE.
The program compiles *perfectly fine* with
-g -O2 -fstack-
These flags help reduce the impact of code execution, which can lead to privilege escalation from a limited user account. Checksec.sh after flags:
preload PID Full RELRO Canary found PaX enabled PIE enabled Yes
Please consider compiling preload with the above flags.
Also note that multiple other programs should be compiled with these flags. Specifically, the vala apps don't seem to be getting compiled with these flags (I've mentioned this to a dev before and they were responsive).
As this is not a specific vulnerability I'm not marking it as such, but the security team should be notified regardless. A basic audit of things like this on the OS would go a long way.
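
The properties the report checks (PIE, RELRO, non-executable stack, stack canary) can be read straight from the binary. The following is an added example, not part of the original report and not checksec.sh's own code: it parses the ELF64 header, program headers and dynamic section. `hardening` and `sample_elf` are hypothetical names, and the sample image is constructed for the demonstration.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
ET_EXEC, ET_DYN, PF_X = 2, 3, 1

def hardening(elf: bytes) -> dict:
    """PIE / RELRO / NX / canary status of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, ...
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<HHIQQQIHHH", elf, 16)
    relro = bind_now = nx = False   # nx stays False if PT_GNU_STACK is absent
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:        # DT_NULL ends the dynamic array
                    break
                # Immediate binding: DT_BIND_NOW, DF_BIND_NOW (0x8) or DF_1_NOW (0x1)
                bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & 0x8))
                             or (tag == DT_FLAGS_1 and bool(val & 0x1)))
    return {
        "PIE": e_type == ET_DYN,    # ET_DYN is also used by shared objects
        "RELRO": "full" if relro and bind_now else "partial" if relro else "none",
        "NX": nx,
        "canary": b"__stack_chk_fail" in elf,  # heuristic: symbol name present
    }

def sample_elf(hardened: bool) -> bytes:
    """Constructed test image: ELF64 header, three program headers, a dynamic array."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, 0x8 if hardened else 0, 0, 0)
    phdrs = [(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn)),
             (PT_GNU_STACK, 6 if hardened else 7, 0, 0),
             (PT_GNU_RELRO if hardened else 4, 4, 0, 0)]   # 4 = PT_NOTE filler
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    return ehdr + body + dyn + (b"__stack_chk_fail\0" if hardened else b"")

if __name__ == "__main__":
    for flag in (True, False):
        print("hardened" if flag else "default", hardening(sample_elf(flag)))
```

To check a real binary, pass `open(path, "rb").read()` to `hardening`; 32-bit and big-endian files are rejected rather than misread.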
In elementary we should probably just ditch preload by default, it only makes a difference for apps using lots of non-native libraries.
It's important for Ubuntu which shipped 5 different toolkits by default last time I checked, but ain't making a big difference in elementary OS.