compiler hardening options not working

Bug #1000379 reported by Bryan D. Payne
This bug affects 2 people
Affects               Status  Importance  Assigned to  Milestone
nagios-nrpe (Ubuntu)          Undecided   Unassigned
Precise                       Undecided   Unassigned

Bug Description

The debian/rules file has an attempt to enable compiler hardening options, but it isn't working. I have verified this against the latest package source here on launchpad. The problem is that LDFLAGS is set to the wrong value. This can be seen with the checksec.sh output below (run after building the current latest source):

RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
Partial RELRO   Canary found   NX enabled   No PIE        No RPATH   No RUNPATH   debian/nagios-nrpe-server/usr/sbin/nrpe

The attached patch fixes this problem. Here is the checksec.sh output after the patch is applied:

RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
Full RELRO      Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   debian/nagios-nrpe-server/usr/sbin/nrpe
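
The RELRO and PIE columns above can be reproduced from readelf output alone, which is useful as a post-build gate. The following is an added example, not part of the bug report or the attached patch; the function names and the two readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Classify RELRO and PIE from readelf text, the signals behind the
# RELRO and PIE columns of the checksec.sh output.
# Input on stdin: combined output of `readelf -h -l -d <binary>`.
# GNU ld flags that produce each state (general linker behaviour):
#   -Wl,-z,relro             -> GNU_RELRO segment       (Partial RELRO)
#   -Wl,-z,relro -Wl,-z,now  -> GNU_RELRO + BIND_NOW    (Full RELRO)
#   -fPIE ... -pie           -> ELF type DYN            (PIE enabled)
# Note: shared libraries are also type DYN; this check is meant for
# executables such as usr/sbin/nrpe.
classify_hardening() {
    elf_text=$(cat)
    relro="No RELRO"
    if printf '%s\n' "$elf_text" | grep -q 'GNU_RELRO'; then
        relro="Partial RELRO"
        # BIND_NOW appears as its own tag, in FLAGS, or as FLAGS_1 NOW
        if printf '%s\n' "$elf_text" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro="Full RELRO"
        fi
    fi
    pie="No PIE"
    if printf '%s\n' "$elf_text" | grep -Eq 'Type:[[:space:]]*DYN'; then
        pie="PIE enabled"
    fi
    printf '%s, %s\n' "$relro" "$pie"
}

# Build gate: succeeds only when both protections are present.
require_full_hardening() {
    [ "$(classify_hardening)" = "Full RELRO, PIE enabled" ]
}

# Constructed readelf excerpts (not taken from the real nrpe binary).
SAMPLE_BEFORE='  Type:                              EXEC (Executable file)
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

SAMPLE_AFTER='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000d88 0x0000000000200d88 0x0000000000200d88
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'

printf '%s\n' "$SAMPLE_BEFORE" | classify_hardening
printf '%s\n' "$SAMPLE_AFTER"  | classify_hardening
```

Against a real build, pipe `readelf -h -l -d debian/nagios-nrpe-server/usr/sbin/nrpe` into `require_full_hardening` and fail the build on a non-zero exit status.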

Bryan D. Payne (bdpayne) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "nagios-nrpe_2.12-6ubuntu2.patch" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Marc Deslauriers (mdeslaur) wrote :

Thanks for catching this!

I've uploaded it to quantal, with a couple of minor changes:
- I've added the bug reference to the changelog
- I removed the "export" line from the rules file, as it isn't necessary

Thanks!

Changed in nagios-nrpe (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 2.12-6ubuntu2

---------------
nagios-nrpe (2.12-6ubuntu2) quantal; urgency=low

  * Fixed compiler hardening configuration. (LP: #1000379)
 -- <email address hidden> (Bryan D. Payne) Wed, 16 May 2012 17:29:52 +0000

Changed in nagios-nrpe (Ubuntu):
status: Fix Committed → Fix Released
Michael Terry (mterry) wrote :

I sponsored an upload by Simon Déziel for this. Subscribing ubuntu-sru.

Michael Terry (mterry) wrote :

(for precise that is)

Simon Déziel (sdeziel) wrote :

Michael, I've updated LP: #1126890 with SRU information. Please let me know if that is not enough to also cover this bug. Thanks

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Bryan, or anyone else affected,

Accepted nagios-nrpe into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nagios-nrpe/2.12-5ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nagios-nrpe (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Simon Déziel (sdeziel) wrote :

The precise-proposed package works well, many thanks!

tags: added: verification-done
removed: verification-needed
Bryan D. Payne (bdpayne) wrote :

Thanks for the work on this. I have verified the precise-proposed package and the compiler hardening appears correct.

Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nagios-nrpe - 2.12-5ubuntu1.2

---------------
nagios-nrpe (2.12-5ubuntu1.2) precise; urgency=low

  * Do not remove the PID file after a connection error
    (original patch from Hiren Patel). (LP: #1126890)
  * Fixed compiler hardening configuration. (LP: #1000379)
 -- Simon Deziel <email address hidden> Wed, 22 May 2013 10:03:21 -0400

Changed in nagios-nrpe (Ubuntu Precise):
status: Fix Committed → Fix Released