Ubuntu
nginx package

nginx not built as Position Independent; does not use BIND_NOW

Bug #1315426 reported by Sindhudweep Sarkar on 2014-05-02
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
nginx (Debian)
Fix Released
Unknown
nginx (Ubuntu)
Fix Released
Low
Thomas Ward
Precise
Won't Fix
Wishlist
Thomas Ward
Trusty
Won't Fix
Wishlist
Thomas Ward
Utopic
Won't Fix
Wishlist
Thomas Ward
Vivid
Fix Released
Low
Thomas Ward
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

nginx (1.4.6-1ubuntu3) is not being built with -fPIE -pie. I am running ubuntu 14.04 LTS. I've included the output when scanning apache2 with hardening-check just for comparison purposes.

$ hardening-check /usr/sbin/nginx
/usr/sbin/nginx:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

$ dpkg -l | grep "nginx-core"
ii nginx-core 1.4.6-1ubuntu3 amd64 nginx web/proxy server (core version)

$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

$ hardening-check /usr/sbin/apache2
/usr/sbin/apache2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Thomas Ward (teward) on 2014-05-04
Changed in nginx (Ubuntu):
status: New → Confirmed
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2014-05-04
Changed in nginx (Ubuntu):
status: Confirmed → Triaged
Bug Watch Updater (bug-watch-updater) on 2014-05-05
Changed in nginx (Debian):
status: Unknown → New
Bug Watch Updater (bug-watch-updater) on 2015-01-12
Changed in nginx (Debian):
status: New → Fix Committed
Simon Déziel (sdeziel) wrote :

Thomas, since the fix is trivial and the benefit would be very welcome, would it be possible to do SRU this?

Thomas Ward (teward) wrote :

Simon:

This is currently marked as "Fix Committed" in Debian - that doesn't mean that this is "Fixed" up there yet, and that it's only in the git repo for it.

It also isn't fixed in Vivid. To SRU this, the commit from Debian would need to be put into Vivid, and possibly Utopic before it could end up in Trusty. Vivid is currently under feature freeze, I'd need to check with the release team to see if this would get past the freeze (although I doubt it will get in past the freeze). And since this fix isn't even in Debian I'm not sure this qualifies for an SRU right now.

Changed in nginx (Ubuntu Utopic):
status: New → Triaged
Changed in nginx (Ubuntu Trusty):
status: New → Triaged
Changed in nginx (Ubuntu Precise):
status: New → Triaged
Changed in nginx (Ubuntu Utopic):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Trusty):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2015-04-01
Changed in nginx (Ubuntu Precise):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Trusty):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Utopic):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Vivid):
importance: Undecided → Wishlist
Simon Déziel (sdeziel) wrote :

Thanks for the clarifications. Please know that I'll be available to test any new build that would reach Vivid or any older versions.

Thomas Ward (teward) wrote :

After additional discussion with the server team and members of the security team, we do not believe that this qualifies as an SRU. It does not provide any significant benefit other than hardening, and does not qualify for SRU.

As such, I am setting "Won't Fix" in Precise through Utopic, but leaving Vivid alone for now. Here's some additional considerations for Vivid (and also earlier stable releases), brought up during that discussion:
* Turning on PIE in stable releases will have a detrimental performance impact on 32-bit platforms (and will likely annoy people who are using nginx on 32-bit platforms for its performance.
* While "PIE isn't turned on though expected for security-sensitive packages" would possibly be a valid reason to get a change into Vivid during the current freeze, the performance impact on 32-bit platforms would make this a possible blocking point.

It is possible/likely that Vivid+1 will have this fixed there, as Debian has 'committed' a fix that may likely be available by that time (and merged in at some point in the Vivid+1 cycle).

Changed in nginx (Ubuntu Precise):
status: Triaged → Won't Fix
Changed in nginx (Ubuntu Trusty):
status: Triaged → Won't Fix
Changed in nginx (Ubuntu Utopic):
status: Triaged → Won't Fix
Sindhudweep Sarkar (sindhudweep-sarkar) wrote :

Why bother having nginx in main? It should have been hardened as a blocking bug when the MIR was originally put out (https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1262710) .

Is it even meaningful to compare the speed of apache with nginx if one is build with pie and one is not? I respect that this could represent a performance regression for precise but this really should go into vivid, vivid + 1 and 16.04 LTS.

Thomas Ward (teward) on 2015-04-01
Changed in nginx (Ubuntu Vivid):
importance: Wishlist → Low
Thomas Ward (teward) wrote :

Sindhudweep: We were not comparing Apache and NGINX speeds. With PIE, on a 32bit platform there si at least a 15% performance decrease (based on general observation between platforms with PIE enabled/disabled).

We're working on this for Vivid right now, have patience.

Thomas Ward (teward) on 2015-04-02
Changed in nginx (Ubuntu Vivid):
status: Triaged → Fix Committed
Thomas Ward (teward) wrote :

Additional related bugs in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781703 - nginx not using BIND_NOW security feature

Immediate binding as well as Position Independent building are both enabled with the fix that is committed right now. (Bug summary expanded to include the BIND_NOW security feature).

With regard to the Debian bug, the Debian bug linked to this bug, as well as the additional related bug linked in this comment, are both fixed by a commit now included in Debian git.

summary: - nginx not built as position independent
+ nginx not built as Position Independent; does not use BIND_NOW
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.6.2-5ubuntu3

---------------
nginx (1.6.2-5ubuntu3) vivid-proposed; urgency=medium

  * debian/rules:
    * Reversed Debian change in 1.6.2-5ubuntu2.
    * Added DEB_BUILD_MAINT_OPTIONS=hardening=+all to enable all
      dpkg-buildflags to harden the code, except for PIE flags.
    * Manually define DEB_BUILD_MAINT_OPTIONS in DEBIAN_NGINX_PERL_LDFLAGS
      to not have -fPIE conflicts in Perl flags.
 -- Thomas Ward <email address hidden> Wed, 01 Apr 2015 14:57:34 -0400

Changed in nginx (Ubuntu Vivid):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater) on 2015-06-12
Changed in nginx (Debian):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

Thomas, would you consider a SRU to Trusty now? If yes, I could work on providing a debdiff if you'd like. Thanks in advance

Thomas Ward (teward) wrote :

Simon:

Please reread comment #4 here - https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1315426/comments/4

The decision on SRU stands because of the reasons stated there, with agreement from the Server and Security teams to that effect. We will not be SRUing these changes, because the agreement is that they don't bring any significant additional improvements (nor does it fix any real bugs which would impact security status of the package in older releases).

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.