Please re-enable PIE and BIND_NOW

Bug #1039618 reported by Jamie Strandboge on 2012-08-21
This bug affects 2 people
Affects                    Importance   Assigned to
postgresql-9.1 (Ubuntu)    High         Martin Pitt
  Precise                  Undecided    Unassigned
  Quantal                  High         Martin Pitt

Bug Description

Older versions of postgresql were compiled with PIE and BIND_NOW. Unfortunately, these were lost in 12.04. E.g., output from hardening-check:
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_resetxlog:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_ctl:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_test_fsync:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_controldata:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/postgres:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_upgrade:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/initdb:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/postmaster:
 Position Independent Executable: no, normal executable!

tags: added: regression-release
Martin Pitt (pitti) wrote :

I checked the binaries in sid, and they are fine. The only difference in dpkg-buildflags between sid and quantal is that Ubuntu adds -Wl,-Bsymbolic-functions, but that seems unrelated.

So something else in our build chain must be different, I'll have a closer look.

Changed in postgresql-9.1 (Ubuntu Quantal):
importance: Undecided → High
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Martin Pitt (pitti) wrote :

I compared the gcc command lines for postgres.c between Debian's and Ubuntu's i386 builds. For the compilation stage (-c) there are no significant differences (just the path of the build directories, which appear in -I). For linking, the difference is that Ubuntu drops "-L/usr/lib" and "-lxslt -lxml2 -lpam -lssl -lcrypto -lkrb5 -lcom_err -lgssapi_krb5", which seems to come from Ubuntu doing the -Wl,--as-needed linking option by default, and Ubuntu adding "-Wl,-Bsymbolic-functions" which comes from our changed dpkg-buildflags as I pointed out in the previous comment.

Neither Ubuntu nor Debian use -pie, but they both use -fPIC during compiling and linking.

Martin Pitt (pitti) wrote :

Argh, I know why: In my sid chroot I have the hardening-wrapper package installed, which silently adds the -pie flag for us. Since we now build-depend on "dpkg-dev (>= 1.16.1~) | hardening-wrapper,", hardening-wrapper does not get installed any more for precise and quantal.

It seems I even attempted that in the past:

postgresql-9.1 (9.1.3-2) unstable; urgency=low

  * debian/control, debian/rules: Support and prefer dpkg-buildflags when
    building with dpkg-dev >= 1.16.1~. Fall back to hardening-wrapper
    otherwise, to keep supporting backports.
  * debian/rules: Build with "-z now" for some extra hardening. We can't use
    the full "hardening=+all", as PIE causes build failures.

I'll take another look at the build failures again.

Martin Pitt (pitti) wrote :
Changed in postgresql-9.1 (Ubuntu Quantal):
assignee: Martin Pitt (pitti) → nobody
status: In Progress → Fix Committed
assignee: nobody → Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → Triaged
Martin Pitt (pitti) on 2012-08-30
Changed in postgresql-9.1 (Ubuntu Quantal):
milestone: none → ubuntu-12.10-beta-1
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.5-2

---------------
postgresql-9.1 (9.1.5-2) unstable; urgency=low

  * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when
    hardening-wrapper is not installed). Use "hardening=all", but disable
    "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS
    explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is
    now implied with "all". (LP: #1039618)
  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
    releases. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is
    not sufficient, as Ubuntu stables have newer upstream releases by now.
    - debian/control: Move Breaks/Replaces: from static version to
      ${binary:Version}.
    - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading
      from a -0something version.
    - (LP: #1043449)

 -- Martin Pitt <email address hidden> Fri, 31 Aug 2012 09:54:27 +0200

Changed in postgresql-9.1 (Ubuntu Quantal):
status: Fix Committed → Fix Released