2023-02-21 20:29:50 |
Jan Fikar |
description |
Hello,
if I understood correctly, the Python from version 3.10 should be compiled as a PIE (position independent executable). That is why there are the new packages python3-nopie, python3.10-nopie and python3.11-nopie.
But the Python 3.11 from package python3.11-minimal, version 3.11.0~rc1-1~22.04, arch arm64 is not a PIE.
$ file /usr/bin/python3.11-pie
/usr/bin/python3.11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65f319d75fa662120654ed39ed608b11774bec9b, for GNU/Linux 3.7.0, stripped
the same using hardening-check:
$ hardening-check /usr/bin/python3.11-pie
/usr/bin/python3.11-pie:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
While the python3.10-minimal is a PIE.
$ file /usr/bin/python3.10-pie
/usr/bin/python3.10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a1841de4f4ec9445a10bff638afa4c72deace9e0, for GNU/Linux 3.7.0, stripped
$ hardening-check /usr/bin/python3.10-pie
/usr/bin/python3.10-pie:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
I know the packages are probably from Debian Bookworm. I've checked their amd64 and arm64 packages python3.11-minimal_3.11.1-2, they are both not a PIE.
I should report this to Debian as well, but their reporting system is very old-fashioned. |
Hello,
if I understood correctly, the Python from version 3.10 should be compiled as a PIE (position independent executable). That is why there are the new packages python3-nopie, python3.10-nopie and python3.11-nopie.
But the Python 3.11 from package python3.11-minimal, version 3.11.0~rc1-1~22.04, arch arm64 is not a PIE.
$ file /usr/bin/python3.11-pie
/usr/bin/python3.11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65f319d75fa662120654ed39ed608b11774bec9b, for GNU/Linux 3.7.0, stripped
the same using hardening-check:
$ hardening-check /usr/bin/python3.11-pie
/usr/bin/python3.11-pie:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
While the python3.10-minimal is a PIE.
$ file /usr/bin/python3.10-pie
/usr/bin/python3.10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a1841de4f4ec9445a10bff638afa4c72deace9e0, for GNU/Linux 3.7.0, stripped
$ hardening-check /usr/bin/python3.10-pie
/usr/bin/python3.10-pie:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
I know the packages are probably from Debian Bookworm. I've checked their amd64 and arm64 packages python3.11-minimal_3.11.1-2, they are both not a PIE.
I've reported the bug also to Debian. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031743 |
|