Comment 0 for bug 2007946

Hello,

if I understood correctly, the Python from version 3.10 should be compiled as a PIE (position independent executable). That is why there are the new packages python3-nopie, python3.10-nopie and python3.11-nopie.

But the Python 3.11 from package python3.11-minimal, version 3.11.0~rc1-1~22.04, arch arm64 is not a PIE.

$ file /usr/bin/python3.11-pie
/usr/bin/python3.11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65f319d75fa662120654ed39ed608b11774bec9b, for GNU/Linux 3.7.0, stripped

the same using hardening-check:

$ hardening-check /usr/bin/python3.11-pie
/usr/bin/python3.11-pie:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

While the python3.10-minimal is a PIE.

$ file /usr/bin/python3.10-pie
/usr/bin/python3.10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a1841de4f4ec9445a10bff638afa4c72deace9e0, for GNU/Linux 3.7.0, stripped

$ hardening-check /usr/bin/python3.10-pie
/usr/bin/python3.10-pie:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

I know the packages are probably from Debian Bookworm. I've checked their amd64 and arm64 packages python3.11-minimal_3.11.1-2, they are both not a PIE.

I should report this to Debian as well, but their reporting system is very old-fashioned.