if I understood correctly, the Python from version 3.10 should be compiled as a PIE (position independent executable). That is why there are the new packages python3-nopie, python3.10-nopie and python3.11-nopie.
But the Python 3.11 from package python3.11-minimal, version 3.11.0~rc1-1~22.04, arch arm64 is not a PIE.
$ file /usr/bin/python3.11-pie
/usr/bin/python3.11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65f319d75fa662120654ed39ed608b11774bec9b, for GNU/Linux 3.7.0, stripped
the same using hardening-check:
$ hardening-check /usr/bin/python3.11-pie
/usr/bin/python3.11-pie:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
While the python3.10-minimal is a PIE.
$ file /usr/bin/python3.10-pie
/usr/bin/python3.10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a1841de4f4ec9445a10bff638afa4c72deace9e0, for GNU/Linux 3.7.0, stripped
$ hardening-check /usr/bin/python3.10-pie
/usr/bin/python3.10-pie:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
I know the packages are probably from Debian Bookworm. I've checked their amd64 and arm64 packages python3.11-minimal_3.11.1-2, they are both not a PIE.
I should report this to Debian as well, but their reporting system is very old-fashioned.
Hello,
if I understood correctly, the Python from version 3.10 should be compiled as a PIE (position independent executable). That is why there are the new packages python3-nopie, python3.10-nopie and python3.11-nopie.
But the Python 3.11 from package python3.11-minimal, version 3.11.0~rc1-1~22.04, arch arm64 is not a PIE.
$ file /usr/bin/ python3. 11-pie python3. 11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld- linux-aarch64. so.1, BuildID[ sha1]=65f319d75 fa662120654ed39 ed608b11774bec9 b, for GNU/Linux 3.7.0, stripped
/usr/bin/
the same using hardening-check:
$ hardening-check /usr/bin/ python3. 11-pie python3. 11-pie: clash-protectio n instructions found
/usr/bin/
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-
Control flow integrity: no, not found!
While the python3.10-minimal is a PIE.
$ file /usr/bin/ python3. 10-pie python3. 10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld- linux-aarch64. so.1, BuildID[ sha1]=a1841de4f 4ec9445a10bff63 8afa4c72deace9e 0, for GNU/Linux 3.7.0, stripped
/usr/bin/
$ hardening-check /usr/bin/ python3. 10-pie python3. 10-pie: clash-protectio n instructions found
/usr/bin/
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: unknown, no -fstack-
Control flow integrity: no, not found!
I know the packages are probably from Debian Bookworm. I've checked their amd64 and arm64 packages python3. 11-minimal_ 3.11.1- 2, they are both not a PIE.
I should report this to Debian as well, but their reporting system is very old-fashioned.