libsmpeg0 has an executable stack

Bug #49196 reported by John Moser
Affects: smpeg (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Kees Cook

Bug Description

Binary package hint: libsmpeg0

smpeg seems to have an executable stack on Ubuntu. As determined by Gentoo, this is not necessary. In fact this particular case is the example for the Hardened Gentoo GNU Stack Quickstart[1], a guide to dealing with executable stacks.

Utilizing scanelf from paxutils, I have located several libraries with PT_GNU_STACK markings. Libraries with these markings cause any executable loading these libraries to get an executable stack, a failing in security best practices[1].

~$ scanelf -Retq /usr/lib
...
RWX --- --- /usr/lib/libsmpeg-0.4.so.0.1.4

Removal of this marking can simply be carried out with 'execstack -c'; however, if something else causes an executable stack later for "legitimate" reasons (i.e. code is executed on the stack... gcc nested functions?), we won't find out until programs mysteriously start crashing (and then we have to fix the program to NOT execute the stack).

Instead of blindly killing the flag after compilation, we should correctly mark each object by adding a PT_GNU_STACK header to each assembly (.S) file, at the end:

#endif /* i386 && USE_MMX */

/* Add these three lines to get us a PT_GNU_STACK header */
#ifdef __ELF__
.section .note.GNU-stack,"",%progbits
#endif

This is as per patch at Gentoo CVS:
  http://www.gentoo.org/cgi-bin/viewcvs.cgi/media-libs/smpeg/files/smpeg-0.4.4-gnu-stack.patch

Inline assembly is disabled by debian/rules; the two video/mmx*.S files output .o files containing no useful object code, but no .note.GNU-stack either, causing an executable stack.

Somebody should submit this fix upstream as well.

[1] http://www.gentoo.org/proj/en/hardened/gnu-stack.xml

Simon Law (sfllaw) wrote :

John,

Gentoo seems to have moved their source repositories around. Could
you attach the proper patch to this bug?

Thanks.

Changed in smpeg:
status: Unconfirmed → Needs Info
John Moser (nigelenki) wrote :

Patches are in:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/smpeg/files/

The 0.4.4 patches seem to apply to 0.4.5 fine. These fix the MMX files; we don't use MMX, but the build system still links the files in. Their contents are surrounded by an #ifdef.

Not relevant to this bug:

There's a number of patches there, including PIC fixes (remove TONS of TEXTRELs); but we build without MMX so the PIC fix is non-relevant to us.

Changed in smpeg:
status: Needs Info → Confirmed
Simon Law (sfllaw)
Changed in smpeg:
importance: Untriaged → Wishlist
Kees Cook (kees) wrote :

This has been fixed upstream.

Changed in smpeg (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Fix Released