[Pkg-gnupg-maint] Bug#527630: built with needless executable stack

Kees Cook kees at debian.org
Fri May 8 18:50:14 UTC 2009


On Fri, May 08, 2009 at 06:49:53PM +0200, Daniel Leidert wrote:
> Am Freitag, den 08.05.2009, 08:37 -0700 schrieb Kees Cook:
> > gnupg is built with an executable stack, which is not needed and can lead
> > to security problems if a flaw is found that allows an attacker to fill
> > stack memory with executable code on ia32.
> > 
> > Attached patch adds the configure option to enable this protection.  This
> > is also being tracked in Ubuntu as:
> > https://bugs.edge.launchpad.net/bugs/49323
> 
> gnupg comes with a configure option (m4/noexecstack.m4) - it was me
> answering there.  However, I checked this issue recently and I didn't
> find an executable stack (neither on Ubuntu nor Debian), although it is
> not yet built with --enable-noexecstack. However, I already considered
> adding this switch.

Well, the non-exec stack is only a marking for i386.  All of amd64 is by
default non-exec stack, so the marking will only show up on i386, where I
do still see it on both Debian and Ubuntu:

$ file /usr/bin/gpg
/usr/bin/gpg: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ readelf -l /usr/bin/gpg | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
$ execstack -q /usr/bin/gpg
X /usr/bin/gpg


-- 
Kees Cook                                            @debian.org
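The check above relies on the PT_GNU_STACK program header: readelf prints its p_flags as RWE, and execstack reports X when the execute bit is set, - when it is clear, and ? when the header is absent (in which case the loader falls back to its own default, which on i386 has historically been an executable stack). The following is an added example, not code from the thread or from gnupg, that performs the same check with a minimal ELF program-header parser in Python. It handles both ELF32 and ELF64 and either byte order. The sample images it inspects are constructed in the script itself (only an ELF header plus one program header, no code), so the build_elf32/build_elf64 helpers and the status strings are assumptions of this example, not anything from the original message.

```python
import struct
import sys

# Program-header type and flag constants from the ELF specification.
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the ELF has no such header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64; 1/2 = LSB/MSB
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        # ELF32: e_phoff at 0x1c; e_phentsize/e_phnum at 0x2a; p_flags is the 7th Phdr field.
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, flags_index = end + "IIIIIIII", 6
    elif ei_class == 2:
        # ELF64: e_phoff at 0x20; e_phentsize/e_phnum at 0x36; p_flags is the 2nd Phdr field.
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_index]
    return None


def flags_to_str(flags):
    """Render p_flags the way readelf -l does (e.g. 'RWE', 'RW ')."""
    return ("R" if flags & PF_R else " ") + ("W" if flags & PF_W else " ") + ("E" if flags & PF_X else " ")


def stack_status(data):
    """Classify an ELF image as execstack -q would: 'executable', 'non-executable' or 'missing'."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"          # execstack prints '?': no marker, loader default applies
    return "executable" if flags & PF_X else "non-executable"


# --- Constructed sample images (assumption of this example: header-only ELF files) ---

def build_elf32(stack_flags):
    """Minimal little-endian ELF32 (EM_386) image with one PT_GNU_STACK header, or none if stack_flags is None."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    phnum = 0 if stack_flags is None else 1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)


def build_elf64(stack_flags):
    """Minimal little-endian ELF64 (EM_X86_64) image with one PT_GNU_STACK header."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real binary given on the command line, e.g. /usr/bin/gpg
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        samples = [(sys.argv[1], image)]
    else:
        samples = [
            ("elf32 RWE (as in the bug report)", build_elf32(PF_R | PF_W | PF_X)),
            ("elf32 RW  (--enable-noexecstack)", build_elf32(PF_R | PF_W)),
            ("elf64 RW", build_elf64(PF_R | PF_W)),
            ("elf32 without PT_GNU_STACK", build_elf32(None)),
        ]
    for name, image in samples:
        flags = gnu_stack_flags(image)
        shown = flags_to_str(flags) if flags is not None else "(none)"
        print("%-40s GNU_STACK %s -> %s" % (name, shown, stack_status(image)))
```

Run it with a path to check a real binary, or without arguments to see the constructed cases; note that it only reads the marker, so, as the message says, an amd64 binary with RW here is what you expect by default and an i386 binary with RWE is the case the --enable-noexecstack configure option is meant to fix.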