[Pkg-javascript-devel] Bug#980272: nodejs: '/usr/bin/node' started with executable stack
James Addison
jay at jp-hosting.net
Sun Jan 17 00:24:44 GMT 2021
Package: nodejs
Version: 14.13.0~dfsg-1
Severity: normal
X-Debbugs-Cc: jay at jp-hosting.net
Dear Maintainer,
The /usr/bin/node ELF binary in the nodejs package has an executable stack and
although I'm not certain whether this implies any potential for attack, it
seemed worth reporting. I do not believe that the binary requires an
executable stack.
The following command can be used to read and check the stack headers for the
binary:
$ readelf --program-headers --wide /usr/bin/node | grep -w GNU_STACK
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
In particular the flags (RWE above) include the 'E' flag for executable in the
package versions checked, which are: 12.19.0~dfsg-1 (bullseye), 12.20.1~dfsg-3
(sid) and 14.13.0~dfsg-1 (experimental).
This was discovered from observation of the following message in the dmesg
output on a Debian host:
'/usr/bin/node' started with an executable stack
There's some potentially-relevant reading in the Ubuntu and Gentoo security
team documentation below:
- https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
- https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-1-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nodejs depends on:
ii libc6 2.31-9
ii libnode83 14.13.0~dfsg-1
Versions of packages nodejs recommends:
ii ca-certificates 20200601
pn nodejs-doc <none>
Versions of packages nodejs suggests:
pn npm <none>
-- no debconf information
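
Added example, not part of the original report or of the nodejs packaging: the readelf check above done directly on the ELF program headers, so it can run over many binaries without binutils. The function names and the constructed sample ELF are assumptions for illustration, and only 64-bit little-endian ELF is handled.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that readelf prints as GNU_STACK
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # segment permission bits in p_flags


def gnu_stack_flags(data: bytes):
    """Return readelf-style flags ('RWE', 'RW ') of PT_GNU_STACK, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF handled here")
    # ELF64 header: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        # Each ELF64 program header starts with p_type then p_flags
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "".join(c if p_flags & bit else " "
                           for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))
    return None


def has_exec_stack(data: bytes) -> bool:
    """True when PT_GNU_STACK is present and requests an executable stack."""
    flags = gnu_stack_flags(data)
    return flags is not None and "E" in flags


def make_sample_elf(stack_flags: int) -> bytes:
    """Constructed input: ELF64 header plus a single PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/usr/bin/node"]:
        with open(path, "rb") as f:
            print(path, repr(gnu_stack_flags(f.read())))
```

A result of None means the binary carries no GNU_STACK header at all, which should be reviewed separately rather than treated as a pass.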