Debian Bug report logs - #321721
cannot enable executable stack as shared object requires: Error 14

version graph

Package: libssl0.9.7; Maintainer for libssl0.9.7 is (unknown);

Reported by: Joe Mason <joe@notcharles.ca>

Date: Sun, 7 Aug 2005 08:03:02 UTC

Severity: minor

Found in version libssl0.9.7/0.9.7e-3

Fixed in version openssl/0.9.7g-2

Done: Christoph Martin <christoph.martin@uni-mainz.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#321721; Package libssl0.9.7. Full text and rfc822 format available.

Acknowledgement sent to Joe Mason <joe@notcharles.ca>:
New Bug report received and forwarded. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joe Mason <joe@notcharles.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cannot enable executable stack as shared object requires: Error 14
Date: Sun, 07 Aug 2005 03:06:22 -0400
Package: libssl0.9.7
Version: 0.9.7g-1
Severity: critical

I just did a dist-upgrade, and every time I try to run a program linked
with libcrypto I get the following error:

error while loading shared libraries: libcrypto.so.0.9.7: cannot enable
executable stack as shared object requires: Error 14

As a lot of important system services are linked to libcrypto, this has
a serious impact.  There are many other libraries doing the same thing
(so far I've found libacl, libgcrypt, libgdbm, and libelf, and I'm filing bugs
for all of them).

Google suggests this has something to do with "pax", which I've never 
heard of and have certainly never installed or enabled.


-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.18-bf2.4
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libssl0.9.7 depends on:
ii  debconf [debconf-2.0]         1.4.56     Debian configuration management sy
ii  libc6                         2.3.5-3    GNU C Library: Shared libraries an

libssl0.9.7 recommends no packages.

-- debconf information:
  libssl0.9.7/restart-services:



Bug reassigned from package `libssl0.9.7' to `glibc'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 321717 321718 321720 321721 321723 321724. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Disconnected #321724 from all other report(s). Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Disconnected #321723 from all other report(s). Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Disconnected #321721 from all other report(s). Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `glibc' to `libssl0.9.7'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `minor'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#321721; Package libssl0.9.7. Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #26 received at 321721@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Steve Langasek <vorlon@debian.org>, 321721@bugs.debian.org
Subject: Re: Bug#321718: Upgrade caused many libs to complain about "executable stack"
Date: Sun, 7 Aug 2005 14:12:35 +0200
[Message part 1 (text/plain, inline)]
On Sun, Aug 07, 2005 at 03:51:43AM -0700, Steve Langasek wrote:
> Both the sarge and the sid versions of libssl0.9.7 were definitely *not*
> built with gcc-2.95, but they both have a PT_GNU_STACK header in
> /usr/lib/i686/cmov/libcrypto.so.0.9.7 which explicitly requests an
> executable stack.  This is not the same bug as the others, which were
> getting an executable stack by default.  Since there may be legitimate
> reasons for requesting an executable stack, I'm downgrading this bug to
> minor in addition to reassigning it -- anyone playing with grsec/PaX should
> be prepared for the possibility of having to deal with setting such policies
> on binaries where needed.

The executable stack is requested by the lack of a .note.GNU-stack
section in the assembler files. Someone need to decide if this is needed
or if we can just fix this with the attached patch.

Bastian

-- 
You're dead, Jim.
		-- McCoy, "Amok Time", stardate 3372.7
[diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#321721; Package libssl0.9.7. Full text and rfc822 format available.

Acknowledgement sent to varg@theor.jinr.ru (Sheplyakov Alexei):
Extra info received and forwarded to list. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #31 received at 321721@bugs.debian.org (full text, mbox):

From: varg@theor.jinr.ru (Sheplyakov Alexei)
To: 321721@bugs.debian.org
Subject: Re: Bug#321718: Upgrade caused many libs to complain about "executable stack"
Date: Fri, 12 Aug 2005 09:40:26 +0400
[Message part 1 (text/plain, inline)]
> The bug against libgcrypt11 is the same as that against libssl0.9.7 -- the
> library has explicitly requested an executable stack.  I don't think this is
> a coincidence:

Indeed, this is not coincidence. Both libraries have optimized 
versions of some function implemented in assembly. But

.note.GNU-stack,"",@progbits

is missing in the assembly sources. Missing markers means executable
stack, so the entire library gets marked as PT_GNU_STACK RWE.

See also
https://www.redhat.com/archives/fedora-devel-list/2005-March/msg00460.html

> it's pretty likely that both of these libraries *use* the executable stack,

No, these libraries _do not_ need an executable stack (e.g., why calculation
of MD5 hash could ever need it?). As a matter of fact, marking stack as
non-executable 

sudo execstack -c /usr/lib/i686/cmov/libssl.so.0.9.7

did not break anything.

> The last bug, I'm leaving assigned to glibc, since that is the package
> whose behavior change triggered these reports.

AFAIK, the only glibc change that made these bugs explicit is hwcap
support. Here is short demonstration:

(downgrade to glibc-2.3.2.ds1-22)

$ ldd /usr/bin/ssh
        libresolv.so.2 => /lib/libresolv.so.2 (0x27486000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x27498000)
        libutil.so.1 => /lib/libutil.so.1 (0x275a0000)
        libz.so.1 => /usr/lib/libz.so.1 (0x275a3000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x275b8000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x275cd000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x275fa000)
        libc.so.6 => /lib/libc.so.6 (0x2760c000)
        libdl.so.2 => /lib/libdl.so.2 (0x2773f000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x27465000)

execstack /usr/lib/libcrypto.so.0.9.7 
- /usr/lib/libcrypto.so.0.9.7

(/usr/lib/libcrypto.so.0.9.7 is "generic" library, it is written in
plain C, so, compiler marks the stack as non-executable).

However, optimized library have incorrect PT_GNU_STACK marking:

$ execstack /usr/lib/i686/cmov/libcrypto.so.0.9.7 
X /usr/lib/i686/cmov/libcrypto.so.0.9.7

Now, let's turn on soft mode (just in a case)

$ sudo /bin/sh -c "echo 1 > /proc/sys/kernel/exec-shield"

(turn off exec-shield, except for binaries that explicitly enable it,
e.g. have PT_GNU_STACK RW-)

and install glibc-2.3.5-3.

$ ldd /usr/bin/ssh
        libresolv.so.2 => /lib/libresolv.so.2 (0x2343f000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x23451000)
        libutil.so.1 => /lib/libutil.so.1 (0x23553000)
        libz.so.1 => /usr/lib/libz.so.1 (0x23557000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x2356b000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x2357f000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x235ae000)
        libc.so.6 => /lib/libc.so.6 (0x235c0000)
        libdl.so.2 => /lib/libdl.so.2 (0x236da000)
        /lib/ld-linux.so.2 (0x2341e000)

Now, the linker tries to use optimized library, but this library wants 
stack to be executable (for no good reason), so the bug (missing
proper PT_GNU_STACK marker) becomes user-visible.

> In any case, none of these bugs are of severity higher than important.

If PaX or exec-shield (with sys.kernel.exec-shield = 3, e.g. exec-shield
is always enabled) kernel is used, the system will be badly broken.
Or even worse (if soft mode used, which is default with exec-shield):
protection silently switched off for important binaries (e.g.,
ssh|sshd). So, I think 

1) this is _at least_ serious bug,
2) it should have `security' tag.

> There is no policy that Debian supports grsec kernels

This bug can break systems using exec-shield kernels too.
Moreover, there is no policy to deliberately break grsec either.


Best regards,
  Alexei.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#321721; Package libssl0.9.7. Full text and rfc822 format available.

Acknowledgement sent to Marcus Better <marcus@better.se>:
Extra info received and forwarded to list. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. Full text and rfc822 format available.

Message #36 received at 321721@bugs.debian.org (full text, mbox):

From: Marcus Better <marcus@better.se>
To: 321721@bugs.debian.org
Subject: marking libcrypto as not requiring executable stack
Date: Wed, 07 Sep 2005 16:37:27 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It would be useful for exec-shield users to have libcrypto correctly
marked. Otherwise exec-shield is disabled for several important network
servers where it is most useful to have it working, including the
following: sshd, named, slurpd, cyrmaster, mysqld, sendmail, ntpd.

Some of these also depend on libgcrypt, so that library would also have
to be looked at.

FWIW, it appears that Fedora Core 4 compiles OpenSSL with
- -Wa,--noexecstack as can be seen from the following lines from
openssl.spec (from the openssl source RPM for FC4). This seems to
indicate that OpenSSL indeed does not require an executable stack.

- ------from openssl.spec:----------------------------------------------
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
make depend
make all build-shared
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDHvsmXjXn6TzcAQkRAlXXAJoDOJXom+7lm+wVIQ/53Q3K3A8WGwCfVdvU
ChczMNLkYb91dpGvrZXpCNY=
=knID
-----END PGP SIGNATURE-----



Reply sent to Christoph Martin <christoph.martin@uni-mainz.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joe Mason <joe@notcharles.ca>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #41 received at 321721-close@bugs.debian.org (full text, mbox):

From: Christoph Martin <christoph.martin@uni-mainz.de>
To: 321721-close@bugs.debian.org
Subject: Bug#321721: fixed in openssl 0.9.7g-2
Date: Wed, 07 Sep 2005 09:17:13 -0700
Source: openssl
Source-Version: 0.9.7g-2

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.7-udeb_0.9.7g-2_i386.udeb
  to pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-2_i386.udeb
libssl-dev_0.9.7g-2_i386.deb
  to pool/main/o/openssl/libssl-dev_0.9.7g-2_i386.deb
libssl0.9.7_0.9.7g-2_i386.deb
  to pool/main/o/openssl/libssl0.9.7_0.9.7g-2_i386.deb
openssl_0.9.7g-2.diff.gz
  to pool/main/o/openssl/openssl_0.9.7g-2.diff.gz
openssl_0.9.7g-2.dsc
  to pool/main/o/openssl/openssl_0.9.7g-2.dsc
openssl_0.9.7g-2_i386.deb
  to pool/main/o/openssl/openssl_0.9.7g-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 321721@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <christoph.martin@uni-mainz.de> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Sep 2005 15:32:54 +0200
Source: openssl
Binary: libssl-dev openssl libcrypto0.9.7-udeb libssl0.9.7
Architecture: source i386
Version: 0.9.7g-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Christoph Martin <christoph.martin@uni-mainz.de>
Description: 
 libcrypto0.9.7-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.7 - SSL shared libraries
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 239956 309274 310184 310489 316689 318750 321721
Changes: 
 openssl (0.9.7g-2) unstable; urgency=low
 .
   * really include nl translation
   * remove special ia64 code from rc4 code to make the abi compatible to
     older 0.9.7 versions (closes: #310489, #309274)
   * fix compile flag for debian-ppc64 (closes: #318750)
   * small fix in libssl0.9.7.postinst (closes: #239956)
   * fix pk7_mime.c to prevent garbled messages because of to early memory
     free (closes: #310184)
   * include vietnamese debconf translation (closes: #316689)
   * make optimized i386 libraries have non executable stack (closes:
     #321721)
   * remove leftover files from ssleay
   * move from dh_installmanpages to dh_installman
   * change Maintainer to pkg-openssl-devel@lists.alioth.debian.org
Files: 
 4efa686485ac94f65ebdfdcc1184b69f 714 utils optional openssl_0.9.7g-2.dsc
 b59f4086f4dca850f7a0a1e86f654a38 29026 utils optional openssl_0.9.7g-2.diff.gz
 1536ad0806b8d8162cc0479b3189877c 916774 utils optional openssl_0.9.7g-2_i386.deb
 38b964c2bfb987edfc33d6d6065d3c7a 2284028 libs standard libssl0.9.7_0.9.7g-2_i386.deb
 4b827dbcd9cb663d35b9e269620f5679 457138 debian-installer optional libcrypto0.9.7-udeb_0.9.7g-2_i386.udeb
 c2e71be1fdfded36e744b6df3148430b 2572166 libdevel optional libssl-dev_0.9.7g-2_i386.deb
package-type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDHvgUgeVih7XOVJcRAj+pAKCZ74plvBNpE+s6rGH++muIO8lLsgCghDGQ
Sf0Fc6p6rbJ42W/NDJC4Z7A=
=Ejgt
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 20:22:49 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:54:37 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.