Debian Bug report logs - #336138
liblzo1: liblzo.so.1.0.0 is mistakenly listed as requiring an executable stack.

Package: liblzo1; Maintainer for liblzo1 is (unknown);

Reported by: Russell Coker <russell@coker.com.au>

Date: Fri, 28 Oct 2005 05:48:04 UTC

Severity: normal

Tags: confirmed, fixed-upstream, patch, upstream

Found in version liblzo1/1.08-2

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.

Forwarded to Markus F.X.J. Oberhumer <markus@oberhumer.com>


Report forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <peter_e@gmx.net>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Peter Eisentraut <peter_e@gmx.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblzo1: liblzo.so.1.0.0 is mistakenly listed as requiring an executable stack.
Date: Fri, 28 Oct 2005 15:46:21 +1000
Package: liblzo1
Version: 1.08-2
Severity: normal

"readelf -l /usr/lib/liblzo.so.1.0.0 | grep STACK" shows that the shared object
is listed as requiring an executable stack.  I believe that this is a mistake,
probably due to including assembler without specifying the appropriate data to
list it as not requiring an executable stack.

Please see http://people.redhat.com/drepper/nonselsec.pdf for more information.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.3-se
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages liblzo1 depends on:
ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an

liblzo1 recommends no packages.

-- no debconf information



Reply sent to Peter Eisentraut <peter_e@gmx.net>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #8 received at 336138-forwarded@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <peter_e@gmx.net>
To: Markus F.X.J. Oberhumer <markus@oberhumer.com>
Cc: 336138-forwarded@bugs.debian.org
Subject: Re: Bug#336138: liblzo1: liblzo.so.1.0.0 is mistakenly listed as requiring an executable stack.
Date: Wed, 11 Jan 2006 22:46:23 +0100
The following issue (which also exists in lzo 2.02) has been reported
to the Debian bug tracking system.  Please check whether you can fix the
assembly code to avoid this, because this apparently hinders certain
security features.

Russell Coker wrote:
> Package: liblzo1
> Version: 1.08-2
> Severity: normal
> 
> "readelf -l /usr/lib/liblzo.so.1.0.0 | grep STACK" shows that the shared object
> is listed as requiring an executable stack.  I believe that this is a mistake,
> probably due to including assembler without specifying the appropriate data to
> list it as not requiring an executable stack.
> 
> Please see http://people.redhat.com/drepper/nonselsec.pdf for more information.



Message #9 received at 336138-forwarded@bugs.debian.org (full text, mbox):

From: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
To: Peter Eisentraut <peter_e@gmx.net>
Cc: 336138-forwarded@bugs.debian.org
Subject: Re: Bug#336138: liblzo1: liblzo.so.1.0.0 is mistakenly listed as requiring an executable stack.
Date: Wed, 11 Jan 2006 23:25:13 +0100
Peter Eisentraut wrote:
> The following issue (which also exists in lzo 2.02) has been reported
> to the Debian bug tracking system.  Please check whether you can fix the
> assembly code to avoid this, because this apparently hinders certain
> security features.
> 
> Russell Coker wrote:
> 
>>Package: liblzo1
>>Version: 1.08-2
>>Severity: normal
>>
>>"readelf -l /usr/lib/liblzo.so.1.0.0 | grep STACK" shows that the shared object
>>is listed as requiring an executable stack.  I believe that this is a mistake,
>>probably due to including assembler without specifying the appropriate data to
>>list it as not requiring an executable stack.
>>
>>Please see http://people.redhat.com/drepper/nonselsec.pdf for more information.
> 
> 

The necessary .note.GNU-stack sections for the assembler sources will be 
included in the upcoming LZO 2.03 release.

In the meantime you could borrow some patches from Gentoo (at least for 2.02).

~Markus

-- 
Markus Oberhumer, <markus@oberhumer.com>, http://www.oberhumer.com/



Tags added: confirmed, upstream, fixed-upstream Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #16 received at 336138@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 336138@bugs.debian.org
Subject: could you please fix this for etch?
Date: Fri, 9 Feb 2007 08:52:43 +1100
The easiest solution is to simply run "execstack -c" after linking the shared 
object.  This isn't the ideal solution but gives the desired result.




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #21 received at 336138@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <peter_e@gmx.net>
To: russell@coker.com.au, 336138@bugs.debian.org
Subject: Re: Bug#336138: could you please fix this for etch?
Date: Fri, 9 Feb 2007 01:37:40 +0100
Russell Coker wrote:
> The easiest solution is to simply run "execstack -c" after linking
> the shared object.  This isn't the ideal solution but gives the
> desired result.

The package "prelink" that contains this program seems to be available 
only for a few platforms.



Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #26 received at 336138@bugs.debian.org (full text, mbox):

From: Erich Schubert <erich@debian.org>
To: 336138@bugs.debian.org
Cc: control <control@bugs.debian.org>
Subject: liblzo execstack and SELinux issues
Date: Tue, 24 Apr 2007 15:57:48 +0200
clone 336138 -1
reassign -1 liblzo2-2
thanks

Hi,
This bug causes problems with SELinux, since it restricts use of
execstack. I'd put a 'serious' priority on this bug because of this
("breaks unrelated applications").

Is there any patch available I could use for providing fixed backports
for SELinux on etch?

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
      The future is here. It's just not evenly distributed yet.      //\
        How can I know what I think before I hear what I say.        V_/_




Bug 336138 cloned as bug 420753. Request was from Erich Schubert <erich@debian.org> to control@bugs.debian.org. (Tue, 24 Apr 2007 14:03:03 GMT) Full text and rfc822 format available.

Tags added: Request was from Erich Schubert <erich@debian.org> to control@bugs.debian.org. (Tue, 24 Apr 2007 14:06:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Erich Schubert <erich@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #35 received at 336138@bugs.debian.org (full text, mbox):

From: Erich Schubert <erich@debian.org>
To: 336138@bugs.debian.org, 420753@bugs.debian.org
Cc: control <control@bugs.debian.org>
Subject: patches for lzo execstack issues
Date: Tue, 24 Apr 2007 16:11:51 +0200
tag 420753 + patch
tag 336138 + patch
thanks

From gentoo, e.g.
http://ftp.riken.go.jp/pub/Linux/gentoo/dev-libs/lzo/files/lzo-1.08-exec-stack.patch
http://ftp.riken.go.jp/pub/Linux/gentoo/dev-libs/lzo/files/lzo-2.02-exec-stack.patch

These should fix the issues.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
  A polar bear is a rectangular bear after a coordinate transform.   //\
       The beginning of all knowledge is wonder. --- Aristotle       V_/_




Tags added: patch Request was from Erich Schubert <erich@debian.org> to control@bugs.debian.org. (Tue, 24 Apr 2007 14:15:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Steven Brown <swbrown@variadic.org>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #42 received at 336138@bugs.debian.org (full text, mbox):

From: Steven Brown <swbrown@variadic.org>
To: 336138@bugs.debian.org
Subject: NMUish update to fix the executable stack
Date: Thu, 10 May 2007 22:00:35 -0700
[Message part 1 (text/plain, inline)]
I had been working on a fix for this prior to the link of the gentoo
patches - not sure if they'd be a better match, but I've prepared a
NMUish update that fixes this problem that can be found here if it helps:

http://www.variadic.org/debian/etch/liblzo1/

The patch to stick in debian/patches is attached as well.
[20_GNU-stack.patch (text/plain, inline)]
Add a .note.GNU-stack section to the assembly files so that selinux can 
recognize this library and anything that links with it doesn't need an 
executable stack.  Done in the same way as was done to fix gcc in this 
patch by Jakub Jelinek:
http://svn.pardus.org.tr/pardus/2007/system/devel/gcc/files/65_all_gcc3.4-noteGNUstack.patch

- Steven Brown <swbrown@variadic.org>


diff -ruN lzo-1.08/src/i386/src/lzo1c_s1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1c_s1.s
--- lzo-1.08/src/i386/src/lzo1c_s1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1c_s1.s	2007-05-10 20:46:20.000000000 -0700
@@ -30,6 +30,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1c_decompress_asm)
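Review bot: the `__linux__` half of the guard on the added `#if` line limits the marking to Linux, so the same assembler built for any other ELF target would still produce objects without the section. If the restriction is deliberate (it follows the gcc patch cited in the description), a short comment saying so would help; otherwise consider whether `#if defined __ELF__` alone is sufficient for the toolchains this file is assembled with.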
diff -ruN lzo-1.08/src/i386/src/lzo1c_s2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1c_s2.s
--- lzo-1.08/src/i386/src/lzo1c_s2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1c_s2.s	2007-05-10 20:46:24.000000000 -0700
@@ -34,6 +34,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1c_decompress_asm_safe)
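Review bot: the three-line block added after `#include "lzo_asm.h"` is pasted identically into all twelve files of this patch with no comment explaining it. Since every one of these files already includes that header and switches to `.text` right afterwards, emitting the section once from `lzo_asm.h` would keep the copies from drifting and would cover assembler sources added later; if the header is also included somewhere a section switch is unwanted, keep the per-file copies but add a one-line comment stating that the empty section marks the object as not needing an executable stack.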
diff -ruN lzo-1.08/src/i386/src/lzo1f_f1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1f_f1.s
--- lzo-1.08/src/i386/src/lzo1f_f1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1f_f1.s	2007-05-10 20:46:30.000000000 -0700
@@ -30,6 +30,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1f_decompress_asm_fast)
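Review bot: the `---` and `+++` paths in this file header (and in the others) differ in depth, `lzo-1.08/src/...` against `../liblzo1/lzo-1.08/src/...`, so no single `-p` strip level reduces both to the same name and the patch applies only because patch falls back to whichever candidate file exists. Regenerating the diff from two sibling trees would give a patch that applies with one strip level when dropped into debian/patches.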
diff -ruN lzo-1.08/src/i386/src/lzo1f_f2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1f_f2.s
--- lzo-1.08/src/i386/src/lzo1f_f2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1f_f2.s	2007-05-10 20:46:37.000000000 -0700
@@ -34,6 +34,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1f_decompress_asm_fast_safe)
diff -ruN lzo-1.08/src/i386/src/lzo1x_f1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1x_f1.s
--- lzo-1.08/src/i386/src/lzo1x_f1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1x_f1.s	2007-05-10 20:46:41.000000000 -0700
@@ -32,6 +32,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1x_decompress_asm_fast)
diff -ruN lzo-1.08/src/i386/src/lzo1x_f2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1x_f2.s
--- lzo-1.08/src/i386/src/lzo1x_f2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1x_f2.s	2007-05-10 20:46:46.000000000 -0700
@@ -36,6 +36,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1x_decompress_asm_fast_safe)
diff -ruN lzo-1.08/src/i386/src/lzo1x_s1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1x_s1.s
--- lzo-1.08/src/i386/src/lzo1x_s1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1x_s1.s	2007-05-10 20:46:48.000000000 -0700
@@ -30,6 +30,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1x_decompress_asm)
diff -ruN lzo-1.08/src/i386/src/lzo1x_s2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1x_s2.s
--- lzo-1.08/src/i386/src/lzo1x_s2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1x_s2.s	2007-05-10 20:46:50.000000000 -0700
@@ -34,6 +34,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1x_decompress_asm_safe)
diff -ruN lzo-1.08/src/i386/src/lzo1y_f1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1y_f1.s
--- lzo-1.08/src/i386/src/lzo1y_f1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1y_f1.s	2007-05-10 20:46:52.000000000 -0700
@@ -32,6 +32,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1y_decompress_asm_fast)
diff -ruN lzo-1.08/src/i386/src/lzo1y_f2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1y_f2.s
--- lzo-1.08/src/i386/src/lzo1y_f2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1y_f2.s	2007-05-10 20:46:56.000000000 -0700
@@ -36,6 +36,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1y_decompress_asm_fast_safe)
diff -ruN lzo-1.08/src/i386/src/lzo1y_s1.s ../liblzo1/lzo-1.08/src/i386/src/lzo1y_s1.s
--- lzo-1.08/src/i386/src/lzo1y_s1.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1y_s1.s	2007-05-10 20:46:58.000000000 -0700
@@ -30,6 +30,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1y_decompress_asm)
diff -ruN lzo-1.08/src/i386/src/lzo1y_s2.s ../liblzo1/lzo-1.08/src/i386/src/lzo1y_s2.s
--- lzo-1.08/src/i386/src/lzo1y_s2.s	2002-07-12 18:31:52.000000000 -0700
+++ ../liblzo1/lzo-1.08/src/i386/src/lzo1y_s2.s	2007-05-10 20:46:13.000000000 -0700
@@ -34,6 +34,10 @@
 
 #include "lzo_asm.h"
 
+#if defined __ELF__ && defined __linux__
+	.section .note.GNU-stack,"",@progbits
+#endif
+
 	.text
 
 	LZO_PUBLIC(lzo1y_decompress_asm_safe)
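Review bot: nothing in the patch shows that the twelve files touched under src/i386/src are every assembler object that ends up in the library, and a single object without the section is enough for the linker to keep the executable-stack marking on the result. A post-build check using the command from the original report (`readelf -l` on the built liblzo.so and inspecting the GNU_STACK line) would confirm the fix and catch a later regression.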

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#336138; Package liblzo1. Full text and rfc822 format available.

Acknowledgement sent to Matija Nalis <mnalis-debian@voyager.hr>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. Full text and rfc822 format available.

Message #47 received at 336138@bugs.debian.org (full text, mbox):

From: Matija Nalis <mnalis-debian@voyager.hr>
To: 336138@bugs.debian.org
Subject: incorporate patch ?
Date: Sun, 2 Mar 2008 12:59:48 +0100
Just to confirm that the patch works.
Is there any chance of including it in lenny?




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#336138; Package liblzo1. (Sun, 29 Jul 2012 10:00:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Andreas Kuckartz" <A.Kuckartz@ping.de>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. (Sun, 29 Jul 2012 10:00:12 GMT) Full text and rfc822 format available.

Message #52 received at 336138@bugs.debian.org (full text, mbox):

From: "Andreas Kuckartz" <A.Kuckartz@ping.de>
To: 336138@bugs.debian.org
Subject: Any news?
Date: 29 Jul 2012 11:53:07 +0200
Ping!

This issue was reported almost seven years ago and patches have been
sent by two people five years ago.

"Markus F.X.J. Oberhumer" <markus@oberhumer.com> stated that "The
necessary .note.GNU-stack sections for the assembler sources will be
included in the upcoming LZO 2.03 release." Version 2.03 is in Debian
stable.

Is this still an open issue?

I noticed this issue because it is mentioned on this page:
http://wiki.debian.org/SELinux/Issues



Marked Bug as done Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Wed, 08 May 2013 11:27:12 GMT) Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. (Wed, 08 May 2013 11:27:13 GMT) Full text and rfc822 format available.

Message sent on to Russell Coker <russell@coker.com.au>:
Bug#336138. (Wed, 08 May 2013 11:27:16 GMT) Full text and rfc822 format available.

Message #59 received at 336138-submitter@bugs.debian.org (full text, mbox):

From: Laurent Bigonville <bigon@debian.org>
To: control@bugs.debian.org
Cc: 336138-submitter@bugs.debian.org
Subject: closing 336138
Date: Wed, 08 May 2013 13:21:59 +0200
close 336138 
thanks

Hi,

The lzo package has been removed from the archive in March 2009. I'm closing
this bug report.

Cheers

Laurent Bigonville




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Jun 2013 07:28:16 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 04:05:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.