Debian Bug report logs - #445595
libsmpeg0: libsmpeg-0.4.so.0.1.4 is falsely reported as needing an executable stack

version graph

Package: libsmpeg0; Maintainer for libsmpeg0 is Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>; Source for libsmpeg0 is src:smpeg.

Reported by: Russell Coker <russell@coker.com.au>

Date: Sun, 7 Oct 2007 07:54:04 UTC

Severity: normal

Found in version smpeg/0.4.5+cvs20030824-1.9

Fixed in versions smpeg/0.4.5+cvs20030824-2.1, smpeg/0.4.5+cvs20030824-2.2

Done: Russell Coker <russell@coker.com.au>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#445595; Package libsmpeg0. Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsmpeg0: libsmpeg-0.4.so.0.1.4 is falsely reported as needing an executable stack
Date: Sun, 07 Oct 2007 17:27:49 +1000
Package: libsmpeg0
Version: 0.4.5+cvs20030824-1.9
Severity: normal

"execstack -q /usr/lib/libsmpeg-0.4.so.0.1.4" reports that the shared object
requests an executable stack (via the 'X' in the output).

The below patch when applied to the source instructs the assembler that to
include a note that an executable stack is not needed.  This is required on
systems running SE Linux.


diff -ru t/smpeg-0.4.5+cvs20030824/video/mmxflags_asm.S smpeg-0.4.5+cvs20030824/video/mmxflags_asm.S
--- t/smpeg-0.4.5+cvs20030824/video/mmxflags_asm.S	2000-04-06 09:12:20.000000000 +1000
+++ smpeg-0.4.5+cvs20030824/video/mmxflags_asm.S	2007-10-07 17:17:46.000000000 +1000
@@ -1,4 +1,6 @@
 
+.section .note.GNU-stack,"",@progbits
+
 #if defined(i386) && defined(USE_MMX)
 
 .data
diff -ru t/smpeg-0.4.5+cvs20030824/video/mmxidct_asm.S smpeg-0.4.5+cvs20030824/video/mmxidct_asm.S
--- t/smpeg-0.4.5+cvs20030824/video/mmxidct_asm.S	2000-04-06 09:12:20.000000000 +1000
+++ smpeg-0.4.5+cvs20030824/video/mmxidct_asm.S	2007-10-07 17:17:51.000000000 +1000
@@ -1,4 +1,5 @@
 
+.section .note.GNU-stack,"",@progbits
 
 #if defined(i386) && defined(USE_MMX)
 

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-xen-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages libsmpeg0 depends on:
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libsdl1.2debian        1.2.11-8          Simple DirectMedia Layer
ii  libstdc++6             4.1.1-21          The GNU Standard C++ Library v3

libsmpeg0 recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#445595; Package libsmpeg0. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 445595@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 445595@bugs.debian.org
Subject: both i386 and amd64 at least
Date: Sat, 19 Apr 2008 14:57:12 +1100
I initially reported this bug against the i386 platform.  I have since 
reproduced it (and tested the fix) on amd64.

It probably happens on other platforms too.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#445595; Package libsmpeg0. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 445595@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 445595@bugs.debian.org
Subject: Let's fix this for Lenny
Date: Sun, 10 Aug 2008 20:43:08 +1000
This is a two line patch that makes no actual code changes (it just changes 
the labelling of the shared object header).  The result of this change is the 
same as running "execstack -c" on the shared object.

This patch improves system security.  Without it any program that links to 
that shared object (or any shared object that depends on it) will run with an 
executable stack.

For example here is the difference in output between "paxtest kiddie" 
and "LD_PRELOAD=/usr/lib/libsmpeg-0.4.so.0 paxtest kiddie":

< Executable stack                         : Killed
---
> Executable stack                         : Vulnerable

While it seems unlikely that someone would use LD_PRELOAD in such a manner in 
any realistic attack situation, it is a good demonstration of the result of 
having the shared object in question linked to the executable.

With my patch applied the result is that the "Executable stack" test gives a 
result of "Killed".  NB paxtest is an i386 only package, but I believe that 
the same result applies to AMD64.

It would be quite embarrassing if Lenny was vulnerable to a security problem 
because of this with the patch in the BTS for almost a year.

Would you like me to NMU it?




Reply sent to Russell Coker <russell@coker.com.au>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 445595-close@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 445595-close@bugs.debian.org
Subject: Bug#445595: fixed in smpeg 0.4.5+cvs20030824-2.1
Date: Mon, 25 Aug 2008 12:47:06 +0000
Source: smpeg
Source-Version: 0.4.5+cvs20030824-2.1

We believe that the bug you reported is fixed in the latest version of
smpeg, which is due to be installed in the Debian FTP archive:

libsmpeg-dev_0.4.5+cvs20030824-2.1_i386.deb
  to pool/main/s/smpeg/libsmpeg-dev_0.4.5+cvs20030824-2.1_i386.deb
libsmpeg0_0.4.5+cvs20030824-2.1_i386.deb
  to pool/main/s/smpeg/libsmpeg0_0.4.5+cvs20030824-2.1_i386.deb
smpeg-gtv_0.4.5+cvs20030824-2.1_i386.deb
  to pool/main/s/smpeg/smpeg-gtv_0.4.5+cvs20030824-2.1_i386.deb
smpeg-plaympeg_0.4.5+cvs20030824-2.1_i386.deb
  to pool/main/s/smpeg/smpeg-plaympeg_0.4.5+cvs20030824-2.1_i386.deb
smpeg_0.4.5+cvs20030824-2.1.diff.gz
  to pool/main/s/smpeg/smpeg_0.4.5+cvs20030824-2.1.diff.gz
smpeg_0.4.5+cvs20030824-2.1.dsc
  to pool/main/s/smpeg/smpeg_0.4.5+cvs20030824-2.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <russell@coker.com.au> (supplier of updated smpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 11:56:14 +0000
Source: smpeg
Binary: libsmpeg0 libsmpeg-dev smpeg-plaympeg smpeg-gtv
Architecture: source i386
Version: 0.4.5+cvs20030824-2.1
Distribution: unstable
Urgency: low
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Russell Coker <russell@coker.com.au>
Description: 
 libsmpeg-dev - SDL MPEG Player Library - development files
 libsmpeg0  - SDL MPEG Player Library - shared libraries
 smpeg-gtv  - SMPEG GTK+ MPEG audio/video player
 smpeg-plaympeg - SMPEG command line MPEG audio/video player
Closes: 445595
Changes: 
 smpeg (0.4.5+cvs20030824-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Build with a 2 line patch to not need an executable stack.
     Closes: #445595
     For background see:
     http://etbe.coker.com.au/2008/08/11/executable-stacks-lenny/
Checksums-Sha1: 
 6f776a66b9e6607903e1b7ded375645c2c6ae92f 1259 smpeg_0.4.5+cvs20030824-2.1.dsc
 d42eb0a6e6040f366a2c59406f6e45b3c070576c 309878 smpeg_0.4.5+cvs20030824-2.1.diff.gz
 bb6fa4c08d4246fd12408f638934105ec2090569 103366 libsmpeg0_0.4.5+cvs20030824-2.1_i386.deb
 1ef66cab8a38d5a915d0fa961899423c5d0e9c3a 115498 libsmpeg-dev_0.4.5+cvs20030824-2.1_i386.deb
 1a961bc123b6438c4457925eba74abaf4f09b7b8 23910 smpeg-plaympeg_0.4.5+cvs20030824-2.1_i386.deb
 e51419a15588469c3c8748a59c0e26a9201e14eb 27820 smpeg-gtv_0.4.5+cvs20030824-2.1_i386.deb
Checksums-Sha256: 
 4c8e5d51bb314ee3668c73ab4dfd93f59291eeb1f198ff4f680e4b57d0d42dd8 1259 smpeg_0.4.5+cvs20030824-2.1.dsc
 763827ac3f05d24eae4e49c18d45202ceef5ab6ff62e67b34b554d58aaa0468e 309878 smpeg_0.4.5+cvs20030824-2.1.diff.gz
 b46388240c37df3463ed120dd2b8a42e9b4120f5f8a004306c7616164cf75ce9 103366 libsmpeg0_0.4.5+cvs20030824-2.1_i386.deb
 9a86d41ca801dafe3e9ee3d616e4fe021b1d9ab6bfe07578d735c579b89a6ab7 115498 libsmpeg-dev_0.4.5+cvs20030824-2.1_i386.deb
 ee808d577fae6dd4470d965feb068af2e0a526e1a5ff70b71f3615e1f22c1006 23910 smpeg-plaympeg_0.4.5+cvs20030824-2.1_i386.deb
 676597533551bb8dbfd7a33db5c71a1004895a0373b9cb0808d8b9704619aae6 27820 smpeg-gtv_0.4.5+cvs20030824-2.1_i386.deb
Files: 
 aee9e921973bc66adabda72c942077c5 1259 libs optional smpeg_0.4.5+cvs20030824-2.1.dsc
 d492c469e047eaddb2f348f14db2ec14 309878 libs optional smpeg_0.4.5+cvs20030824-2.1.diff.gz
 62df051bf25867dca881767e33da1ea3 103366 libs optional libsmpeg0_0.4.5+cvs20030824-2.1_i386.deb
 844dd01ba8b3954784094aff1dd32c7d 115498 libdevel optional libsmpeg-dev_0.4.5+cvs20030824-2.1_i386.deb
 44bf3099ce37f8ef8933c61a7d3f264f 23910 graphics optional smpeg-plaympeg_0.4.5+cvs20030824-2.1_i386.deb
 09861b37045f1b3f46af84386e31c491 27820 graphics optional smpeg-gtv_0.4.5+cvs20030824-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIsqjawrB5/PXHUlYRAn1gAJ9epn33nxYtSSBpSxZ/OwAuqbJgFACbBM5W
GTfkSwy1wMw/91o4/bDSb0w=
=aLWl
-----END PGP SIGNATURE-----





Reply sent to Russell Coker <russell@coker.com.au>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 445595-close@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 445595-close@bugs.debian.org
Subject: Bug#445595: fixed in smpeg 0.4.5+cvs20030824-2.2
Date: Wed, 10 Sep 2008 07:47:29 +0000
Source: smpeg
Source-Version: 0.4.5+cvs20030824-2.2

We believe that the bug you reported is fixed in the latest version of
smpeg, which is due to be installed in the Debian FTP archive:

libsmpeg-dev_0.4.5+cvs20030824-2.2_i386.deb
  to pool/main/s/smpeg/libsmpeg-dev_0.4.5+cvs20030824-2.2_i386.deb
libsmpeg0_0.4.5+cvs20030824-2.2_i386.deb
  to pool/main/s/smpeg/libsmpeg0_0.4.5+cvs20030824-2.2_i386.deb
smpeg-gtv_0.4.5+cvs20030824-2.2_i386.deb
  to pool/main/s/smpeg/smpeg-gtv_0.4.5+cvs20030824-2.2_i386.deb
smpeg-plaympeg_0.4.5+cvs20030824-2.2_i386.deb
  to pool/main/s/smpeg/smpeg-plaympeg_0.4.5+cvs20030824-2.2_i386.deb
smpeg_0.4.5+cvs20030824-2.2.diff.gz
  to pool/main/s/smpeg/smpeg_0.4.5+cvs20030824-2.2.diff.gz
smpeg_0.4.5+cvs20030824-2.2.dsc
  to pool/main/s/smpeg/smpeg_0.4.5+cvs20030824-2.2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <russell@coker.com.au> (supplier of updated smpeg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Sep 2008 17:13:23 +1000
Source: smpeg
Binary: libsmpeg0 libsmpeg-dev smpeg-plaympeg smpeg-gtv
Architecture: source i386
Version: 0.4.5+cvs20030824-2.2
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Russell Coker <russell@coker.com.au>
Description: 
 libsmpeg-dev - SDL MPEG Player Library - development files
 libsmpeg0  - SDL MPEG Player Library - shared libraries
 smpeg-gtv  - SMPEG GTK+ MPEG audio/video player
 smpeg-plaympeg - SMPEG command line MPEG audio/video player
Closes: 445595
Changes: 
 smpeg (0.4.5+cvs20030824-2.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Build with a 2 line patch to not need an executable stack, new version of
     the patch to use the latest version of progbits.
     Closes: #445595
     For background see:
     http://etbe.coker.com.au/2008/08/11/executable-stacks-lenny/
Checksums-Sha1: 
 77adefe0a0c96246dcc1b3655d8a17c8e2428a25 1259 smpeg_0.4.5+cvs20030824-2.2.dsc
 cfc55e6a08a7c1432fa027837b45db4b05f18d02 309907 smpeg_0.4.5+cvs20030824-2.2.diff.gz
 41db3d565b110427e62929ee9fb1969d91684baa 103328 libsmpeg0_0.4.5+cvs20030824-2.2_i386.deb
 4d119a1fbda8542e5264d8d1d2c1e95dbe7e3870 115392 libsmpeg-dev_0.4.5+cvs20030824-2.2_i386.deb
 20e7cc2a62b3e0a796b4336570e0b04350d54b17 23960 smpeg-plaympeg_0.4.5+cvs20030824-2.2_i386.deb
 e0b547f0713d0c1e78c0d07cc34390f4608f90df 27840 smpeg-gtv_0.4.5+cvs20030824-2.2_i386.deb
Checksums-Sha256: 
 a8af2345419442d295a856b4bb3cffbb68921f23a84a497445e45a82af16fd47 1259 smpeg_0.4.5+cvs20030824-2.2.dsc
 ab67470c7659eb91076f93184e2ada6300d9f1159c0d9c518f7d7a3221cf1fd7 309907 smpeg_0.4.5+cvs20030824-2.2.diff.gz
 dae6f3dd0cf0dc0d7d4ad07e581910d96d471f738345552bcd9edd9d77cc41c3 103328 libsmpeg0_0.4.5+cvs20030824-2.2_i386.deb
 8c84a4841bc14bef8149b86518965976b0d7b8e00c2b1cd9186507f7e6b13eda 115392 libsmpeg-dev_0.4.5+cvs20030824-2.2_i386.deb
 df2dcdfaecd6ae7131f270cb5634d3f8e2b4ba41425fe751ae18d0aee3ee0335 23960 smpeg-plaympeg_0.4.5+cvs20030824-2.2_i386.deb
 262306a3c9c7da179f2dce228f4401613673e66fa279195653e42b42966acbdf 27840 smpeg-gtv_0.4.5+cvs20030824-2.2_i386.deb
Files: 
 1045ef81a115993ed6fa4ccdd558e0fc 1259 libs optional smpeg_0.4.5+cvs20030824-2.2.dsc
 74bacab2f3ec2bede8649e38c376b2e3 309907 libs optional smpeg_0.4.5+cvs20030824-2.2.diff.gz
 c6ea64e535c527056113d958597c9cfa 103328 libs optional libsmpeg0_0.4.5+cvs20030824-2.2_i386.deb
 5676ddd82c120fbd36154542d8b94dc8 115392 libdevel optional libsmpeg-dev_0.4.5+cvs20030824-2.2_i386.deb
 a74faa8b727a819c31c6f4770567a07e 23960 graphics optional smpeg-plaympeg_0.4.5+cvs20030824-2.2_i386.deb
 4e16844914a73a4de52d959dafa8b5b0 27840 graphics optional smpeg-gtv_0.4.5+cvs20030824-2.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIx3cpwrB5/PXHUlYRAmYKAJ4+uEbNf/jKuxq4iuM+hdc0exHjYACaApoh
WcLFGKilus7Db2TRQT8vqQA=
=nPl2
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Oct 2008 07:31:33 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:15:20 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.