GPG binary is marked PT_GNU_STACK RWE
Closed, Resolved (Public)

Description

Release: 1.4.0

Environment

Linux, Fedora Core Rawhide, x86

Description

The gpg binary is marked PT_GNU_STACK RWE.
This creates trouble when it is to be used in an environment that places restrictions on executable stack. One such environment is the SELinux strict policy in Fedora Core.

I believe as of today (March 10) Fedora patched this
in their own rpm to not require executable stack, but
it has been advised on gpg-devel that gpg must be checked
on all architectures to verify whether it requires exec-stack or not.

Attaching Fedora's SRPM patch.

Release Note

Option --enable-noexecstack added to CVS; released with 1.4.1

Event Timeline

We can implement this with an extra configure option.

The better solution would be to come up with an autoconf
test to check whether as(1) understands the noexecstack option.

I implemented a configure option --enable-noexecstack and did some tests on ia32 with mpih-add1.S:

Without the option there is no ".note.GNU-stack" section in the object file at all. I am not sure what the runtime loader does with it.

With --execstack passed to as, that section is there and flagged as executable.

With --noexecstack passed to as, that section is there but not flagged as executable. As expected.

It seems that the missing section indicates an executable stack, as proved by readelf -l gpg | grep STACK:

    STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE x4

With the option in place the last line reads:

    STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW x4
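The readelf check above can be reproduced without the binutils tools by reading the PT_GNU_STACK program header directly. The following is an added example, not code from the GnuPG tracker or the gpg sources; it parses ELF32/ELF64 program headers, reports the R/W/E flags the same way readelf does, and treats a missing PT_GNU_STACK entry as the executable-stack case the comment describes. The make_elf64 helper builds constructed minimal images so the checker can be exercised offline.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551         # p_type GNU toolchains use to carry stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # p_flags bits

def stack_flags(elf: bytes):
    """Return the p_flags of the PT_GNU_STACK header, or None if there is none
    (the state the report ties to an executable stack)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags come first
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:      # Elf32_Phdr: p_flags sits at offset 24
            p_type, = struct.unpack_from(end + "I", elf, off)
            p_flags, = struct.unpack_from(end + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def describe(elf: bytes) -> str:
    """Render the stack permissions like the flags column of readelf -l."""
    flags = stack_flags(elf)
    if flags is None:
        return "no PT_GNU_STACK (executable stack assumed)"
    return ("R" if flags & PF_R else "") + ("W" if flags & PF_W else "") + ("E" if flags & PF_X else "")

def make_elf64(flags=None) -> bytes:
    """Constructed minimal ELF64 little-endian image whose only program header
    is a PT_GNU_STACK entry with the given flags (none if flags is None)."""
    phnum = 0 if flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 if phnum else 0, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # usage: python check_stack.py /path/to/gpg
    with open(sys.argv[1], "rb") as f:
        print(describe(f.read()))
```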

Added configure option for now

ivg2@cornell.edu reported success with 1.4.1