GPG binary is marked PT_GNU_STACK RWE
Closed, Resolved, Public

Description

Release: 1.4.0

Environment

Linux, Fedora Core Rawhide, x86

Description

The gpg binary is marked PT_GNU_STACK RWE.
This creates trouble when it is to be used in an environment that places restrictions on executable stack. One such environment is the SELinux strict policy in Fedora Core.

I believe as of today (March 10) Fedora patched this
in their own rpm to not require executable stack, but
it has been advised on gpg-devel that gpg must be checked
on all architectures to verify whether it requires exec-stack or not.

Attaching Fedora's SRPM patch.

Release Note

Option --enable-noexecstack added to CVS released with 1.4.1

werner added a subscriber: werner. Mar 10 2005, 12:14 PM

We can implement this with an extra configure option.

The better solution would be to come up with an autoconf
test to check whether as(1) understands the noexecstack option.

I implemented a configure option --enable-noexecstack and did some tests on ia32 with mpih-add1.S:

Without the option there is no ".note.GNU-stack" section in the object file at all. I am not sure what the runtime loader does with it.

With --execstack passed to as, that section is there and flagged as executable.

With --noexecstack passed to as, that section is there but not flagged as executable. As expected.

It seems that the missing section indicates an executable stack as proved by readelf -l gpg | grep STACK:
STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE x4
With the option in place the last line reads:
STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW x4

Added configure option for now
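The readelf check above can be automated so a build or packaging step fails when a binary would get an executable stack. The following is an added example, not GnuPG code: it reads the ELF program headers directly, reports the PT_GNU_STACK flags, and treats a missing header as executable, which is the behaviour the tests above observed. It handles both ELF32 and ELF64; build_elf32 constructs a minimal x86 image purely for testing.

```python
"""Report whether an ELF image is marked PT_GNU_STACK RWE (or lacks the header)."""
import struct

PT_GNU_STACK = 0x6474E551          # p_type value assigned by the GNU ABI
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits, printed by readelf as E, W, R


def gnu_stack_flags(data):
    """Return the PT_GNU_STACK flags as readelf prints them, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42/44
        phoff, = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        phdr_fmt, type_idx, flags_idx = endian + "IIIIIIII", 0, 6  # flags is 7th field
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54/56
        phoff, = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        phdr_fmt, type_idx, flags_idx = endian + "IIQQQQQQ", 0, 1  # flags follows type
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            f = ph[flags_idx]
            return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if f & bit)
    return None


def stack_is_executable(data):
    """True when the loader would give this binary an executable stack:
    either the header says RWE, or there is no PT_GNU_STACK header at all."""
    flags = gnu_stack_flags(data)
    return flags is None or "E" in flags


def build_elf32(stack_flags=None):
    """Constructed minimal little-endian ELF32/EM_386 image for testing only:
    a 52-byte header plus an optional PT_GNU_STACK entry carrying stack_flags."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    # e_type=ET_EXEC, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff,
    # e_flags, e_ehsize=52, e_phentsize=32, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                      52, 32, len(phdrs) // 32, 0, 0, 0)
    return hdr + phdrs


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(sys.argv[1], gnu_stack_flags(blob), "executable" if stack_is_executable(blob) else "ok")
```

Run it on a real binary with `python3 check_stack.py /path/to/gpg`; a result of `RWE` or `None` is what the SELinux strict policy described in the report will reject.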

ivg2@cornell.edu reported success with 1.4.1

werner closed this task as Resolved. Apr 20 2005, 4:35 PM