Debian has a program called Lintian that is used to search for common bugs in Debian packages. When it encounters a package with a shared object that requests an executable stack (as described in my previous post about executable stacks and shared objects [1]) it gives a warning such as the following:
W: liblzo1: shlib-with-executable-stack usr/lib/liblzo.so.1.0.0
Lintian is run automatically on Debian servers and has a web site at http://lintian.debian.org/. You can search the site for all packages which have such executable stacks [2].
Of all the packages listed I have only two installed on my system, liblzo1 and libsmpeg0, both of which I had already discovered and built new versions of with the correct stack settings (I’ll publish an APT repository shortly). For the rest I am not sure whether they are really bugs. The ones that concern me are xserver-xorg-video-nsc (we don’t want a stack smashing attack on something as important as an X server) and the C libraries libuclibc0 and dietlibc, which may cause many programs to run with an executable stack.
The above URL shows that libffcall1 [4] has this problem (as Eddy discovered [5]). Eddy filed Debian bug report 445895 [6] about this problem (I have just updated the bug report with a patch to make it work on i386).
Linda (an alternative to Lintian) does not currently warn about this. I have filed Debian bug report 445826 about this [3].
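To check a locally built library for the same condition, the following added example (not Lintian's own code and not from the original post) reads the ELF program headers and reports whether the PT_GNU_STACK entry has its execute bit set. The function names and the header-only sample image are constructed for illustration; real shared objects can be passed as command-line arguments.

```python
import struct
import sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if there is none."""
    if elf[:4] != b"\x7fELF" or len(elf) < 0x34:
        raise ValueError("not an ELF file")
    if elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    end = "<" if elf[5] == 1 else ">"
    if elf[4] == 2:  # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
        flags_at = 4   # Elf64_Phdr: p_type, p_flags, ...
    else:            # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        flags_at = 24  # Elf32_Phdr: p_flags follows p_memsz
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", elf, base + flags_at)[0]
    return None

def classify(elf: bytes) -> str:
    flags = stack_flags(elf)
    if flags is None:
        return "no PT_GNU_STACK"  # left to the kernel's architecture default
    return "executable stack" if flags & PF_X else "non-executable stack"

def sample_elf64(stack_p_flags=None) -> bytes:
    """Constructed ELF64 headers only (sample input, not a loadable library)."""
    phdrs = [struct.pack("<II48x", 1, 5)]  # PT_LOAD, r-x, remaining fields zero
    if stack_p_flags is not None:
        phdrs.append(struct.pack("<II48x", PT_GNU_STACK, stack_p_flags))
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # shared objects to check
        print(path, classify(Path(path).read_bytes()))
    for flags in (7, 6, None):  # constructed samples: rwx, rw-, header absent
        print("sample", flags, classify(sample_elf64(flags)))
```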
- [1] http://etbe.coker.com.au/2007/10/07/executable-stack-and-shared-objects/
- [2] http://lintian.debian.org/reports/Tshlib-with-executable-stack.html
- [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445826
- [4] http://lintian.debian.org/reports/mHubert_Chan.html#libffcall1
- [5] http://ramblingfoo.blogspot.com/2007/10/selinux-is-enabled-now-what.html
- [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445895
[…] This entry was posted on Wednesday, October 10th, 2007 at 8:00 pm, for similar articles see the category Security. […]