Lintian and Executable Stacks

Debian has a program called Lintian that is used to search for common bugs in Debian packages. When it encounters a package with a shared object that requests an executable stack (as described in my previous post about executable stacks and shared objects [1]) it gives a warning such as the following:
W: liblzo1: shlib-with-executable-stack usr/lib/liblzo.so.1.0.0

Lintian is run automatically on Debian servers and has a web site at http://lintian.debian.org/. You can search the site for all packages which have such executable stacks [2].

Of all the packages listed I have only two installed on my system, liblzo1 and libsmpeg0, both of which I had already discovered and for which I had built new versions with the correct stack settings (I’ll publish an APT repository shortly). For the rest I am not sure whether they are really bugs. The ones that concern me are xserver-xorg-video-nsc (we don’t want a stack-smashing attack on something as important as an X server) and the C libraries libuclibc0 and dietlibc, which may cause many programs to run with an executable stack.

The above URL shows that libffcall1 [4] has this problem (as Eddy discovered [5]). Eddy filed Debian bug report 445895 [6] about this problem (I have just updated the bug report with a patch to make it work on i386).

Linda (an alternative to Lintian) does not currently warn about this. I have filed Debian bug report 445826 about this [3].
