NetBSD Problem Report #54555
From www@netbsd.org Tue Sep 17 16:43:46 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 90A967A156
for <gnats-bugs@gnats.NetBSD.org>; Tue, 17 Sep 2019 16:43:46 +0000 (UTC)
Message-Id: <20190917164345.6D94E7A1D6@mollari.NetBSD.org>
Date: Tue, 17 Sep 2019 16:43:45 +0000 (UTC)
From: jdbaker@consolidated.net
Reply-To: jdbaker@consolidated.net
To: gnats-bugs@NetBSD.org
Subject: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and text relocations on netbsd-9/i386
X-Send-Pr-Version: www-1.0
>Number: 54555
>Category: pkg
>Synopsis: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and text relocations on netbsd-9/i386
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 17 16:45:00 +0000 2019
>Closed-Date: Tue Oct 22 23:54:09 +0000 2019
>Last-Modified: Tue Oct 22 23:54:09 +0000 2019
>Originator: John D. Baker
>Release: NetBSD/i386-9.0_BETA, pkgsrc-HEAD (20190917, pending pkgsrc-2019Q3)
>Organization:
>Environment:
NetBSD slate.technoskunk.fur 9.0_BETA NetBSD 9.0_BETA (SLATE) #13: Sat Sep 14 02:41:22 CDT 2019 sysop@plex760.technoskunk.fur:/r0/build/netbsd-9/obj/i386/sys/arch/i386/compile/SLATE i386
>Description:
Following the update of "security/gnutls" to v3.6.9, the package itself
builds and installs, but when used later during other package builds,
it fails. E.g., while building "print/cups-base":
[...]
Generating localization strings...
/d0/build/pkgsrc/print/cups-base/work/.buildlink/lib/libgnutls.so.30: text relocations
/d0/build/pkgsrc/print/cups-base/work/.buildlink/lib/libgnutls.so.30: Cannot write-enable text segment: Permission denied
gmake[1]: *** [Makefile:191: genstrings] Error 1
gmake: *** [Makefile:38: all] Error 1
*** Error code 2
Stop.
make[1]: stopped in /d0/nbsd/pkgsrc/print/cups-base
*** Error code 1
Stop.
make: stopped in /d0/nbsd/pkgsrc/print/cups-base
The previous version did not exhibit this problem on i386.
>How-To-Repeat:
Update to gnutls-3.6.9 on NetBSD/i386-9.0_BETA (also HEAD and probably
8.x as well).
Attempt to run anything that uses "libgnutls.so.30", such as building
"print/cups-base".
>Fix:
Workaround: for the case of "print/cups-base", run 'make configure'
then edit ${WRKSRC}/ppdc/Makefile "genstrings" target to include:
paxctl +m .libs/genstrings
after the link command (before the message "Generating localization
strings").
Probably need something similar for any package that builds a local tool
linked against libgnutls.so*.
>Release-Note:
>Audit-Trail:
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386
Date: Thu, 19 Sep 2019 18:04:22 -0500 (CDT)
The following patch allows "print/cups-base" to build on i386:
+--- ppdc/Makefile.orig 2019-08-15 17:35:30.000000000 -0500
++++ ppdc/Makefile 2019-09-19 17:34:22.771779431 -0500
+@@ -189,6 +189,7 @@ genstrings: genstrings.o libcupsppdc.a
+ $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o genstrings genstrings.o \
+ libcupsppdc.a ../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) \
+ $(DNSSDLIBS) $(COMMONLIBS) $(LIBZ)
++ paxctl +m .libs/$@
+ echo Generating localization strings...
+ ./genstrings >sample.c
+
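Review bot: The added "paxctl +m .libs/$@" line marks ".libs/genstrings", while the link command just above writes "-o genstrings" and the recipe then runs "./genstrings"; nothing in this hunk shows what creates ".libs/genstrings", so if that file is absent paxctl fails and the target stops. The call is also unconditional, so the recipe breaks on any platform that has no paxctl. Suggest guarding the line (run it only when paxctl and ".libs/$@" both exist) and adding a comment that it is a temporary workaround for the text relocations in libgnutls.so.30, since it switches off PaX MPROTECT for this build tool instead of removing the relocations.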
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386
Date: Sun, 29 Sep 2019 10:48:50 -0500 (CDT)
On i386-current (9.99.12), "gimp", "sane-frontends" and "xsane" all fail
in the configure phase claiming not to have found "glib-networking"
(gimp example):
checking for glib-networking (GIO TLS implementation)... no
configure: Eeeeeeeeeeeeeeeeeeeeek! Missing dep: glib-networking
[...]
Error: GIMP configuration failed.
- Error: missing dependency glib-networking
*** Test for glib-networking failed. This is required.
See the file 'INSTALL' for more help.
*** Error code 1
Stop.
make[1]: stopped in /x/pkgsrc/graphics/gimp
*** Error code 1
Stop.
make: stopped in /x/pkgsrc/graphics/gimp
although "glib-networking" is installed and up to date.
Looking at gimp's config.log file shows this is more i386-gnutls fallout
(PR pkg/54555):
[...]
configure:24128: checking for glib-networking (GIO TLS implementation)
configure:24148: gcc -o conftest -O2 -D_FORTIFY_SOURCE=2 -I/usr/pkg/include -I/usr/include -I/usr/X11R7/include/freetype2 -I/usr/X11R7/include -I/usr/pkg/include/glib-2.0 -I/usr/pkg/include/gio-unix-2.0 -I/usr/pkg/lib/glib-2.0/include -Wall -Wdeclaration-after-statement -Wmissing-prototypes -Werror=missing-prototypes -Wmissing-declarations -Winit-self -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wlogical-op -Wtype-limits -fno-common -fdiagnostics-show-option -Wreturn-type -I/usr/pkg/include -I/usr/pkg/include/glib-2.0 -I/usr/pkg/lib/glib-2.0/include -pthread -I/usr/pkg/include -I/usr/include -I/usr/X11R7/include/freetype2 -I/usr/X11R7/include -I/usr/pkg/include/glib-2.0 -I/usr/pkg/include/gio-unix-2.0 -I/usr/pkg/lib/glib-2.0/include -Wl,-E -L/usr/pkg/lib -Wl,-R/usr/pkg/lib -L/usr/lib -Wl,-R/usr/lib -L/usr/X11R7/lib -Wl,-R/usr/X11R7/lib conftest.c -lexecinfo -L/usr/pkg/lib -lgio-2.0 -lgobject-2.0 -lintl -Wl,-R/usr/pkg/lib -lglib-2.0 >&5
configure:24148: $? = 0
configure:24148: ./conftest
/usr/pkg/lib/libgnutls.so.30: text relocations
/usr/pkg/lib/libgnutls.so.30: Cannot write-enable text segment: Permission denied
Failed to load module: /usr/pkg/lib/gio/modules/libgiognutls.so
configure:24148: $? = 1
configure: program exited with status 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "GIMP"
| #define PACKAGE_TARNAME "gimp"
| #define PACKAGE_VERSION "2.10.12"
| #define PACKAGE_STRING "GIMP 2.10.12"
| #define PACKAGE_BUGREPORT "https://gitlab.gnome.org/GNOME/gimp/issues/new"
| #define PACKAGE_URL ""
| #define GIMP_PKGCONFIG_VERSION "2.0"
| #define GIMP_TOOL_VERSION "2.0"
| #define GETTEXT_PACKAGE "gimp20"
| #define HAVE_CXX14 1
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| #define LT_OBJDIR ".libs/"
| #define ARCH_X86 1
| #define STDC_HEADERS 1
| #define HAVE_SYS_WAIT_H 1
| #define TIME_WITH_SYS_TIME 1
| #define HAVE_EXECINFO_H 1
| #define HAVE_FCNTL_H 1
| #define HAVE_SYS_PARAM_H 1
| #define HAVE_SYS_TIME_H 1
| #define HAVE_SYS_TIMES_H 1
| #define HAVE_SYS_WAIT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_LIBEXECINFO 1
| #define HAVE_VPRINTF 1
| #define HAVE_ALLOCA 1
| #define HAVE_FSYNC 1
| #define HAVE_DIFFTIME 1
| #define HAVE_MMAP 1
| #define HAVE_LOCALE_H 1
| #define HAVE_LC_MESSAGES 1
| #define HAVE_BIND_TEXTDOMAIN_CODESET 1
| #define HAVE_GETTEXT 1
| #define HAVE_DCGETTEXT 1
| #define ENABLE_NLS 1
| /* end confdefs.h. */
| #include <gio/gio.h>
| int
| main ()
| {
| return !g_tls_backend_supports_tls (g_tls_backend_get_default ());
| ;
| return 0;
| }
configure:24159: result: no
configure:24164: Eeeeeeeeeeeeeeeeeeeeek! Missing dep: glib-networking
[...]
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386
Date: Mon, 30 Sep 2019 09:37:27 +0000
A commit in another package manager suggests an update to gnutls will
fix this issue.
State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Mon, 30 Sep 2019 09:51:54 +0000
State-Changed-Why:
please re-test
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54555 CVS commit: pkgsrc/security/gnutls
Date: Mon, 30 Sep 2019 09:51:16 +0000
Module Name: pkgsrc
Committed By: maya
Date: Mon Sep 30 09:51:16 UTC 2019
Modified Files:
pkgsrc/security/gnutls: Makefile distinfo
Added Files:
pkgsrc/security/gnutls/patches: patch-cfg.mk
patch-lib_accelerated_x86_elf_aesni-x86.s
Log Message:
gnutls: backport upstream commit to avoid text relocations on i386.
Regenerate asm files with -fPIC
PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.200 -r1.201 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.138 -r1.139 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-cfg.mk \
pkgsrc/security/gnutls/patches/patch-lib_accelerated_x86_elf_aesni-x86.s
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/54555 (security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386)
Date: Tue, 22 Oct 2019 12:39:20 -0500 (CDT)
On Mon, 30 Sep 2019, maya@NetBSD.org wrote:
> State-Changed-From-To: open->feedback
> State-Changed-By: maya@NetBSD.org
> State-Changed-When: Mon, 30 Sep 2019 09:51:54 +0000
> State-Changed-Why:
> please re-test
Following update and rebuilding gnutls, building cups-base succeeded
without needing the previously-posted patch.
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 22 Oct 2019 23:54:09 +0000
State-Changed-Why:
Confirmed fixed. thanks for freebsd ports for making me realize upstream has a fix for it while I idly read commits on other projects. thanks gnutls for actually fixing it. thanks debian for telling gnutls to fix it. thanks for reporting it.
>Unformatted:
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.