NetBSD Problem Report #51490

From gcw@primenet.com.au  Tue Sep 20 06:10:21 2016
Return-Path: <gcw@primenet.com.au>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 010467A166
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 20 Sep 2016 06:10:20 +0000 (UTC)
Message-Id: <20160920061014.28220.qmail@g.primenet.com.au>
Date: 20 Sep 2016 16:10:14 +1000
From: gcw@primenet.com.au
Reply-To: gcw@primenet.com.au
To: gnats-bugs@NetBSD.org
Subject: python (2.7) crashes running certbot unless PaX MPROTECT is disabled 
X-Send-Pr-Version: 3.95

>Number:         51490
>Category:       pkg
>Synopsis:       python (2.7) needs PaX MPROTECT disabled for some programs
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 20 06:15:00 +0000 2016
>Closed-Date:    Tue Jun 13 15:58:08 +0000 2017
>Last-Modified:  Tue Jun 13 15:58:08 +0000 2017
>Originator:     gcw@primenet.com.au
>Release:        NetBSD 7.99.36
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 7.99.36 NetBSD 7.99.36 (F) #4: Mon Sep 12 18:53:33 AEST 2016 gcw@g.primenet.com.au:/obj/OBJDIR64/sys/arch/amd64/compile/F amd64
Architecture: x86_64
Machine: amd64
>Description:
	Running certbot (security/py-cerbot) crashes python unless
	PaX mprotect is disabled.

	(Have not checked how well other python versions run).
>How-To-Repeat:
	Install certbot, get some certs and run "certbot renew".
>Fix:

Index: lang/python27/Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/lang/python27/Makefile,v
retrieving revision 1.67
diff -u -r1.67 Makefile
--- lang/python27/Makefile	26 Jul 2016 16:45:33 -0000	1.67
+++ lang/python27/Makefile	20 Sep 2016 05:56:31 -0000
@@ -213,6 +213,8 @@

 BUILDLINK_DEPMETHOD.readline=		build

+NOT_PAX_MPROTECT_SAFE+=	bin/python2.7
+
 .include "../../archivers/bzip2/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
 .include "../../devel/libffi/buildlink3.mk"

>Release-Note:

>Audit-Trail:
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX
 MPROTECT is disabled
Date: Thu, 22 Sep 2016 02:35:19 +0200

 On Tue, Sep 20, 2016 at 06:15:00AM +0000, gcw@primenet.com.au wrote:
 > 	Running certbot (security/py-cerbot) crashes python unless
 > 	PaX mprotect is disabled.

 I'm strongly against this. Just because some modules are doing strange
 things doesn't mean the main interpreter should get all the benefits
 disabled.

 Joerg

From: christos@zoulas.com (Christos Zoulas)
To: Joerg Sonnenberger <joerg@bec.de>, gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX MPROTECT is disabled
Date: Wed, 21 Sep 2016 23:00:30 -0400

 On Sep 22,  2:35am, joerg@bec.de (Joerg Sonnenberger) wrote:
 -- Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX MP

 | On Tue, Sep 20, 2016 at 06:15:00AM +0000, gcw@primenet.com.au wrote:
 | > 	Running certbot (security/py-cerbot) crashes python unless
 | > 	PaX mprotect is disabled.
 | 
 | I'm strongly against this. Just because some modules are doing strange
 | things doesn't mean the main interpreter should get all the benefits
 | disabled.

 Yes, this is not acceptable. cvs update and re-install devel/py-cffi and
 try it again.

 christos

From: Geoff Wing <gcw@pobox.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX
 MPROTECT is disabled
Date: Sat, 24 Sep 2016 14:21:39 +1000

 On Thursday 2016-09-22 03:05 +0000, Christos Zoulas output:
 : Yes, this is not acceptable. cvs update and re-install devel/py-cffi and
 : try it again.

 py-certbot runs OK if there are no certs to renew.  Haven't checked fully.

State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 13 Jun 2017 15:54:02 +0000
State-Changed-Why:
Please retry with NetBSD > 7.99.73 and libffi-3.2.1nb3. I believe joerg has fixed this with the following commits:
http://mail-index.netbsd.org/source-changes/2017/05/06/msg084237.html
http://mail-index.netbsd.org/pkgsrc-changes/2017/05/26/msg157302.html


State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 13 Jun 2017 15:58:08 +0000
State-Changed-Why:
Didn't read the reply which said py-certbot already works. other programs using python were also suffering from it, and the commit fixes those, too. (I had issues with 'meld')


>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.