NetBSD Problem Report #51490
From gcw@primenet.com.au Tue Sep 20 06:10:21 2016
Return-Path: <gcw@primenet.com.au>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 010467A166
for <gnats-bugs@gnats.NetBSD.org>; Tue, 20 Sep 2016 06:10:20 +0000 (UTC)
Message-Id: <20160920061014.28220.qmail@g.primenet.com.au>
Date: 20 Sep 2016 16:10:14 +1000
From: gcw@primenet.com.au
Reply-To: gcw@primenet.com.au
To: gnats-bugs@NetBSD.org
Subject: python (2.7) crashes running certbot unless PaX MPROTECT is disabled
X-Send-Pr-Version: 3.95
>Number: 51490
>Category: pkg
>Synopsis: python (2.7) needs PaX MPROTECT disabled for some programs
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 20 06:15:00 +0000 2016
>Closed-Date: Tue Jun 13 15:58:08 +0000 2017
>Last-Modified: Tue Jun 13 15:58:08 +0000 2017
>Originator: gcw@primenet.com.au
>Release: NetBSD 7.99.36
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 7.99.36 NetBSD 7.99.36 (F) #4: Mon Sep 12 18:53:33 AEST 2016 gcw@g.primenet.com.au:/obj/OBJDIR64/sys/arch/amd64/compile/F amd64
Architecture: x86_64
Machine: amd64
>Description:
Running certbot (security/py-cerbot) crashes python unless
PaX mprotect is disabled.
(Have not checked how well other python versions run).
>How-To-Repeat:
Install certbot, get some certs and run "certbot renew".
>Fix:
Index: lang/python27/Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/lang/python27/Makefile,v
retrieving revision 1.67
diff -u -r1.67 Makefile
--- lang/python27/Makefile 26 Jul 2016 16:45:33 -0000 1.67
+++ lang/python27/Makefile 20 Sep 2016 05:56:31 -0000
@@ -213,6 +213,8 @@
BUILDLINK_DEPMETHOD.readline= build
+NOT_PAX_MPROTECT_SAFE+= bin/python2.7
+
.include "../../archivers/bzip2/buildlink3.mk"
.include "../../devel/gettext-lib/buildlink3.mk"
.include "../../devel/libffi/buildlink3.mk"
>Release-Note:
>Audit-Trail:
From: Joerg Sonnenberger <joerg@bec.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX
MPROTECT is disabled
Date: Thu, 22 Sep 2016 02:35:19 +0200
On Tue, Sep 20, 2016 at 06:15:00AM +0000, gcw@primenet.com.au wrote:
> Running certbot (security/py-cerbot) crashes python unless
> PaX mprotect is disabled.
I'm strongly against this. Just because some modules are doing strange
things doesn't mean the main interpreter should get all the benefits
disabled.
Joerg
From: christos@zoulas.com (Christos Zoulas)
To: Joerg Sonnenberger <joerg@bec.de>, gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX MPROTECT is disabled
Date: Wed, 21 Sep 2016 23:00:30 -0400
On Sep 22, 2:35am, joerg@bec.de (Joerg Sonnenberger) wrote:
-- Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX MP
| On Tue, Sep 20, 2016 at 06:15:00AM +0000, gcw@primenet.com.au wrote:
| > Running certbot (security/py-cerbot) crashes python unless
| > PaX mprotect is disabled.
|
| I'm strongly against this. Just because some modules are doing strange
| things doesn't mean the main interpreter should get all the benefits
| disabled.
Yes, this is not acceptable. cvs update and re-install devel/py-cffi and
try it again.
christos
From: Geoff Wing <gcw@pobox.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/51490: python (2.7) crashes running certbot unless PaX
MPROTECT is disabled
Date: Sat, 24 Sep 2016 14:21:39 +1000
On Thursday 2016-09-22 03:05 +0000, Christos Zoulas output:
: Yes, this is not acceptable. cvs update and re-install devel/py-cffi and
: try it again.
py-certbot runs OK if there are no certs to renew. Haven't checked fully.
State-Changed-From-To: open->feedback
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 13 Jun 2017 15:54:02 +0000
State-Changed-Why:
Please retry with NetBSD > 7.99.73 and libffi-3.2.1nb3. I believe joerg has fixed this with the following commits:
http://mail-index.netbsd.org/source-changes/2017/05/06/msg084237.html
http://mail-index.netbsd.org/pkgsrc-changes/2017/05/26/msg157302.html
State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 13 Jun 2017 15:58:08 +0000
State-Changed-Why:
Didn't read the reply which said py-certbot already works. other programs using python were also suffering from it, and the commit fixes those, too. (I had issues with 'meld')
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.