Please re-enable PIE and BIND_NOW

Bug #1039604 reported by Jamie Strandboge
This bug affects 1 person
Affects          Status         Importance  Assigned to              Milestone
totem (Ubuntu)   Fix Released   Medium      Mathieu Trudel-Lapierre
Precise          Won't Fix      Medium      Unassigned
Quantal          Fix Released   Medium      Mathieu Trudel-Lapierre

Bug Description

Ubuntu 11.10 added hardening options to totem, but Ubuntu 12.04 and 12.10 lost PIE and BIND_NOW. These are important compiler hardening features that help protect users from malicious content.

This can be seen with the hardening check command:
/tmp/built-binaries-74x5kX/totem/usr/bin/totem-video-thumbnailer:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found! (ignored)
 Immediate binding: no, not found!
/tmp/built-binaries-74x5kX/totem/usr/bin/totem-audio-preview:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found! (ignored)
 Immediate binding: no, not found!
/tmp/built-binaries-74x5kX/totem/usr/bin/totem:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found! (ignored)
 Immediate binding: no, not found!
/tmp/built-binaries-74x5kX/totem/usr/lib/totem/totem-plugin-viewer:
 Position Independent Executable: no, normal executable!
 Immediate binding: no, not found!

(the stack-protector check can be ignored since it depends on the code having certain characteristics).

tags: added: regression-release
Changed in totem (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in totem (Ubuntu Precise):
importance: Undecided → Medium
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package totem - 3.4.3-0ubuntu4

---------------
totem (3.4.3-0ubuntu4) quantal; urgency=low

  * debian/rules: re-enable hardening, make sure both PIE and BINDNOW are used
    by setting hardening=+all. (LP: #1039604)
  * debian/control.in: add dpkg-dev (>= 1.16.1.1) to Build-Depends.
 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 18 Sep 2012 12:22:15 -0400

Changed in totem (Ubuntu Quantal):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in totem (Ubuntu Precise):
status: Triaged → Won't Fix