Please re-enable PIE and BIND_NOW

Bug #1039618 reported by Jamie Strandboge
This bug affects 2 people
Affects                  Status        Importance  Assigned to  Milestone
postgresql-9.1 (Ubuntu)  Fix Released  High        Martin Pitt
Precise                  Won't Fix     Undecided   Unassigned
Quantal                  Fix Released  High        Martin Pitt

Bug Description

Older versions of postgresql were compiled with PIE and BIND_NOW. Unfortunately, these were lost in 12.04. E.g., output from hardening-check:
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_resetxlog:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_ctl:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_test_fsync:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_controldata:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/postgres:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/pg_upgrade:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/initdb:
 Position Independent Executable: no, normal executable!
/tmp/built-binaries-Kngdmo/postgresql-9.1/usr/lib/postgresql/9.1/bin/postmaster:
 Position Independent Executable: no, normal executable!
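
The two properties named in this report can be read directly from a binary's ELF headers: PIE shows up as `e_type == ET_DYN`, and BIND_NOW as a flag in the `PT_DYNAMIC` segment. The sketch below is an added example, not part of the original report and not hardening-check's own code; `check_elf` and `sample_elf64` are hypothetical names, the sample images are constructed, and the PIE test (ET_DYN plus a PT_INTERP header) is a simplification.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf(data):
    """Return {'pie': bool, 'bind_now': bool} for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    has_interp, bind_now = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn = end + ("QQ" if is64 else "II")
            for tag, val in struct.iter_unpack(dyn, data[p_offset:p_offset + p_filesz]):
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    # ET_EXEC loads at a fixed address; ET_DYN with an interpreter is treated as PIE.
    return {"pie": e_type == ET_DYN and has_interp, "bind_now": bind_now}

def sample_elf64(e_type, dyn):
    """Constructed minimal little-endian ELF64 image (headers only, not loadable)."""
    dynamic = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    interp = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    dynhdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0, 0, len(dynamic), len(dynamic), 8)
    return ehdr + interp + dynhdr + dynamic
```

To check an installed binary, pass `open(path, "rb").read()` to `check_elf`; a result of `{'pie': False, ...}` corresponds to the "no, normal executable!" lines above.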

tags: added: regression-release
Martin Pitt (pitti) wrote :

I checked the binaries in sid, and they are fine. The only difference in dpkg-buildflags between sid and quantal is that Ubuntu adds -Wl,-Bsymbolic-functions, but that seems unrelated.

So something else in our build chain must be different, I'll have a closer look.

Changed in postgresql-9.1 (Ubuntu Quantal):
importance: Undecided → High
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Martin Pitt (pitti) wrote :

I compared the gcc command lines for postgres.c between Debian's and Ubuntu's i386 builds. For the compilation stage (-c) there are no significant differences (just the path of the build directories, which appear in -I). For linking, the difference is that Ubuntu drops "-L/usr/lib" and "-lxslt -lxml2 -lpam -lssl -lcrypto -lkrb5 -lcom_err -lgssapi_krb5", which seems to come from Ubuntu doing the -Wl,--as-needed linking option by default, and Ubuntu adding "-Wl,-Bsymbolic-functions" which comes from our changed dpkg-buildflags as I pointed out in the previous comment.

Neither Ubuntu nor Debian use -pie, but they both use -fPIC during compiling and linking.

Martin Pitt (pitti) wrote :

Argh, I know why: In my sid chroot I have the hardening-wrapper package installed, which silently adds the -pie flag for us. Since we now build-depend on "dpkg-dev (>= 1.16.1~) | hardening-wrapper,", hardening-wrapper does not get installed any more for precise and quantal.

It seems I even attempted that in the past:

postgresql-9.1 (9.1.3-2) unstable; urgency=low

  * debian/control, debian/rules: Support and prefer dpkg-buildflags when
    building with dpkg-dev >= 1.16.1~. Fall back to hardening-wrapper
    otherwise, to keep supporting backports.
  * debian/rules: Build with "-z now" for some extra hardening. We can't use
    the full "hardening=+all", as PIE causes build failures.

I'll take another look at the build failures again.

Martin Pitt (pitti) wrote :
Changed in postgresql-9.1 (Ubuntu Quantal):
assignee: Martin Pitt (pitti) → nobody
status: In Progress → Fix Committed
assignee: nobody → Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Precise):
status: New → Triaged
Martin Pitt (pitti)
Changed in postgresql-9.1 (Ubuntu Quantal):
milestone: none → ubuntu-12.10-beta-1
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.1 - 9.1.5-2

---------------
postgresql-9.1 (9.1.5-2) unstable; urgency=low

  * debian/rules: Re-enable hardening functions (regression from 9.1.3-2 when
    hardening-wrapper is not installed). Use "hardening=all", but disable
    "pie" (as that's not compatible with -fPIC) and add -pie to CFLAGS
    explicitly. Also drop the explicit "-Wl,-z,now" linker option, as this is
    now implied with "all". (LP: #1039618)
  * Fix upgrades from older 9.1 releases in stable Ubuntu -updates/-security
    releases. The strict "<< 9.1.4-2~" check for moving pg_basebackup.1.gz is
    not sufficient, as Ubuntu stables have newer upstream releases by now.
    - debian/control: Move Breaks/Replaces: from static version to
      ${binary:Version}.
    - debian/postgresql-9.1.preinst: Also fix the alternatives when upgrading
      from a -0something version.
    - (LP: #1043449)

 -- Martin Pitt <email address hidden> Fri, 31 Aug 2012 09:54:27 +0200

Changed in postgresql-9.1 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in postgresql-9.1 (Ubuntu Precise):
status: Triaged → Won't Fix