On Mon, Nov 13, 2023 at 11:07:19AM +0000, Aoife Moloney wrote:
> == Scope ==
> * Proposal owners:
> Enable the 'error_for_executable_stacks' and 'error_for_rwx_segments'
> optional features in the binutils.spec file and then rebuild the
> binutils.
> 
> Following that a system wide rebuild will be needed in order for the
> change to have a chance to take effect and cause vulnerable packages
> to fail to build.  Any packages that fail to build because of the
> change will need to be updated to either remove the cause of the
> problem or else add an extra command line option to be passed to the
> linker to disable the new feature.
> 
> * Other developers:
> Other developers will only be affected if their package(s) fail to
> build with the new linker.  In this case the developer will need to
> decide if the security vulnerability is actually needed by their
> package, and if so add a linker command line option to turn off the
> error, or if the vulnerability is not needed then fix their code so
> that the problem is removed.
> 
> It is known that this change will affect the edk2, glibc and grub2
> packages.  Their owners will be contacted to assist them in deciding
> how they wish to resolve the problems specific to their packages.

Looking at SELinux policy, there are a fair few other things that
have 'execstack' permission allowed in their policy, which presumably
implies they'll be impacted by the linkage change (either directly or
via some library they utilize).


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
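
As an added example (not part of the original message, and not binutils or Fedora code), the script below checks already-built ELF files for the two conditions the proposal targets: a `PT_GNU_STACK` program header marked executable, and a `PT_LOAD` segment that is readable, writable and executable at once. The names `audit_elf` and `sample_elf64` are hypothetical, and the sample input is constructed.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X

def audit_elf(data: bytes) -> list[str]:
    """Return findings for an ELF image: executable stack and RWX PT_LOAD segments."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                         # p_flags follows p_type in Elf64_Phdr
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                        # p_flags is the 7th word in Elf32_Phdr
    findings = []
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        p_flags, = struct.unpack_from(end + "I", data, base + flags_at)
        if p_type == PT_GNU_STACK and p_flags & PF_X:
            findings.append(f"phdr {i}: executable stack (PT_GNU_STACK has PF_X)")
        if p_type == PT_LOAD and (p_flags & RWX) == RWX:
            findings.append(f"phdr {i}: RWX PT_LOAD segment")
    return findings

def sample_elf64(segments):
    """Constructed input: minimal little-endian ELF64 header plus program headers."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
                     for p_type, p_flags in segments)
    return ehdr + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in audit_elf(fh.read()):
                print(f"{path}: {finding}")
```

Run over the binaries and shared libraries of an installed package, this gives a rough list of what would need attention; it inspects linked output only and does not reproduce the linker's own checks.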