Public bug reported:

This bug is against squid3 for now, but this may be a bug in the build hardening options.

3.1.19-1ubuntu3 reinstated compiler hardening options such that PIE and BIND_NOW are in effect. This can be seen with 'hardening-check':

  $ mkdir /tmp/squid3-old
  $ cd /tmp/squid3-old
  $ dpkg-deb -x /tmp/squid3_3.1.19-1ubuntu3_amd64.deb files
  $ hardening-check ./files/usr/sbin/squid3
  ./files/usr/sbin/squid3:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: yes

However, 3.1.19-1ubuntu3.12.04.1 lost PIE and BIND_NOW, even though the only change was to the upstart job (see attached debdiff):

  $ mkdir /tmp/squid3-new
  $ cd /tmp/squid3-new
  $ dpkg-deb -x /var/cache/apt/archives/squid3_3.1.19-1ubuntu2_amd64.deb files
  $ hardening-check ./files/usr/sbin/squid3
  ./files/usr/sbin/squid3:
   Position Independent Executable: no, normal executable!
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no not found!

Using readelf, we see that the ELF is not marked as DYN (dynamic):

  $ readelf -lW /tmp/squid3-new/files/usr/sbin/squid3 |grep 'Elf file type'
  Elf file type is EXEC (Executable file)

But the old one is:

  $ readelf -lW /tmp/squid3-old/files/usr/sbin/squid3 |grep 'Elf file type'
  Elf file type is DYN (Shared object file)

Comparing the build logs did not reveal anything significant that I could see.

** Affects: squid3 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1039593
Title: squid3 lost compiler hardening options in last update, but shouldn't have
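The report checks two properties by hand: whether the ELF type is DYN (which is what makes a PIE) and whether immediate binding (BIND_NOW) is set. The following script, added here as an example and not part of the Launchpad report or of the hardening-check tool, reads those same facts straight from the ELF64 headers instead of going through readelf: the e_type field for PIE, PT_GNU_RELRO in the program headers for read-only relocations, and DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic section for immediate binding. The function names and the synthetic ELF builder used for offline testing are assumptions of this example; the builder emits a constructed, non-executable image with only the headers the checker looks at.

```python
"""Minimal ELF64 hardening checker: PIE, BIND_NOW, RELRO.

Added example; not from the bug report or from hardening-check.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def elf_hardening_report(data: bytes) -> dict:
    """Return {"pie", "bind_now", "relro"} for an ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"  # EI_DATA 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    # PIE binaries are linked as ET_DYN; a "normal executable" is ET_EXEC.
    report = {"pie": e_type == ET_DYN, "bind_now": False, "relro": False}

    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
        elif p_type == PT_GNU_RELRO:  # what "Read-only relocations" means
            report["relro"] = True

    # Immediate binding shows up as DT_BIND_NOW, DT_FLAGS:DF_BIND_NOW or
    # DT_FLAGS_1:DF_1_NOW in the dynamic section (any one is enough).
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN_SIZE):
            tag, val = struct.unpack_from(end + "qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                report["bind_now"] = True
    return report


def build_synthetic_elf(pie: bool, bind_now: bool, relro: bool) -> bytes:
    """Constructed, non-runnable ELF64 image carrying only the headers the
    checker reads; used so the example can be exercised without a real binary."""
    phnum = 2 if relro else 1
    dyn_off = EHDR_SIZE + PHDR_SIZE * phnum
    entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR_SIZE, 0,
        0, EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, dyn_off,
                             dyn_off, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn


def describe(report: dict) -> str:
    """Render the report in the same spirit as hardening-check's output."""
    return "\n".join([
        " Position Independent Executable: " + ("yes" if report["pie"] else "no, normal executable!"),
        " Read-only relocations: " + ("yes" if report["relro"] else "no"),
        " Immediate binding: " + ("yes" if report["bind_now"] else "no"),
    ])


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 elfcheck.py ./files/usr/sbin/squid3
        with open(sys.argv[1], "rb") as fh:
            print(describe(elf_hardening_report(fh.read())))
    else:  # demo on constructed images: the "old" and the regressed build
        print(describe(elf_hardening_report(build_synthetic_elf(True, True, True))))
        print(describe(elf_hardening_report(build_synthetic_elf(False, False, True))))
```

Run it against the extracted binaries from both packages to confirm the regression independently of hardening-check; the combination relro=True with bind_now=False is exactly the "partial RELRO" state the second package is in, since full RELRO needs both the PT_GNU_RELRO segment and immediate binding.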