classification
Title: Python 3.6 compiler protections from Ubuntu distros
Type: security
Stage: resolved
Components: Build
Versions: Python 3.6

process
Status: closed
Resolution: third party
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, hpawdjit
Priority: normal
Keywords:

Created on 2020-01-14 18:25 by hpawdjit, last changed 2020-01-14 18:29 by benjamin.peterson. This issue is now closed.

Messages (2)
msg359986 - Author: Jason Culligan (hpawdjit) Date: 2020-01-14 18:25
The python3.6 binary supplied in Ubuntu distros is not compiled with Position Independent Code (PIE) protection enabled.  Python2 does.  Is this not seen as a problem?

Example 1:
(checksec)
============

FILE:	/usr/bin/python2
RELRO:	Full RELRO
STACK CANARY:	Canary found
NX:	NX enabled
PIE:	PIE enabled <<<
RPATH:	No RPATH
RUNPATH:	No RUNPATH
Symbols:	No Symbols
FORTIFY:	Yes
Fortified:	14
Fortifiable:	32


FILE:	/usr/bin/python3.6
RELRO:	Partial RELRO <<< ISSUE >>>
STACK CANARY:	Canary found
NX:	NX enabled
PIE:	No PIE <<< ISSUE >>>
RPATH:	No RPATH
RUNPATH:	No RUNPATH
Symbols:	No Symbols
FORTIFY:	Yes
Fortified:	18
Fortifiable:	42


Example 2:
============

$ hardening-check /usr/bin/python2
/usr/bin/python2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

$ hardening-check /usr/bin/python3.6
/usr/bin/python3.6:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

msg359987 - Author: Benjamin Peterson (benjamin.peterson) (Python committer) Date: 2020-01-14 18:29
You should take it up on the Ubuntu issue tracker.

History
Date | User | Action | Args
2020-01-14 18:29:23 | benjamin.peterson | set | status: open -> closed; nosy: + benjamin.peterson; messages: + msg359987; resolution: third party; stage: resolved
2020-01-14 18:25:50 | hpawdjit | create |