amavisd-milter is no longer built w/PIE and BINDNOW hardening

Bug #768713 reported by Steve Beattie
Affects                   Status         Importance   Assigned to   Milestone
amavisd-milter (Debian)   Fix Released   Unknown
amavisd-milter (Ubuntu)   Fix Released   Medium       Unassigned
  Natty                   Fix Released   Medium       Unassigned

Bug Description

Binary package hint: amavisd-milter

In maverick and earlier, amavisd-new-milter was built with the PIE and BINDNOW hardening options (see https://wiki.ubuntu.com/Security/HardeningWrapper and http://wiki.debian.org/Hardening). With the replacement of amavisd-new-milter by amavisd-milter, this hardening protection is gone.

To reproduce:
1) grab the hardening-check script from http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/built-binaries/hardening-check
2) unpack via dpkg-deb -x or install amavisd-milter
3) run the hardening-check script on (EXTRACTEDPATH)/usr/sbin/amavisd-milter
4) output should look like:
  /usr/sbin/amavisd-milter:
  Position Independent Executable: yes
  Stack protected: yes
  Fortify Source functions: yes
  Read-only relocations: yes
  Immediate binding: yes
however, without hardening-wrapper applied, it looks like:
  /usr/sbin/amavisd-milter:
  Position Independent Executable: no, normal executable!
  Stack protected: yes
  Fortify Source functions: yes
  Read-only relocations: yes
  Immediate binding: no, not found!

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: amavisd-milter 1.5.0-2
ProcVersionSignature: Ubuntu 2.6.38-8.42-server 2.6.38.2
Uname: Linux 2.6.38-8-server x86_64
Architecture: amd64
Date: Thu Apr 21 17:48:50 2011
InstallationMedia: Ubuntu-Server 11.04 "Natty Narwhal" - Alpha amd64 (20110211)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: amavisd-milter
UpgradeStatus: No upgrade log present (probably fresh install)
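
The PIE, read-only relocations and immediate binding lines in the output above come from fields in the ELF header, program headers and dynamic section. The following is an added example, not part of the bug report and not the hardening-check script's code; it is a simplified check for little-endian ELF64 only, and the names check_hardening, make_elf, HARDENED and REGRESSED are hypothetical, with the two sample images constructed inline rather than taken from the package.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E551
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 layouts


def check_hardening(elf: bytes) -> dict:
    """Report PIE, RELRO and BIND_NOW; ET_DYN also matches shared libraries."""
    if len(elf) < struct.calcsize(EHDR) or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    result = {"pie": e_type == ET_DYN, "relro": False, "bindnow": False}
    for i in range(e_phnum):  # a truncated file raises struct.error here
        ph = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            end = min(p_offset + p_filesz, len(elf))
            for off in range(p_offset, end - 15, 16):
                tag, val = struct.unpack_from(DYN, elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    result["bindnow"] = True
    return result


def make_elf(e_type: int, dyn_entries: list) -> bytes:
    """Constructed sample: ELF header, PT_DYNAMIC + PT_GNU_RELRO, dynamic section."""
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = 64 + 2 * 56  # header plus two program headers
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn


# Constructed sample images (not real binaries), mirroring the two outputs above
HARDENED = make_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)])
REGRESSED = make_elf(2, [])  # ET_EXEC with no BIND_NOW flag
```

On a real binary, pass the file's bytes (for example from the extracted /usr/sbin/amavisd-milter) to check_hardening.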

Steve Beattie (sbeattie) wrote :

Attached is a debdiff to fix it. Verified on amd64.

Micah Gersten (micahg)
Changed in amavisd-milter (Ubuntu Natty):
importance: Undecided → Medium
milestone: none → ubuntu-11.04
status: New → Confirmed
tags: added: regression-release
Marc Deslauriers (mdeslaur) wrote :

Patch looks good. ACK. Uploading to natty.

Changed in amavisd-milter (Ubuntu Natty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amavisd-milter - 1.5.0-2ubuntu1

---------------
amavisd-milter (1.5.0-2ubuntu1) natty; urgency=low

  * Re-enable hardened build for PIE (LP: #768713)
 -- Steve Beattie <email address hidden> Thu, 21 Apr 2011 17:22:53 -0700

Changed in amavisd-milter (Ubuntu Natty):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

Patch forwarded to Debian.

Changed in amavisd-milter (Debian):
status: Unknown → Fix Released