[New-bugs-announce] [issue39332] Python 3.6 compiler protections from Ubuntu distros

Jason Culligan report at bugs.python.org
Tue Jan 14 13:25:50 EST 2020


New submission from Jason Culligan <jason.culligan at intel.com>:

The python3.6 binary supplied in Ubuntu distros is not compiled with Position Independent Code (PIE) protection enabled.  Python2 does.  Is this not seen as a problem?

Example 1:
(checksec)
============

FILE:	/usr/bin/python2
RELRO:	Full RELRO
STACK CANARY:	Canary found
NX:	NX enabled
PIE:	PIE enabled <<<
RPATH:	No RPATH
RUNPATH:	No RUNPATH
Symbols:	No Symbols
FORTIFY:	Yes
Fortified:	14
Fortifiable:	32


FILE:	/usr/bin/python3.6
RELRO:	Partial RELRO <<< ISSUE >>>
STACK CANARY:	Canary found
NX:	NX enabled
PIE:	No PIE <<< ISSUE >>>
RPATH:	No RPATH
RUNPATH:	No RUNPATH
Symbols:	No Symbols
FORTIFY:	Yes
Fortified:	18
Fortifiable:	42


Example 2:
============

$ hardening-check /usr/bin/python2
/usr/bin/python2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

$ hardening-check /usr/bin/python3.6
/usr/bin/python3.6:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

----------
components: Build
messages: 359986
nosy: hpawdjit
priority: normal
severity: normal
status: open
title: Python 3.6 compiler protections from Ubuntu distros
type: security
versions: Python 3.6

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39332>
_______________________________________

