Discussion:
Bug#919134: python3 missing -fPIE flag
johnsen32
2019-01-13 00:30:01 UTC
Package: python3
Version: 3.7.1-3
Severity: important

Dear Maintainer,

python3 is not compiled as a position independent executable.

Please use -fPIE when compiling python3 as other distros also do.


-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3 depends on:
ii libpython3-stdlib 3.7.1-3
ii python3-minimal 3.7.1-3
ii python3.7 3.7.2-1

python3 recommends no packages.

Versions of packages python3 suggests:
pn python3-doc <none>
pn python3-tk <none>
pn python3-venv <none>

-- no debconf information
Michele Orrù
2019-09-30 14:30:01 UTC
Hi,

in the hope of helping out, I fixed this issue in:
https://salsa.debian.org/maker-guest/python3
and tested it on my system and a fresh debian install. Please feel free to
edit it! It's a really small edit.
An already packaged version can be found on salsa.

This (hardening) issue is important! Lots of software libraries (including
ones that could endanger people's lives, like Globaleaks or Securedrop) use
python and could benefit from this.
There's a similar issue on Launchpad for ubuntu:
https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1452115

Doko: what do you think?
Michele Orrù
2019-10-03 14:40:01 UTC
Post by Michele Orrù
An already packaged version can be found on salsa.
whoops, sorry, I meant on mentors:
https://mentors.debian.net/package/python3.8

--
Michele
Michele Orrù
2019-10-24 20:10:01 UTC
Hi doko,

is there any chance you could review my patch? It's really just this commit
that is relevant:
https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c

and package compilation seems to go through smoothly!
PS. I think the gitignore is messing up with some patch files.
Michele Orrù
2019-11-08 19:10:01 UTC
Arch linux seems to have PIE too:

$ file /usr/bin/python3.7
/usr/bin/python3.7: ELF 64-bit LSB pie executable, x86-64, version 1
(SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=edce9cb329b348463d5c868aa48bac4e146ce0e7, for GNU/Linux
3.2.0, stripped

Hope this clarifies a bit more what «other distros also do» meant in the
top message.
Ciao,
Hello again Doko,
I'm reaching out once again (and updating the bug) to ask if perhaps you
could take a look at my patch. I really just want to remove 4 lines of
code!
https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c
I tested the compiled package (once again, on your updated revision) and
everything seemed okay on my machine.
I tried to reach out to you via Holger, who said I should double-check for
potential performance issues and whether other distributions use it.
On fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm
$ hardening-check python3
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
Attached, you will find the result of pyperformance compare between
python3.8 compiled with -fPIE and without. I don't really buy the argument
of performance loss in a language like python, especially given the big
attack surface we are offering right now; anyways, just for the record,
it's between 2-5x slower, which doesn't seem so dramatic to me.
I also find it very suspicious that in the git log (of python 3 and python
2) there is no justification for disabling PIE explicitly: why this code
was there in the first place?
I'm going to try escalating this issue to other people in debian security
if I don't get a reply within a week!
Cheers,
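
The PIE status that `file` and `hardening-check` report in the message above can also be read directly from the ELF header. The following is an added example, not code from the thread, the patch or either tool: it classifies an ELF image from `e_type` and the presence of a `PT_INTERP` program header. `sample_elf` is a hypothetical helper that builds constructed, header-only images so the block runs offline.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic loader

def classify_elf(data: bytes) -> str:
    """Return 'non-pie', 'pie', 'shared-object' or 'other' for an ELF image."""
    if data[:4] != b"\x7fELF" or data[4:5] not in (b"\x01", b"\x02") \
            or data[5:6] not in (b"\x01", b"\x02"):
        raise ValueError("not a valid ELF header")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        if e_type == ET_EXEC:
            return "non-pie"                 # linked for a fixed load address
        if e_type != ET_DYN:
            return "other"                   # relocatable object, core file, ...
        # Field offsets differ between the 32-bit and 64-bit header layouts.
        (e_phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
        for i in range(e_phnum):
            # p_type is the first 4 bytes of a program header in both layouts.
            (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
            if p_type == PT_INTERP:
                return "pie"                 # ET_DYN that asks for a loader
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    # Heuristic: a few shared libraries (e.g. libc) also carry PT_INTERP.
    return "shared-object"

def sample_elf(e_type: int, p_types, is64: bool = True) -> bytes:
    """Constructed header-only ELF image (hypothetical helper, little endian)."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    fmt, ehsize, phsize = ("<HHIQQQIHHHHHH", 64, 56) if is64 else ("<HHIIIIIHHHHHH", 52, 32)
    header = struct.pack(fmt, e_type, 62 if is64 else 3, 1, 0, ehsize, 0, 0,
                         ehsize, phsize, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<I", t).ljust(phsize, b"\0") for t in p_types)
    return ident + header + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. /usr/bin/python3.7
        with open(path, "rb") as fh:
            print(path, classify_elf(fh.read()))
```

Run against an installed interpreter, a result of `non-pie` corresponds to the condition this bug reports, and `pie` to the Arch and Fedora builds quoted above.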
Matthias Klose
2019-11-09 16:30:01 UTC
Hello again Doko,
I'm reaching out once again (and updating the bug) to ask if perhaps you
could take a look at my patch. I really just want to remove 4 lines of
code!
https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c
I tested the compiled package (once again, on your updated revision) and
everything seemed okay on my machine.
I tried to reach out to you via Holger, who said I should double-check for
potential performance issues and whether other distributions use it.
On fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm
$ hardening-check python3
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
Attached, you will find the result of pyperformance compare between
python3.8 compiled with -fPIE and without. I don't really buy the argument
of performance loss in a language like python, especially given the big
attack surface we are offering right now; anyways, just for the record,
it's between 2-5x slower, which doesn't seem so dramatic to me.
I also find it very suspicious that in the git log (of python 3 and python
2) there is no justification for disabling PIE explicitly: why this code
was there in the first place?
I'm going to try escalating this issue to other people in debian security
if I don't get a reply within a week!
seriously? For a few months you are writing emails without subject landing in
my spam folder, and then you are starting threats?
other people in debian security
can't find you in
https://www.debian.org/intro/organization#security

I also doubt very much your numbers, 2.5 - 5 times slower is not expected. PIE
has some impact, but not that bad.

Matthias
Michele Orrù
2019-11-09 17:30:01 UTC
Post by Matthias Klose
seriously? For a few months you are writing emails without subject landing in
my spam folder, and then you are starting threats?
Hi Doko,

as I wrote privately immediately after:

reading back my email it sounds a lot like a threat.
Post by Matthias Klose
When I wrote the email I was just thinking that I should give a heads up
because it's been now more than one month and I don't know what else to do
besides asking other dd.
So, please forgive the tone in my previous email Matthias.


I'm not trying to threaten you, I just want to help you out improve debian,
and from my (naïve) perspective reaching out to other DD was the logical
solution for no answer.

That said, I'm sorry for the subject line. I'm relatively new here: I
didn't know if my b.d.o email will be processed adding the issue number in
the subject, and I didn't know if the subject will be embedded in the
message and cause confusion. Besides email to b.d.o:
- I tried to reach out to you on irc, over public channels and in private;
- people tried to reach out to you via ubuntu bug tracker:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1452115.
Perhaps you can give me some slack, and we can all move on? Holger already
told me that was stupid.

Now that this bug has come to your attention again:

Post by Matthias Klose
I also doubt very much your numbers, 2.5 - 5 times slower is not expected. PIE
has some impact, but not that bad.
Even before measuring performance loss (which could be due to intel turbo
being active on my machine for a start, and I'm happy to test again so that
you can double-check my steps), do you think performances are crucial for
enabling PIE on /usr/bin/python3?

If not, would you mind if I try to help out updating the package? It's a
relatively easy issue and I could learn something about packaging in the
process.
If yes, could you please explain to me how this is different from python2?

Apologising again,
--
Ό.
Giovanni Pellerano
2019-11-20 17:50:01 UTC
Hello all,

I've performed some benchmarks following the instructions provided by
Michele (https://github.com/freedomofpress/securedrop/issues/1861#issuecomment-554035468).

Please find attached the results.

From my tests there seems to be no particular performance loss;
actually, some tests result in a gain.

Please let me know if there is something else I could support
retesting to possibly speed up the progress on the integration of the
proposed patch.

Best,

Giovanni

On Sat 9 Nov 2019 at 18:19 Michele Orrù
Post by Michele Orrù
Post by Matthias Klose
seriously? For a few months you are writing emails without subject landing in
my spam folder, and then you are starting threats?
Hi Doko,
Post by Matthias Klose
reading back my email it sounds a lot like a threat.
When I wrote the email I was just thinking that I should give a heads up because it's been now more than one month and I don't know what else to do besides asking other dd.
So, please forgive the tone in my previous email Matthias.
I'm not trying to threaten you, I just want to help you out improve debian, and from my (naïve) perspective reaching out to other DD was the logical solution for no answer.
- I tried to reach out to you on irc, over public channels and in private;
- people tried to reach out to you via ubuntu bug tracker: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1452115.
Perhaps you can give me some slack, and we can all move on? Holger already told me that was stupid.
Post by Matthias Klose
I also doubt very much your numbers, 2.5 - 5 times slower is not expected. PIE
has some impact, but not that bad.
Even before measuring performance loss (which could be due to intel turbo being active on my machine for a start, and I'm happy to test again so that you can double-check my steps), do you think performances are crucial for enabling PIE on /usr/bin/python3?
If not, would you mind if I try to help out updating the package? It's a relatively easy issue and I could learn something about packaging in the process.
If yes, could you please explain to me how this is different from python2?
Apologising again,
--
Ό.
--
Ing. Giovanni Pellerano - Founding Member and CTO
***@hermescenter.org | +39.328.9590046

HERMES - Center for Transparency and Digital Human Rights
Associazione No Profit | Via Aretusa 34, IT-20129 Milan, Italy
t. +39-02-87186005 (voicemail) | f. +39-02-87162573
TaxCode: IT-97621810155 | EuropeAid: IT-2012-AOD-0806909254
w. https://www.hermescenter.org | m. ***@hermescenter.org