Nice - thanks @sdeziel
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1452115
Title:
Python interpreter binary is not compiled as PIE
To manage notifications about this bug go to:
https://bugs.launc
@alexmurray, totally random observation that is not related to this bug
but might save you/others some time. The following 4 steps:
# use a LXD VM for testing
lxc launch --vm images:ubuntu/jammy sec-jammy-amd64
# stop the VM and disable UEFI secure boot
lxc stop sec-jammy-amd64
# ensure secureboo
This bug was fixed in the package python3.10 - 3.10.4-3
---
python3.10 (3.10.4-3) unstable; urgency=medium
* Build a python3.10-nopie package, diverting the python3.10
executable.
* Build the python3.10 interpreter with PIE enabled. Closes: #919134.
LP: #1452115.
* Fix
Thanks @doko :)
--
** Changed in: python3.10 (Ubuntu)
Status: New => Fix Committed
--
For posterity - this is how I did the analysis above:
# download the current python3.9 source package and rebuild it with PIE enabled
apt source python3.9
cd python3.9-3.9.10/
sed -i "/export DEB_BUILD_MAINT_OPTIONS=hardening=-pie/d" debian/rules
dch -i -D jammy "Enable PIE (LP: #1452115)"
update-
I am actively looking at this - FWIW the performance results with PIE
enabled look good - https://paste.ubuntu.com/p/PZjqMFSNSR/ - so I am
discussing internally whether this is something that can still land for
Ubuntu 22.04.
--
Thanks @Giovanni Pellerano for bumping this again. I can confirm that
this is an issue in python3.9 (3.9.7, "3.9.7-2build1") and python3.10
(3.10.0, "3.10.0-2") on 21.10 (amd64). I imagine if nothing is done, the
upcoming 22.04 LTS will have the issue in its default python(3), which I
imagine will
Hello!
--
** Changed in: python3.7 (Debian)
Status: Unknown => New
--
@Giovanni Pellerano (evilaliv3): So while lack of any of these
(currently mainstream) hardening features is concerning with regards to
exploitation (especially the lack of ASLR in a generally non-highly
interactive exploitation context), my guess is that the upstream Python
build toolchain is just
Hello! Does anyone really care?
5 years passed since the original reporting of this issue and I'm
starting to seriously think that this is intended to cover up some zer0
day!
Many were the justifications for this related to performance, but actually
with many tests this appeared not to be the case:
htt
** Also affects: python3.7 (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134
Importance: Unknown
Status: Unknown
--
** Changed in: python3.7 (Ubuntu)
Status: New => Confirmed
--
Relocation Read-Only (RELRO) is also only partially implemented in python
3.6 compared to 2.7, as well as missing PIE on Bionic:
FILE: /usr/bin/python3.6
RELRO: Partial RELRO <<< ISSUE >>>
STACK CANARY: Canary found
NX: NX enabled
PIE: No PIE <<< ISSUE >>>
RPATH: No RPATH
RUNPATH:
3.7 is also affected in bionic:
$ hardening-check /usr/bin/python3.7
/usr/bin/python3.7:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
**
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: python3.6 (Ubuntu)
Status: New => Confirmed
--
** Also affects: python3.8 (Ubuntu)
Importance: Undecided
Status: New
** Also affects: python3.8 (Debian)
Importance: Undecided
Status: New
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: python3.8 (Ubuntu)
Status: New => Confirmed
--
** Changed in: python
Status: Unknown => New
--
** Bug watch added: Debian Bug tracker #919134
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134
** Also affects: python via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134
Importance: Unknown
Status: Unknown
--
** Changed in: python3.6 (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
--
Actually I confirm this on current ubuntu bionic.
Would someone please reach the ubuntu security team and verify this is
an intended choice?
evilaliv3@evilaliv3:~$ hardening-check /usr/bin/python3
/usr/bin/python3:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fo
** Also affects: python3.6 (Ubuntu)
Importance: Undecided
Status: New
--
I do believe PIE is explicitly disabled when building Python 3.6. Using
hardening-check on Ubuntu Bionic (from the devscripts package):
$ hardening-check /usr/bin/python3
/usr/bin/python3:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes
this is done since 16.10. See the release notes
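The hardening-check output quoted in the messages above (PIE, RELRO, NX) is derived from the ELF program headers and the dynamic section of the interpreter binary. The following Python script is an added example, not hardening-check's own implementation nor code from this bug or the python3.x packages: it parses an ELF64 little-endian image and classifies PIE, NX and RELRO the way hardening-check/checksec report them (ET_DYN with a PT_INTERP is a PIE executable; PT_GNU_STACK without PF_X is NX; PT_GNU_RELRO is partial RELRO, upgraded to full when BIND_NOW is set). It does not cover the stack-protector or fortify lines, which need symbol tables. The `build_elf` helper and its parameters are constructed for this example so it runs offline; on a real system you would run `check_hardening` on the bytes of `/usr/bin/python3` instead.

```python
"""Minimal ELF64 hardening classifier (added example, not hardening-check's code)."""
import struct

# ELF / GNU ABI constants
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def _dynamic_tags(blob, phdrs):
    """Return {d_tag: d_val} read from the PT_DYNAMIC segment (empty if none)."""
    tags = {}
    for ph in phdrs:
        if ph[0] != PT_DYNAMIC:
            continue
        off, size = ph[2], ph[5]  # p_offset, p_filesz
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(blob, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
    return tags


def check_hardening(blob):
    """Classify PIE / NX / RELRO of an ELF64 little-endian image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(blob, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(blob, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    types = {ph[0]: ph for ph in phdrs}
    dyn = _dynamic_tags(blob, phdrs)

    # PIE: an ET_DYN image with a program interpreter (or DF_1_PIE) is a PIE
    # executable; ET_EXEC is a fixed-address "normal executable" ASLR cannot move.
    if e_type == ET_DYN and (PT_INTERP in types or dyn.get(DT_FLAGS_1, 0) & DF_1_PIE):
        pie = "PIE enabled"
    elif e_type == ET_DYN:
        pie = "DSO (shared object, not an executable)"
    else:
        pie = "No PIE"

    # NX: PT_GNU_STACK must be present and must not request an executable stack.
    stack = types.get(PT_GNU_STACK)
    nx = "NX enabled" if stack is not None and not (stack[1] & PF_X) else "NX disabled"

    # RELRO: PT_GNU_RELRO alone is partial; BIND_NOW makes the GOT read-only too.
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in types:
        relro = "No RELRO"
    elif bind_now:
        relro = "Full RELRO"
    else:
        relro = "Partial RELRO"
    return {"PIE": pie, "NX": nx, "RELRO": relro}


def build_elf(e_type, interp=True, nx_stack=True, relro=True, bind_now=False):
    """Constructed (hypothetical) ELF64 image with just enough headers to classify."""
    dyn_entries = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn_entries.append((DT_NULL, 0))
    dynamic = b"".join(DYN.pack(t, v) for t, v in dyn_entries)
    # (p_type, p_flags, p_offset or None for "points at the dynamic section", p_filesz)
    segs = [(PT_DYNAMIC, 6, None, len(dynamic)),
            (PT_GNU_STACK, 6 if nx_stack else 7, 0, 0)]  # 7 = RWX stack
    if interp:
        segs.append((PT_INTERP, 4, 0, 0))
    if relro:
        segs.append((PT_GNU_RELRO, 4, 0, 0))
    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(segs)
    phdrs = b"".join(
        PHDR.pack(t, f, dyn_off if off is None else off, 0, 0, sz, sz, 8)
        for t, f, off, sz in segs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1, SysV
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + dynamic


if __name__ == "__main__":
    import sys
    # Usage: python3 elfcheck.py /usr/bin/python3 ; with no paths, show the two
    # constructed cases: a Bionic-style non-PIE binary and a fully hardened one.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:
        print("bionic-like", check_hardening(build_elf(ET_EXEC)))
        print("hardened   ", check_hardening(build_elf(ET_DYN, bind_now=True)))
```

Reading the dynamic section only through PT_DYNAMIC (not through section headers) matters in practice: stripped binaries keep their program headers, and `sstrip`-style tooling can drop section headers entirely, so a classifier that depends on `.dynamic` by section name would misreport them.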
** Changed in: python2.7 (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: python3.4 (Ubuntu)
Status: Confirmed => Fix Released
--
It's been 2 years, can we turn on PIE for Python now?
Alpine and other distros do this by default.
--
We didn't enable PIE for the python interpreters for performance
reasons.
We're currently investigating turning PIE on by default for x86-64 and
other architectures that will likely handle it well. The performance
impact will be one of the deciding factors in determining if we enable
PIE for the p
** Changed in: python2.7 (Ubuntu)
Status: New => Won't Fix
** Changed in: python3.4 (Ubuntu)
Status: New => Confirmed
** Changed in: python2.7 (Ubuntu)
Status: Won't Fix => Confirmed
** Information type changed from Private Security to Public Security
--