[Bug 2007946] [NEW] python 3.11 is not PIE, but it should be

Jan Fikar 2007946 at bugs.launchpad.net
Tue Feb 21 10:04:06 UTC 2023


Public bug reported:

Hello,

If I understood correctly, Python from version 3.10 should be
compiled as a PIE (position independent executable). That is why there
are the new packages python3-nopie, python3.10-nopie and
python3.11-nopie.

But Python 3.11 from the package python3.11-minimal, version
3.11.0~rc1-1~22.04, arch arm64 is not a PIE.

$ file /usr/bin/python3.11-pie 
/usr/bin/python3.11-pie: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=65f319d75fa662120654ed39ed608b11774bec9b, for GNU/Linux 3.7.0, stripped

The same using hardening-check:

$ hardening-check /usr/bin/python3.11-pie 
/usr/bin/python3.11-pie:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

While python3.10-minimal is a PIE.

$ file /usr/bin/python3.10-pie 
/usr/bin/python3.10-pie: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=a1841de4f4ec9445a10bff638afa4c72deace9e0, for GNU/Linux 3.7.0, stripped

$ hardening-check /usr/bin/python3.10-pie 
/usr/bin/python3.10-pie:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!

I know the packages are probably from Debian Bookworm. I've checked
their amd64 and arm64 packages python3.11-minimal_3.11.1-2; neither
is a PIE.

I should report this to Debian as well, but their reporting system is
very old-fashioned.

** Affects: python3.11 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: pie python

** Tags added: python

** Tags added: pie

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.11 in Ubuntu.
https://bugs.launchpad.net/bugs/2007946
