[ubuntu-hardened] Build of flashplugin-nonfree in Ubuntu 12.04 LTS Release.

Kees Cook kees at ubuntu.com
Thu Dec 31 18:37:08 UTC 2015 

It appears to be built using Red Hat's gcc:

$ strings -a /usr/lib/flashplugin-installer/libflashplayer.so | grep -i gcc
| sort | uniq -c
      1 .gcc_except_table
   1241 GCC: (GNU) 4.3.2
     54 GCC: (GNU) 4.3.2 20081105 (Red Hat 4.3.2-7)
      1 GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3

So it does not benefit from Ubuntu's default compiler flags. It does appear
to be built with at least -fstack-protector, though:

$ objdump -d /usr/lib/flashplugin-installer/libflashplayer.so  | grep
stack_chk | wc -l
17

But why do this the hard way, let's ask "hardening-check" instead:

$ hardening-check /usr/lib/flashplugin-installer/libflashplayer.so
/usr/lib/flashplugin-installer/libflashplayer.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

It's not built with -D_FORTIFY_SOURCE=2, nor RELRO, nor BIND_NOW.

Thought it's at least correctly build with the GNU_STACK non-executable
header:

$ readelf -lW /usr/lib/flashplugin-installer/libflashplayer.so | grep GNU_STACK
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8

"RW" not "RWE".

-Kees

On Thu, Dec 31, 2015 at 02:29:18PM +0100, daniel curtis wrote:
> Hi.
> 
> I have only one question regarding to the flashplugin-nonfree package.
> According to a build log[1], there is not any CFLAGS,
> CPPFLAGS, CXXFLAGS etc., exported from a dpkg-buildflags,
> right? I mean, for example, `-fstack-protector`, `-Wl,z,relro`
> or `-D_FORTIFY_SOURCE, to name a few.
> 
> I'm asking, because mentioned dpkg-buildflag exports, could
> reduce the possible areas that can be used by an attacker, to
> perform a successful attack etc. Is the flashplugin-nonfree
> package built with a hardened flags? What a naive question...
> 
> Maybe I'm wrong and the flashplugin-nonfree package is already
> protected with at least one of the mentioned method. So, what is
> an answer? Or maybe I misunderstood something? (e.g. build
> process etc.)
> 
> Best regards.
> _____________
> [1]
> https://launchpadlibrarian.net/232146187/buildlog_ubuntu-precise-i386.flashplugin-nonfree_11.2.202.559ubuntu0.12.04.1_BUILDING.txt.gz

> -- 
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

-- 
Kees Cook

More information about the ubuntu-hardened mailing list