
Bug#1031743: python3.11-minimal: Python 3.11 should be compiled as a PIE, but it is not


j.fikar

Feb 21, 2023, 2:40:04 PM
Package: python3.11-minimal
Version: 3.11.1-2
Severity: normal
X-Debbugs-Cc: j.f...@gmail.com

Dear Maintainer,

if I understood it correctly, Python 3.10 and later should be compiled as
PIE (position independent executable). That is why there are the new packages
python3-nopie, python3.10-nopie, and 3.11-nopie.

But 3.11 is not a PIE. I checked arm64, amd64, armhf, armel, and i386
architectures.

$ file /usr/bin/python3.11
/usr/bin/python3.11: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV),
dynamically linked, interpreter /lib/ld-linux-aarch64.so.1,
BuildID[sha1]=8dad83d75a00e6b5e26095c79dee978a8d57ef7d, for GNU/Linux 3.7.0,
stripped

The same is true for Sid version python3.11-minimal (3.11.2-4). The hardening-
check is reporting the same.

On the contrary, python3.10-minimal (3.10.9-1) is correctly a PIE:

$ file /usr/bin/python3.10
/usr/bin/python3.10: ELF 64-bit LSB pie executable, ARM aarch64, version 1
(SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1,
BuildID[sha1]=7d2767e751dbd5c9287dbe5cd8de9022faa9d042, for GNU/Linux 3.7.0,
stripped


-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-28-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3.11-minimal depends on:
ii libc6 2.35-0ubuntu3.1
ii libexpat1 2.4.7-1ubuntu0.2
pn libpython3.11-minimal <none>
ii zlib1g 1:1.2.11.dfsg-2ubuntu9.2

Versions of packages python3.11-minimal recommends:
pn python3.11 <none>

Versions of packages python3.11-minimal suggests:
ii binfmt-support 2.2.1-2

Philipp Hahn

Feb 15, 2024, 7:20:05 AM
Package: python3.11
Version: 3.11.2-6
Followup-For: Bug #1031743

Dear Maintainer,

PIE was enabled for Python 3.10 by [Bug
#919134](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134).

[b23d4ec0](https://salsa.debian.org/cpython-team/python3/-/commit/b23d4ec00357597127b8651a1f4f5e3eea388d72#8756c63497c8dc39f7773438edf53b220c773f67_84_83)
added it only for Ubuntu, so
[4faf96b5](https://salsa.debian.org/cpython-team/python3/-/commit/4faf96b52843e91c28c2e4cc2a5cbb8b88ff7ec3#8756c63497c8dc39f7773438edf53b220c773f67_88_83)
changed it to also support Debian and switched from

Then
[03a2c395](https://salsa.debian.org/cpython-team/python3/-/commit/03a2c395781b26ecb2c6ec09a54fa3569de8ac9c#8756c63497c8dc39f7773438edf53b220c773f67_86_85)
added a work-around for [pypa/pip#11183](https://github.com/pypa/pip/issues/11183) and disabled PIE:

But `debian/rules` contains this:

> 81 dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="hardening=-pie $(DPKG_OPTIMIZE)" dpkg-buildflags
> 82 dpkg_pieflags = DEB_BUILD_MAINT_OPTIONS="hardening=-pie $(DPKG_OPTIMIZE)"dpkg-buildflags
> 83 ifeq (,$(filter $(distrelease),stretch buster bullseye trusty xenial bionic focal impish))

No "bookworm" here, so `$(filter bookworm,…)` is empty and the following
gets applied:

> 84 with_nopie := yes
> 85 dpkg_pieflags = DEB_BUILD_MAINT_OPTIONS="hardening=-pie $(DPKG_OPTIMIZE)" dpkg-buildflags
^
> 86 endif


Sadly the commit does not carry any extra information why PIE was
disabled, probably to make binary wheels compatible with Debian again?

Philipp
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US


Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

LSM: AppArmor: enabled

Versions of packages python3.11 depends on:
ii libpython3.11-stdlib 3.11.2-6
ii media-types 10.0.0
ii mime-support 3.66
ii python3.11-minimal 3.11.2-6

Versions of packages python3.11 recommends:
ii ca-certificates 20230311

Versions of packages python3.11 suggests:
ii binutils 2.40-2
ii python3.11-doc 3.11.2-6
ii python3.11-venv 3.11.2-6

-- no debconf information
