
catatonit-0.2.1-1.el10 built without PIE despite -fPIE in spec (missing -static-pie linker flag)


    • Bug
    • Resolution: Unresolved
    • Blocker
    • rhel-10.3
    • CentOS Stream 10
    • catatonit
    • catatonit-0.2.1-2.el10
    • Critical
    • rhel-container-tools
    • x86_64

      catatonit is the default PID 1 init process for podman containers on RHEL 10. The binary is statically linked and compiled with -fPIE, but the linker is not passed -static-pie, resulting in a non-PIE EXEC binary with no ASLR.

      The spec file sets:
        CFLAGS="%{optflags} -fPIE -D_GNU_SOURCE ..."

      But -fPIE only generates position-independent code at compile time. Without -static-pie in LDFLAGS, the linker produces a fixed-address executable. The binary also lacks stack canary protection (__stack_chk_fail absent) despite %{optflags} including -fstack-protector-strong.

      Verification:
        $ readelf -h /usr/libexec/catatonit/catatonit | grep Type
        Type: EXEC (Executable file)   # Should be DYN for PIE

        $ readelf -s /usr/libexec/catatonit/catatonit | grep stack_chk
        (no output)                     # Should show __stack_chk_fail

      Package NVR: catatonit-0.2.1-1.el10.x86_64
      Spec: https://gitlab.com/redhat/centos-stream/rpms/catatonit/-/blob/c10s/catatonit.spec

      Fix: Add LDFLAGS="%{build_ldflags} -static-pie" to %build section.
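      An added example, not code from this report or from the catatonit project: a small Python ELF64 inspector that reproduces the two readelf checks above (e_type EXEC vs DYN, presence of __stack_chk_fail) and additionally looks for a PT_INTERP program header, so a static non-PIE EXEC can be told apart from a static-pie DYN. The sample images it is fed are constructed inline; build_sample is a hypothetical helper for that purpose.

```python
# Added example: minimal ELF64 hardening inspector mirroring
# `readelf -h | grep Type` and `readelf -s | grep stack_chk`.
import struct
from dataclasses import dataclass

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3
ELF64_EHDR, ELF64_PHDR = 64, 56


@dataclass
class Hardening:
    elf_type: str       # "EXEC", "DYN" or "OTHER" (readelf -h "Type:")
    pie: bool           # True only for ET_DYN
    static: bool        # no PT_INTERP header: static or static-pie
    stack_canary: bool  # "__stack_chk_fail" symbol name found in the image


def inspect_elf(data: bytes) -> Hardening:
    """Classify an ELF64 image; raises on anything that is not ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # EI_CLASS 2 = ELFCLASS64
        raise ValueError("expected an ELF64 image")
    end = "<" if data[5] == 1 else ">"           # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )
    elf_type = {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "OTHER")
    # Symbol names sit NUL-terminated in .strtab/.dynstr, so this scan finds
    # __stack_chk_fail whenever readelf -s would list it.
    canary = b"__stack_chk_fail\x00" in data
    return Hardening(elf_type, e_type == ET_DYN, not has_interp, canary)


def build_sample(e_type: int, interp: bool, canary: bool) -> bytes:
    """Hypothetical helper: constructed ELF64 image (header, phdrs, strtab)."""
    phdrs = ([PT_INTERP] if interp else []) + [1]          # 1 = PT_LOAD
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000,
                        ELF64_EHDR, 0, 0, ELF64_EHDR, ELF64_PHDR,
                        len(phdrs), 64, 0, 0)               # 62 = EM_X86_64
    body = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                    for t in phdrs)
    strtab = b"\x00main\x00" + (b"__stack_chk_fail\x00" if canary else b"")
    return ehdr + body + strtab
```

      On a stripped static binary there is no symbol table at all, so an empty readelf -s (or a miss in this string scan) does not by itself prove the stack protector is absent; confirm with readelf -S that a .symtab or .dynsym section exists before drawing that conclusion.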

      What were you trying to do that didn't work?

      Verify binary hardening of container infrastructure packages on CentOS Stream 10. catatonit is built with -fPIE in CFLAGS but the linker is not passed -static-pie, so the compile-time flag has no effect and the resulting binary is a fixed-address EXEC with no ASLR. Stack canary protection is also absent despite %{optflags} including -fstack-protector-strong.

      What is the impact of this issue to you?

      catatonit is the default PID 1 init process inside every podman container on RHEL 10. Without ASLR, an attacker exploiting a memory corruption vulnerability has a fixed address space to target, weakening container exploit mitigation. The missing stack canary further reduces the binary's resilience to buffer overflow attacks.

      Please provide the package NVR for which the bug is seen:

      catatonit-0.2.1-1.el10.x86_64

      How reproducible is this bug?:

      Always — the spec file produces an unhardened binary on every build.

      Steps to reproduce

      1. Install catatonit-0.2.1-1.el10.x86_64
      2. Run readelf -h /usr/libexec/catatonit/catatonit | grep Type
      3. Observe EXEC instead of DYN

      Expected results

      PIE-enabled binary (DYN (Shared object file)) with stack canary protection

      Actual results

      Fixed-address EXEC binary, no stack canary, no ASLR

              rhn-support-jnovy Jindrich Novy
              rh-ee-clusk Christopher Lusk
              Container Runtime Eng Bot
              Container Runtime Bugs Bot