Seems whoever is behind the Fedora kernel builds has missed a patch along the
way. It would appear that the Position Independent Executable (PIE) base
randomisation patch is missing.
Under Fedora, critical binaries are usually compiled as position independent
executables. A PIE is linked like a shared object, so the kernel can load it at
a randomised base and thereby randomise the whole address space of the process
if it so chooses, rather than leaving the main executable at a fixed, known
location. Some packages which are (or should be) PIE are OpenSSH and Apache,
small things like that ;) While the executable's base stays fixed, standard
return to .text techniques (reusing the binary's own code at addresses that
never change between runs) can be used to exploit these binaries, whatever else
the kernel randomises, until the randomisation patch is re-applied.
For example:
# cat /proc/`pidof sshd`/maps | grep sshd
80000000-8005f000 r-xp 00000000 fd:00 13937373 /usr/sbin/sshd
8005f000-80061000 rw-p 0005e000 fd:00 13937373 /usr/sbin/sshd
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# cat /proc/`pidof sshd`/maps | grep sshd
80000000-8005f000 r-xp 00000000 fd:00 13937373 /usr/sbin/sshd
8005f000-80061000 rw-p 0005e000 fd:00 13937373 /usr/sbin/sshd
# uname -a
Linux 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686 i386 GNU/Linux
Whoops! Seems like it's been that way for a while, and probably will be for a
while… Ash informs me that PPC FC7 behaves in the same way.
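The check above, generalised into a script, as an added example that is not part of the original post. It parses /proc/PID/maps the same way the manual check does (the pathname is the sixth field, the start address is the part before the dash in the first field) and reports "fixed" when every sample lands at the same base and "randomised" otherwise. The two sshd captures from the post are embedded as sample input; the second pair of maps lines, with b7... bases, is constructed to show what a randomising kernel would produce, and the file name pie_base_check.sh is my own. Worth knowing when reading the post's output: 0x80000000 is the kernel's default ET_DYN load base on i386 (two thirds of the 3 GiB user address space), which is exactly where a PIE lands when no randomisation is applied to it.

```shell
#!/bin/sh
# pie_base_check.sh: does the kernel randomise the base of a PIE executable?
# Added example, not code from the original post. It turns the manual
# "read /proc/PID/maps, restart, read again" check into a repeatable one.

# exe_base MAPS PATH
# Print the start address of the lowest mapping of PATH in the given
# /proc/PID/maps text (field 1 is start-end, field 6 is the pathname).
exe_base() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $6 == p { split($1, a, "-"); print a[1]; exit }'
}

# first_image_base MAPS
# Print the start address of the first file-backed mapping, which in a
# normal process layout is the main executable itself.
first_image_base() {
    printf '%s\n' "$1" | awk '$6 ~ /^\// { split($1, a, "-"); print a[1]; exit }'
}

# daemon_base PID PATH
# Same as the post's "cat /proc/`pidof sshd`/maps | grep sshd" step:
# the current base of PATH inside the running process PID.
daemon_base() {
    exe_base "$(cat "/proc/$1/maps")" "$2"
}

# verdict BASE...
# "fixed" if every sampled base is identical, "randomised" otherwise.
# Sample several times: a fixed base is the bug, one lucky repeat is not.
verdict() {
    n=$(printf '%s\n' "$@" | sort -u | wc -l)
    if [ "$n" -le 1 ]; then echo fixed; else echo randomised; fi
}

# live_verdict N
# Spawn N fresh shells, each dumping its own maps, and report whether that
# executable's image was loaded at the same base every time.
live_verdict() {
    i=0; bases=""
    while [ "$i" -lt "$1" ]; do
        maps=$(sh -c 'cat /proc/$$/maps')
        bases="$bases $(first_image_base "$maps")"
        i=$((i + 1))
    done
    verdict $bases
}

# Sample input: the two sshd captures from the post (identical bases before
# and after the restart), then a constructed pair of captures showing what a
# kernel that does randomise the PIE base would have printed.
MAPS_FC7_1='80000000-8005f000 r-xp 00000000 fd:00 13937373 /usr/sbin/sshd
8005f000-80061000 rw-p 0005e000 fd:00 13937373 /usr/sbin/sshd'
MAPS_FC7_2="$MAPS_FC7_1"
MAPS_RAND_1='b7e12000-b7e71000 r-xp 00000000 fd:00 13937373 /usr/sbin/sshd
b7e71000-b7e73000 rw-p 0005e000 fd:00 13937373 /usr/sbin/sshd'
MAPS_RAND_2='b7f40000-b7f9f000 r-xp 00000000 fd:00 13937373 /usr/sbin/sshd
b7f9f000-b7fa1000 rw-p 0005e000 fd:00 13937373 /usr/sbin/sshd'

# Usage:
#   sh pie_base_check.sh --sample         # run on the embedded captures
#   sh pie_base_check.sh --live [N]       # sample N fresh processes (default 5)
#   sh pie_base_check.sh --pid PID PATH   # print the base of PATH in process PID
case "${1:-}" in
    --sample)
        echo "FC7 sshd, before/after restart: $(verdict \
            "$(exe_base "$MAPS_FC7_1" /usr/sbin/sshd)" \
            "$(exe_base "$MAPS_FC7_2" /usr/sbin/sshd)")"
        echo "constructed randomising kernel:  $(verdict \
            "$(exe_base "$MAPS_RAND_1" /usr/sbin/sshd)" \
            "$(exe_base "$MAPS_RAND_2" /usr/sbin/sshd)")"
        ;;
    --live) live_verdict "${2:-5}" ;;
    --pid)  daemon_base "$2" "$3" ;;
esac
```

Before blaming the kernel, confirm the binary really is a PIE: `readelf -h /usr/sbin/sshd` should report `Type: DYN (Shared object file)`. A `Type: EXEC` binary is loaded at its link-time address and a fixed base is expected; a `DYN` executable sitting at the same base after every restart is the kernel declining to randomise it, which is what the post shows.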