Michael Scherer ha scritto:
On Sunday 17 August 2003 17:47, Aleksander Adamowski wrote:
How about adding ProPolice stack protection to stock Mandrake GCC?
For discussion, see this Mandrake Wiki topic:
<http://qa.mandrakesoft.com/twiki/bin/view/Main/ProPolice>
OpenBSD already did that.
having the patch would be nice, but not applied as default.
An alternative would be to have a parallel protected build of all
the applications (e.g. with RPM named "mdks" instead of "mdk") and
let users (or installer) decide to which level install the protected
one (e.g. level5 install stack protected RPM version only for the running
daemons, level10 install the stack protected RPM version for everything).
we already have libsafe for a runtime protection, which is more flexible
than compile time protection.
The problem is that libsafe doesn't cover all the functions, but
just a subset of common one where buffer overrun could occur (and note
that %serverbuild macro in our RPM was introduced for libsafe). For instance
in the case of the zlib exploit, libsafe wouldn't have it catched,
while if it would have been compiled with -fstack-protector, the
exploit would have been blocked (and logged).
in fact with the patch, you only would need to rebuild and change the
.rpmmacro files of the user who is used to build.
Bye.
Giuseppe.
