Hi all.

Since I started to rebuild my packages for the hardened builds issue, I have discovered (until now) a couple of libraries that result without "Canary protection" according to the output of the 'checksec' tool. Of course, I verified that all optimization flags used in Fedora by default were respected; as you know, we use the '-fstack-protector-strong' flag to check for buffer overflows, but some libraries like libmozalloc.so in 'icecat'
https://bugzilla.redhat.com/show_bug.cgi?id=1283307
or libmodplug/libtimidity in 'MOC' (RPM Fusion free) seem to need to be compiled with '-fstack-protector-all'; otherwise a "No Canary protection" warning results in the 'checksec' output.

GCC-5.3 documentation says:

-fstack-protector
    Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

-fstack-protector-all
    Like -fstack-protector except that all functions are protected.

-fstack-protector-strong
    Like -fstack-protector but includes additional functions to be protected — those that have local array definitions, or have references to local frame addresses.

So,

1) From the point of view of packaging, is forcing -fstack-protector-all acceptable?
2) Does -fstack-protector-all permit a real protection where -fstack-protector-strong does not?
--
Antonio Trande

mailto: sagitter 'at' fedoraproject 'dot' org
http://fedoraos.wordpress.com/
https://fedoraproject.org/wiki/User:Sagitter
GPG Key: 0x565E653C
Check on https://keys.fedoraproject.org/
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org