Hi. Owl/Openwall have a large assortment of security related patches for just about every package.
For starters Owl has a patch for Gzip which cleans up the gzexe.in and zdiff.in shell scripts. For example, the vanilla Gzip does not remove tempfiles it created if gzip fails to decompress a file, the Owl patch removes the temp file before exiting the script if gzip fails. /bin/mktemp is added to the gzip scripts by the patch too, rather than using non-random temp files. Our mktemp is installed to /usr/bin, so either move mktemp to /bin or adjust the patch. There are a couple other modifications too. The name of the patch is "gzip-1.3.5-openbsd-owl-tmp.patch" if any of you want to take a look at it. It's not a critical patch, but I think it would be a good idea to add it to the book. There's patch for Glibc named "glibc-2.3.5-owl-alt-sanitize-env.diff". This patch does aggressive sterilization of the environment while running programs linked to libc. This patch is half-critical. This patch helps prevent environment based exploits. Ncurses has a patch to use the new functions added by the sanitize-env patch. Another Glibc patch, "glibc-2.3.5-openbsd-strlcpy-strlcat.diff", adds safer replacements to strncpy and strncat. Drepper and Linus have both commented on the strlcpy and strlcat functions. Drepper does not think they're suitable for Glibc because programmers should use strncpy and strncat properly. Linus has added strlcpy and strlcat functions to the kernel libraries. Having the attitude of 'it's better to be safe than sorry', it would be good to use these functions. These functions help prevent buffer overflows. Many packages check for strncpy and strncat during configure to see if they can be used. There are also several other Glibc patches that are worth adding to HLFS, not to mention the blowfish crypt functions. And several patches to correct GCC warnings in some packages. Off topic: From what I gather mktemp is used in Binutils because its portable... every system has mktemp. There are a couple patches on google which add mkdtemp/mkstemp to Binutils to not only remove the compiler warnings, but also use better temp filenames. robert
pgpyonHB3wxnN.pgp
Description: PGP signature
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
