retitle 613763 please enable PIE and Immediate binding
user hardening-disc...@lists.alioth.debian.org
usertags 613763 goal-hardening
thanks
Hi,
On Wed, 2011-02-16 at 17:15 -0800, Kees Cook wrote:
> Since totem deals with media files, it should be hardened against
> potential malicious attacks. This patch enables the hardening
> features in the toolchain.
Retitling because:
* totem uses cdbs, so it gets the default (shy) set of hardening
flags for free. (For this reason, I'll refrain myself from raising
the severity to important, as the release goal does not formally
require PIE and bindnow.)
* The up-to-date way of doing things would be to use dpkg-buildflags
options, rather than hardening-wrapper, to enable PIE and bindnow.
Kees Cook wrote (17 Feb 2011 19:17:43 GMT) :
> Right, so to avoid the totem binaries having their .text regions
> being usable as a ROP target, it's best to fully PIE the build so
> that every aspect of the binary has been ASLRed.
Sure.
Please apply the following patch to build totem with PIE and Immediate
binding (note that Ubuntu has been doing this since 11.04):
--- totem-3.0.1.orig/debian/rules 2011-12-14 19:14:04.000000000 +0100
+++ totem-3.0.1/debian/rules 2012-06-25 17:02:48.899825008 +0200
@@ -1,6 +1,9 @@
#!/usr/bin/make -f
#-*- makefile -*-
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+include /usr/share/dpkg/buildflags.mk
+
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/gnome.mk
include /usr/share/cdbs/1/rules/utils.mk
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
