Hi Petter,

On Wed, 12 Aug 2020 11:53:50 +0200, Petter Reinholdtsen <p...@hungry.com> wrote:
> According to
> <URL: https://security-tracker.debian.org/tracker/CVE-2018-5392 >, the
> issue is unsolved in Debian, thus I create this issue to track the
> status.
>
> The problem at hand is that mingw-w64 fails to create binaries with a
> working ASLR security feature, even when asked to do so. Packages that
> might be affected are listed on
> <URL: https://lintian.debian.org/tags/portable-executable-missing-security-features.html >.

Not quite; the problem at hand is that the mingw-w64 toolchain in Debian used to advertise that it created binaries supporting security features, when they didn't really. Builds can supply the appropriate flags, but they need to do so consciously; it doesn't make sense to enable them by default.

> According to two upstream issues,
> <URL: https://sourceware.org/bugzilla/show_bug.cgi?id=17321 > and
> <URL: https://sourceware.org/bugzilla/show_bug.cgi?id=19011 >,
> the problem was fixed in January 2020. Is the issue also fixed in
> Debian?
>
> I picked the version in stable as the starting point, but suspect the
> problem also exists in earlier versions.

The settings are ultimately controlled by binutils-mingw-w64. The security flags were set by default starting with version 7 (so 2.28-5+7.4 in oldstable is the first affected version that's currently available), and disabled again in version 8.8, and fixed up in 8.9 (so 2.34-5+8.9 in testing is the first fixed version that's currently available).

Regards,
Stephen
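The thread turns on the gap between what a PE image advertises (the DYNAMICBASE flag in the optional header's DllCharacteristics) and what the loader can actually honour (it needs base relocations to move the image). The script below is an added example, not code from this bug report, lintian or the mingw-w64 project: it parses the PE headers of a file and reports whether ASLR is effective rather than merely flagged, alongside the NXCOMPAT and HIGHENTROPYVA bits. The sample images it inspects are constructed header-only PE32+ blobs, built in the script for demonstration; point `inspect_pe` at the bytes of a real build output to check a package's own binaries.

```python
import struct

# IMAGE_FILE_HEADER Characteristics flag and IMAGE_OPTIONAL_HEADER DllCharacteristics flags
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers and report whether the advertised ASLR can actually be applied."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: 32-bit ImageBase, directories start at +96
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase, directories start at +112
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)   # DllCharacteristics
    (num_dirs,) = struct.unpack_from("<I", data, num_dirs_off)
    reloc_rva = reloc_size = 0
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC and entry + 8 - opt <= opt_size:
        reloc_rva, reloc_size = struct.unpack_from("<II", data, entry)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    nx_compat = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    high_entropy = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_relocs = reloc_rva != 0 and reloc_size != 0

    findings = []
    if not dynamic_base:
        findings.append("DYNAMICBASE not set: the loader will not randomise the image base")
    elif relocs_stripped or not has_relocs:
        # This is the "advertised but not working" case discussed in the thread.
        findings.append("DYNAMICBASE set but no base relocations: ASLR cannot be applied")
    if not nx_compat:
        findings.append("NXCOMPAT not set")
    if magic == 0x20B and not high_entropy:
        findings.append("HIGHENTROPYVA not set on a 64-bit image")
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "nx_compat": nx_compat,
        "high_entropy_va": high_entropy,
        "relocs_stripped": relocs_stripped,
        "has_relocs": has_relocs,
        "aslr_effective": dynamic_base and has_relocs and not relocs_stripped,
        "findings": findings,
    }


def build_sample_pe(dll_chars: int, characteristics: int, reloc_dir=(0, 0)) -> bytes:
    """Constructed, header-only PE32+ image for demonstration; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows DOS header
    opt = bytearray(240)                               # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)              # magic: PE32+
    struct.pack_into("<H", opt, 70, dll_chars)         # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: one that only claims ASLR, one where it can really work.
    samples = {
        "flag-only": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                     IMAGE_FILE_RELOCS_STRIPPED),
        "hardened": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                    | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
                                    0, reloc_dir=(0x3000, 0x40)),
    }
    for name, blob in samples.items():
        report = inspect_pe(blob)
        print(name, "aslr_effective=%s" % report["aslr_effective"], report["findings"])
```

The decisive check is the pairing of the DYNAMICBASE bit with a non-empty base relocation directory and a clear IMAGE_FILE_RELOCS_STRIPPED bit; a flag on its own says nothing about what the loader can do, which is exactly why build flags have to be supplied and verified deliberately rather than assumed from the toolchain's defaults.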