Source: pcre2
Version: 10.36-2
Severity: important
X-Debbugs-Cc: a...@kernel.org

Dear Maintainer,

Currently, pcre2 is built in a mode where its JIT uses memory mappings that are writable and executable at the same time, which is unsafe and unnecessary. Instead, it is possible to enable a different allocator that uses separate mappings for the same allocation, one with read/write and one with read/executable mappings, the placement of which is randomized in the process's virtual address space, making abuse much harder.

Please consider applying the change below to switch all 64-bit architectures to the alternative allocator. 32-bit architectures are far more likely to run out of virtual address space, so there, we should probably stick with the original allocator.

--- a/debian/rules +++ b/debian/rules @@ -15,6 +15,10 @@ deb_maint_conf_args = --enable-pcre2-16 --enable-pcre2-32 --disable-pcre2grep-ca #enable JIT only on architectures that support it (see pcre2jit.3) ifneq ($(filter i386 amd64 armel armhf mips mipsel mips64el powerpc sparc arm64 ppc64 ppc64el s390x, $(DEB_HOST_ARCH)),) deb_maint_conf_args +=--enable-jit +ifneq ($(DEB_HOST_ARCH_BITS),32) +#the W^X allocator is safer but uses more virtual address space, so enable it on 64-bit arches only +deb_maint_conf_args +=--enable-jit-sealloc +endif

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: arm64 (aarch64)

Kernel: Linux 5.18.4+ (SMP w/128 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
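
Review bot: The added `ifneq ($(DEB_HOST_ARCH_BITS),32)` test passes `--enable-jit-sealloc` whenever the variable is anything other than 32, which includes the case where it is empty. Nothing in the visible lines shows debian/rules defining DEB_HOST_ARCH_BITS (for example by including /usr/share/dpkg/architecture.mk), so if it is unset the flag would also be enabled on the 32-bit architectures in the filter list, such as i386, armel and armhf. Writing the test as `ifeq ($(DEB_HOST_ARCH_BITS),64)` would leave the original allocator in place in that case, which matches the stated intent of enabling it on 64-bit arches only.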
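
A way to check a process for the property this report asks for, added here as an example that is not part of the bug report or of pcre2: it parses text in `/proc/<pid>/maps` format and counts mappings that are writable and executable at the same time. The function name, the sample addresses and the `/tmp/jit-example` backing file are constructed for illustration.

```c
/* Added example: count mappings that are writable and executable at once.
 * Input is text in /proc/<pid>/maps format. */
#include <stdio.h>
#include <string.h>

/* Constructed samples; addresses and the backing file name are made up. */
static const char SAMPLE_WX[] =
    "7f3a10000000-7f3a10010000 rwxp 00000000 00:00 0 \n"
    "55d0c0000000-55d0c0021000 rw-p 00000000 00:00 0 [heap]\n";
static const char SAMPLE_SPLIT[] =  /* one backing object, two views */
    "7f3a10000000-7f3a10010000 rw-s 00000000 00:01 2049 /tmp/jit-example (deleted)\n"
    "7f3a55000000-7f3a55010000 r-xs 00000000 00:01 2049 /tmp/jit-example (deleted)\n";

/* Returns the number of W+X mappings, or -1 on a line that does not parse. */
int count_wx_mappings(const char *maps)
{
    int hits = 0;
    while (*maps) {
        const char *eol = strchr(maps, '\n');
        size_t len = eol ? (size_t)(eol - maps) : strlen(maps);
        if (len > 0) {
            char head[64], perms[5];
            unsigned long start, end;
            size_t n = len < sizeof head - 1 ? len : sizeof head - 1;
            memcpy(head, maps, n);          /* parse only this line's prefix */
            head[n] = '\0';
            if (sscanf(head, "%lx-%lx %4s", &start, &end, perms) != 3 ||
                strlen(perms) != 4)
                return -1;
            if (perms[1] == 'w' && perms[2] == 'x') {
                printf("W+X: %.*s\n", (int)len, maps);
                hits++;
            }
        }
        maps += len + (eol ? 1 : 0);
    }
    return hits;
}

int main(int argc, char **argv)
{
    static char buf[1 << 20];
    const char *path = argc > 1 ? argv[1] : "/proc/self/maps";
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    printf("samples: %d, %d\n", count_wx_mappings(SAMPLE_WX),
           count_wx_mappings(SAMPLE_SPLIT));
    return count_wx_mappings(buf) != 0;
}
```

Pass the path of a `maps` file for a process that has already JIT-compiled a pattern; exit status 1 means at least one writable and executable mapping was found.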