Hi Sebastian,

On Thu, Feb 17, 2011 at 09:09:21AM +0100, Sebastian Dröge wrote:
> On Wed, 2011-02-16 at 17:15 -0800, Kees Cook wrote:
> > Since totem deals with media files, it should be hardened against potential
> > malicious attacks. This patch enables the hardening features in the 
> > toolchain.
> 
> Not sure how useful this is when applied to totem only. Totem uses other
> libraries to handle media files and playlists.

Right, so to avoid the totem binaries having their .text regions being
usable as a ROP target, it's best to fully PIE the build so that every
aspect of the binary has been ASLRed.

(Talk about acronym soup, sorry about that; links below if anyone needs
pointers.)

Each library can certainly gain hardening options as well. This bug is
specifically about totem binaries themselves.

-Kees

http://en.wikipedia.org/wiki/Return-oriented_programming
http://en.wikipedia.org/wiki/Position-independent_code#Position-independent_executables
http://en.wikipedia.org/wiki/ASLR

-- 
Kees Cook                                            @debian.org
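
Added example (not part of the message above or of the patch it discusses): one way to verify that a built binary really is a PIE, by reading the ELF header type and looking for a PT_INTERP program header. The names `classify_elf` and `make_sample` are hypothetical, the sample images are constructed, and treating "ET_DYN with PT_INTERP" as PIE is a common heuristic assumed here, not a definitive test.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE', 'PIE', 'shared-object', 'other' or 'not-ELF'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-ELF"
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    fmt = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    if len(data) < struct.calcsize(fmt):
        return "not-ELF"
    hdr = struct.unpack_from(fmt, data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type == ET_EXEC:
        return "non-PIE"                   # fixed load address: .text is not randomized
    if e_type != ET_DYN:
        return "other"                     # relocatable object, core file, ...
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                          # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "PIE"                   # heuristic: ET_DYN that requests an interpreter
    return "shared-object"

def make_sample(e_type: int, ph_types: list) -> bytes:
    """Build a minimal constructed 64-bit little-endian ELF image for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(ph_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II48x", t, 0) for t in ph_types)
    return hdr + phdrs

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # classify files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, classify_elf(f.read(65536)))
    else:                                  # otherwise show the constructed samples
        print("ET_EXEC sample:", classify_elf(make_sample(ET_EXEC, [1, 3])))
        print("ET_DYN + PT_INTERP sample:", classify_elf(make_sample(ET_DYN, [6, 3, 1])))
```

A result of `non-PIE` for an installed binary means its code is loaded at a fixed address regardless of the system's ASLR setting.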


