On 13/03/2019 03:27, Huzaifa Sidhpurwala wrote:
On 3/12/19 5:40 PM, Vít Ondruch wrote:
Will it help to mitigate issues such as:
https://bugzilla.redhat.com/show_bug.cgi?id=1284684
This is related to the following change which was made in Fedora 23:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
My proposal does not touch PIE or RELRO at all, but is related to
compiling code with protections which mitigate, format string attacks
and stack-based buffer overflows. It is pretty common to enable these
flags while compiling, its just strange that we dont enable these by
default.
We do, just not by changing the compiler defaults.
Instead they are in %{optflags} which all packages are expected
to use for their compiler flags:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_compiler_flags
Here's what %optflags looks like for F29:
-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
Tom
--
Tom Hughes ([email protected])
http://compton.nu/
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
