-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

JHolder wrote:
| John Richard Moser said:
| [snip]
|
|>It's no secret that -fstack-protector-all breaks some programs that
|>- -fstack-protector doesn't (i.e. Firefox, Thunderbird, Mozilla). In case
|>of an 'autosspall' FEATURES flag and broken daemons, the 'apply-autossp
|>no-all' command could tell apply-autossp to use -fstack-protector and
|>NOT -fstack-protector-all.
|>
|
| Just out of curiosity, does anyone know if using libsafe
| (http://www.research.avayalabs.com/project/libsafe/) would tend to break
| programs?

According to http://www.trl.ibm.com/projects/security/ssp/node5.html ,
libsafe has greater overhead.

According to http://www.trl.ibm.com/projects/security/ssp/node4.html ,
libsafe does not protect local variable attacks (i.e. overflows that
succeed and damage local variables between the buffer and everything
else) and can't cover all string operations. Effectively, not as secure.

libsafe may be a nice fallback if you have programs that break with ssp;
although, in those cases, ssp normally tells you where they break, and
you go fix them.

| --
| gentoo-security@g.o mailing list
|

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUk95hDd4aOud5P8RAi9TAJ0QKwGE/03ovECAKW/XXglbPCTGgACfTO+/
OpiF9z0Ew+Envov7+sOY+Hk=
=qBXI
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
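
The "local variable attack" gap mentioned in the reply above, as an added example that is not part of the original message: a constructed C model in which an overflow stays inside the frame, so a libsafe-style bound lets it through, while an SSP-style layout puts the guard in its path. The struct layouts, the `GUARD` value and all function names are assumptions for illustration; libsafe is modelled only as "the write must end below the saved frame pointer" and SSP only as local reordering plus a guard compare.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame, low addresses first. Not a real ABI
   layout: the structs only fix the relative order of the objects. */
enum { BUF = 8 };
#define GUARD 0x5a5a5a5aUL                 /* constructed canary value */
struct frame_plain {                       /* no SSP: a scalar sits above buf */
    char buf[BUF];
    unsigned long authorized, saved_fp, ret;
};
struct frame_ssp {                         /* SSP: scalars below buf, guard above */
    unsigned long authorized;
    char buf[BUF];
    unsigned long guard, saved_fp, ret;
};
struct result { int allowed, local_corrupted, guard_tripped; };

/* libsafe-style rule: permit the write if it ends below the saved frame pointer. */
int libsafe_allows(size_t buf_off, size_t fp_off, size_t n) {
    return n <= fp_off - buf_off;
}
/* Write n bytes at buf in an unprotected frame, behind the libsafe-style check. */
struct result overflow_plain(size_t n) {
    struct frame_plain f = { {0}, 0, 1, 2 };
    size_t off = offsetof(struct frame_plain, buf);
    struct result r = { 0, 0, 0 };
    r.allowed = libsafe_allows(off, offsetof(struct frame_plain, saved_fp), n);
    if (r.allowed) memset((unsigned char *)&f + off, 'A', n);
    r.local_corrupted = (f.authorized != 0);
    return r;
}
/* Same write in an SSP-style frame: no interposer, guard compared afterwards. */
struct result overflow_ssp(size_t n) {
    struct frame_ssp f = { 0, {0}, GUARD, 1, 2 };
    size_t off = offsetof(struct frame_ssp, buf);
    struct result r = { 1, 0, 0 };
    if (n > sizeof f - off) n = sizeof f - off;    /* stay inside the model */
    memset((unsigned char *)&f + off, 'A', n);
    r.local_corrupted = (f.authorized != 0);
    r.guard_tripped = (f.guard != GUARD);          /* SSP would abort here */
    return r;
}
int main(void) {
    size_t n = BUF + sizeof(unsigned long);        /* buf plus one word */
    struct result p = overflow_plain(n), s = overflow_ssp(n);
    printf("plain: allowed=%d local_corrupted=%d\n", p.allowed, p.local_corrupted);
    printf("ssp: local_corrupted=%d guard_tripped=%d\n", s.local_corrupted, s.guard_tripped);
    return 0;
}
```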