| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
JHolder wrote: |
| 7 |
| John Richard Moser said: |
| 8 |
| [snip] |
| 9 |
| |
| 10 |
|>It's no secret that -fstack-protector-all breaks some programs that |
| 11 |
|>- -fstack-protector doesn't (i.e. Firefox, Thunderbird, Mozilla). In case |
| 12 |
|>of an 'autosspall' FEATURES flag and broken daemons, the 'apply-autossp |
| 13 |
|>no-all' command could tell apply-autossp to use -fstack-protector and |
| 14 |
|>NOT -fstack-protector-all. |
| 15 |
|> |
| 16 |
| |
| 17 |
| |
| 18 |
| Just out of curiousity, does anyone know if using libsafe |
| 19 |
| (http://www.research.avayalabs.com/project/libsafe/) would tend to break |
| 20 |
| programs? |
| 21 |
|
| 22 |
According to http://www.trl.ibm.com/projects/security/ssp/node5.html , |
| 23 |
libsafe has greater overhead. |
| 24 |
|
| 25 |
According to http://www.trl.ibm.com/projects/security/ssp/node4.html , |
| 26 |
libsafe does not protect local variable attacks (i.e. overflows that |
| 27 |
succeed and damage local variables between the buffer and everything |
| 28 |
else) and can't cover all string operations. Effectively, not as secure. |
| 29 |
|
| 30 |
libsafe may be a nice fallback if you have programs that break with ssp; |
| 31 |
although, in those cases, ssp normally tells you where they break, and |
| 32 |
you go fix them. |
| 33 |
|
| 34 |
| -- |
| 35 |
| gentoo-security@g.o mailing list |
| 36 |
| |
| 37 |
| |
| 38 |
|
| 39 |
- -- |
| 40 |
All content of all messages exchanged herein are left in the |
| 41 |
Public Domain, unless otherwise explicitly stated. |
| 42 |
|
| 43 |
-----BEGIN PGP SIGNATURE----- |
| 44 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 45 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 46 |
|
| 47 |
iD8DBQFBUk95hDd4aOud5P8RAi9TAJ0QKwGE/03ovECAKW/XXglbPCTGgACfTO+/ |
| 48 |
OpiF9z0Ew+Envov7+sOY+Hk= |
| 49 |
=qBXI |
| 50 |
-----END PGP SIGNATURE----- |
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-security@g.o mailing list |
Archives