1 |
Dear Gentoo developers, |
2 |
|
3 |
when Dr. Etoh has finished working on the new updated propolice patches, |
4 |
influenced by our extensive testing, which will then make it into the |
5 |
-r4 versions of current glibc and gcc, i would like the responsible |
6 |
rollout teams to create new livecd's and new stages 1-3 to get the final |
7 |
steps of the gcc/glibc propolice migration done in the first quarter of |
8 |
2004. |
9 |
|
10 |
This includes normal environments as well as the hardened livecd and/or |
11 |
stages for etdyn-ssp and selinux support. |
12 |
|
13 |
All supported hardware platforms, except hppa where propolice cannot be |
14 |
utilized due to an upgrowing stack, are affected by the last steps of |
15 |
the propolice migration on Gentoo Linux. |
16 |
|
17 |
At the moment, most if not all livecd and the stages found in the field |
18 |
and on the mirrors contain a glibc without the guard symbols and a gcc |
19 |
with the guard symbols in place. |
20 |
|
21 |
When a user installs a fresh system, she or he has to obey certain baby |
22 |
steps to create a working condition for using propolice either in |
23 |
make.conf:CFLAGS or with the available hardened-gcc packages. |
24 |
|
25 |
It is also important for ensuring gcc -static not failing with an error |
26 |
message describing multiple occurrences of symbols, this error message |
27 |
with running "gcc -static" may even happen without using the propolice |
28 |
-fstack-protector in CFLAGS or having hardened-gcc on a system, it is |
29 |
produced by the linker detecting multiple copies of the propolice object |
30 |
and functions in glibc and libgcc during the final -static linking run |
31 |
when the glibc has been compiled with the guard patch and the gcc in |
32 |
place has not yet been compiled with the move-propolice-to-glibc patch. |
33 |
|
34 |
recommended procedure for stage3: |
35 |
= emerge sync (get the current portage tree from the internet) |
36 |
- emerge glibc gcc (this will emerge glibc-2.3.2-r3 and gcc-3.2.3-r3) |
37 |
- emerge =uv system |
38 |
|
39 |
recommended procedure for stage2: |
40 |
= emerge sync (get the current portage tree from the internet) |
41 |
- emerge glibc gcc (this will emerge glibc-2.3.2-r3 and gcc-3.2.3-r3) |
42 |
- emerge system |
43 |
|
44 |
The updated glibc emerge will add the guard object and the necessary |
45 |
functions from propolice to the glibc and the following gcc emerge will |
46 |
remove the guard object and the corresponding functions. |
47 |
|
48 |
Also because of the migration, users of stage1 can experience |
49 |
bootstrap.sh problems due to the fact that the glibc may get emerged |
50 |
after the gcc which will then lead to the situation that gcc has not |
51 |
removed the propolice guard object and the setup functions due to a |
52 |
glibc not found on the system that has the guard object. |
53 |
|
54 |
When we can make sure that stage1 bootstrap.sh does the emerge of the |
55 |
glibc before gcc gets emerged during bootstrapping, we are safe. |
56 |
Otherwise subsequent emerges of ebuilds could fail with -static error |
57 |
messages or in the case of hardened with -fstack-protector failing on |
58 |
ebuilds. |
59 |
|
60 |
Thanks for your attention and patience with the hardened team. |
61 |
|
62 |
So far, the scanner script utilized in the gcc ebuild is generating only |
63 |
true positives and is urging users to reinstall the components depending |
64 |
on the __guard object in the libgcc before the gcc can be emerged. |
65 |
This will prevent systems from getting inconsistent due to binaries like |
66 |
python2.2 relying on the libgcc __guard object. |
67 |
Please do not remove or tamper with this safety belt in the ebuild. |
68 |
You can contact me and get information from the comments in the bug |
69 |
25299 about the procedures necessary for the migration. |
70 |
|
71 |
The author of PaX is preparing a propolice supported, text relocation |
72 |
free, etdyn-based XFree86 server with a dynamic library module loading |
73 |
mechanism instead of the old ELF-based method. |
74 |
|
75 |
Also, the emerging of openoffice with hardened-gcc -yet_exec using |
76 |
propolice is not yet failing here with gcc ICE after some hours |
77 |
compiling time, if this finally succeeds, gcc-3.3.2-r3 will be the first |
78 |
known good gcc to compile openoffice with the propolice stack-protector. |
79 |
|
80 |
I would like to give credit to the involved Gentoo developers and |
81 |
testers, the upstream and related security specialists in the vicinity |
82 |
of the Gentoo Hardened sub-projects for their ongoing commitment and |
83 |
leading solution support in the sector of host-based userland hardening |
84 |
- without the combined efforts and the widely available helping hands in |
85 |
the whole Gentoo developer community, these advancements would have |
86 |
never been possible. |
87 |
|
88 |
Alexander |
89 |
-- |
90 |
Alexander Gabert <pappy@g.o> |
91 |
http://www.gentoo.org/proj/en/hardened |
92 |
|
93 |
|
94 |
-- |
95 |
gentoo-dev@g.o mailing list |