Gentoo Archives: gentoo-hardened

From: Joshua Brindle <method@g.o>
To: "Boyd, Waters, " <bwaters+kde@××××××××××××.EDU>, gentoo-hardened@g.o, "Waters, Boyd" <bwaters+kde@××××××××.edu>
Subject: [gentoo-hardened] Re: Stack-Smashing GCC experiments (gcc-3.2.2-r3.ebuild)
Date: Fri, 11 Apr 2003 12:27:40
Message-Id: 20030411T072223Z_B95E00150000@gentoo.org
1 Ok, it looks like you probably merged 3.2.2-r3 before we added
2 propolice there, so you'll need to recompile that.
3
4 just rsync and try to emerge it, those digests are a bit flakey
5 but it eventually works (we are working on this)
6
7 also, the correct CFLAG to use is "-fstack-protector" nothing
8 else will work.
9
10 if you want a stack protected Xfree you *must* install xfree-4.3.0-r2
11 (it's masked for testing), it's the only one with the patches required
12 to work with propolice. If you find any other apps that break with
13 propolice please write us a bug and assign it to "hardened@g.o"
14
15 Thanks..
16
17
18 Joshua Brindle
19
20 >>> Boyd Waters <bwaters+kde@××××××××.edu> 04/10/03 09:43PM >>>
21 Joshua:
22
23 Thanks again for making this happen with GCC-3.2.2...
24
25 My previous post was unclear, so here's another try: although portage/ebuild
26 on my system thought that gcc-3.2.2-r3 was already merged, the gcc-3.2.2 that
27 I had did not have the patches applied.
28
29 I suspect that I injected -r3 to aviod a large ebuild in the middle of some
30 other world updates this past weekend... let me check... hmm, no, I installed
31 3.2.2-r3 on March 16th, in the course of an enormous world update (39
32 pacakges)... so I think that it was emerged normally... but I can't be
33 certain, and "inject" is the sort of thing that I would do!
34
35 So I thought that I had 3.2.2-r3 installed, so I tried to add -fstack-protect
36 to my CFLAGS. The first time I tried to build something after that, cc1 died
37 with an "unrecognized flag" error complaining about this... and a
38 gcc --version reported NO indication of propolice.
39
40 Hmmm... I performed "ebuild /usr/portage/sys-devel/gcc/gcc-3.2.2-r3.ebuild"
41 and that's when I started getting the complaints about missing patch distros.
42 But "emerge --fetchonly" or "ebuild ... fetch" would NOT retrieve the files.
43
44 I was able to emerge the -r3 package just fine after I pulled the two
45 offending patch tarballs manually: it built without a hitch, and I been
46 building kdebase-3.1.1a all evening with it, with -fstack-protect in the
47 CFLAGS.
48
49 I would rather not chase this one too much. I strongly suspect user error
50 (me) -- in that I might have injected the -r3, thinking that it was just a
51 "tip" build (no significant changes) -- and unmerging gcc to re-merge the
52 package "clean" is rather frought.
53
54 I have a VMWare image of a "clean", from-stage1-image that I'm tinkering
55 with, building up a clone of my everyday system from a bare system by
56 indentifying the packages that I use and only installing those. So maybe next
57 week I will take the time to install gcc-3.2.2-r3 on a "clean" system;
58 hopefully I will be able to report my results of building an entire system
59 with no-stack-smashing in about ten days!
60
61 -- boyd
62
63 On Thursday 10 April 2003 05:07 pm, Joshua Brindle wrote:
64
65 > first, "-fstack-protector" should work fine..
66 >
67 > second, just emerge rsync and try again with that ebuild..
68 >
69 > if you still have problems write a bug and assign it to me or frogger..
70 >
71 > we have several testers for propolice gcc already and am fixing
72 > ebuilds where -fstack-protector isn't appropriate, but we are not done
73 > if anyone wants to test this and tell us about ebuilds where it breaks
74 > that would be great.. thanks
75 >
76 > Joshua Brindle
77
78
79
80 --
81 gentoo-hardened@g.o mailing list