[Pkg-shadow-devel] Bug#657010: Bug#657010: [login] 'su' should be PIE

Alexander Gattin xrgtn at yandex.ru
Tue Jan 24 12:28:48 UTC 2012


Hello,

On Mon, Jan 23, 2012 at 09:06:38PM +0200, Török Edwin wrote:
> PIE refers to -fPIE from GCC of course.
> Using that flag doesn't completely prevent the exploit though.
...
> Apparently packages should adopt hardening flags for wheezy:
> http://wiki.debian.org/Hardening#State_of_implementation:
> > After their meeting on the 14-16 January 2011, the
> > debian security team announced in an email they
> > intend to push the inclusion of hardening features
> > for the wheezy release.

By the way, all packages that contain suid
binaries (and/or libraries these binaries depend
on) should be hardened as much as possible anyway,
and this doesn't end with -fPIE. And IMO this
shouldn't be intended to work around
CVE-2012-0056 (because ASLR/PIE doesn't prevent
the kernel bug from being exploited, according to
the PaX team).

But I'm fine with using CVE-2012-0056 as a trigger
to incorporate some Hardening into shadow.

xrgtn@ux380n:~$ hardening-check /usr/sbin/sshd
/usr/sbin/sshd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
xrgtn@ux380n:~$ hardening-check /bin/su
/bin/su:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
xrgtn@ux380n:~$

Nicolas, please consider what can be done to fix
that (or at least some of the above).

Currently I'm reading the
http://wiki.debian.org/Hardening#Using_Hardening_Options
part, but it's still unclear to me how to apply
this stuff to shadow builds (assuming that the
last time I built shadow was more than 4 years ago
IIRC).

-- 
With best regards,
xrgtn