Bug#656656: Please enable hardened build flags
Russ Allbery
rra at debian.org
Fri Jan 27 20:31:26 UTC 2012
Kees Cook <kees at debian.org> writes:
> First of all, in debian/rules:
> # Enable compiler hardening flags.
> export DEB_BUILD_MAINT_OPTIONS = all
> Was this intended to be:
> export DEB_BUILD_MAINT_OPTIONS = hardening=all
> This may cause trouble with the .so's -fPIC bits, so you can probably
> leave the entire line off, unless you want to enable bindnow:
> export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
Ack, yes, I did that completely incorrectly. Thank you. I'm fixing that
now. hardening=+bindnow is indeed what I'm going to use, and I was just
completely confused before.
> However, as pointed out earlier in the bug, raw "memcpy()" is still
> visible. This is, ultimately, because the code is performing a check
> that neither the compile-time nor run-time code knows how to deal with
> (i.e. a dynamically sized destination). In this case (and in the case of
> being always safe at compile-time), the macros end up just using
> memcpy() directly:
Aha, okay. Thank you for the clarification!
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
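The compile-time limitation Kees describes above, as an added example that is not part of the bug thread or of the package's own code (the function names are mine): FORTIFY_SOURCE can only substitute a checked copy when the compiler can resolve the destination's size, which `__builtin_object_size` reports as `(size_t)-1` for a buffer sized at run time.

```c
/* Added example: why a fortified build still emits a raw memcpy() when the
 * destination is dynamically sized.  Built with GCC or Clang. */
#include <stdlib.h>
#include <string.h>

/* Fixed-size local array: the compiler knows sizeof(dest), so the fortify
 * macro can rewrite memcpy() into the bounds-checked __memcpy_chk(). */
size_t fixed_dest_object_size(void)
{
    char dest[32];
    memset(dest, 0, sizeof dest);
    return __builtin_object_size(dest, 0);   /* 32: size known */
}

/* Heap buffer whose length is only known at run time: there is no size for
 * the compiler to check against, so the macro falls back to plain memcpy().
 * __builtin_object_size reports this "unknown" case as (size_t)-1. */
size_t dynamic_dest_object_size(size_t n)
{
    volatile size_t len = n;          /* keep the length opaque to the optimizer */
    char *dest = malloc(len);
    if (dest == NULL)
        return 0;                     /* allocation failure: nothing to measure */
    size_t known = __builtin_object_size(dest, 0);
    free(dest);
    return known;
}

/* 1 when the fortify check would be skipped for a destination of this kind. */
int dynamic_dest_is_unknown(size_t n)
{
    return dynamic_dest_object_size(n) == (size_t)-1;
}
```

Seeing a bare `memcpy` import in `objdump -T` or `readelf` output on such a binary is therefore expected, not evidence that the hardening flags were dropped.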