On Wed, Sep 16, 2015 at 07:24:02PM +0300, Alexander Todorov wrote:
> Including fedora-devel on this topic.
>
> On 12.09.2015 at 08:48, Dominik 'Rathann' Mierzejewski wrote:
>>>
>>> Question is how to deal with these because they appear to be in the hundreds?
>>
>> How many, exactly? We have around 20000 SRPMs in the distribution.
>
> From today's Rawhide snapshot my script counted around 4500
> offending packages. You can find links to the script and execution
> log here:
> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/
The majority of the packages of mine on this list fall into
three groups:
- erlang packages
- mingw packages
- ocaml packages
I'm pretty sure mingw packages should all be excluded. Who knows what
Windows uses (and who cares).
Erlang code generation is an unknown quantity.
For OCaml, I think you should ignore anything under %{libdir}/ocaml/
since those are development files. (Their contents may eventually end
up in a binary, but we can worry about that when we see the binary).
That removes most of the failures.
For OCaml binaries, it seems as if most of them are like this:
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH
./usr/bin/ocamlc.opt
As far as I understand it, the only problems there are "Partial RELRO"
which should in an ideal world be "Full RELRO"; and "No PIE".
I guess we can fix the RELRO problem by linking with -z now. It may
require a compiler patch.
The OCaml compiler doesn't support PIE but it does support -fPIC. I'm
not clear if there would be some way to link the -fPIC objects into a
PIE executable?
In general OCaml is much more robust against these kinds of attacks,
since you have to deliberately let your pointers "go wild" by using
special "unsafe_*" functions, and that's an immediate red flag when
reviewing code.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
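To make the "Partial RELRO" / "No PIE" verdicts in the checksec line above concrete, here is an added example (not code from the thread, from checksec, or from the OCaml project) that reimplements the RELRO, NX, PIE and RPATH/RUNPATH decisions of checksec.sh by reading the ELF64 program headers and dynamic section directly. It assumes little-endian ELF64 input and builds its own synthetic, non-runnable ELF images as constructed sample input, so it runs offline; the canary column is omitted because that needs the symbol table. The `build_elf`, `checksec` and `summarize` names are this example's own.

```python
"""Mini checksec: decide RELRO / NX / PIE / RPATH / RUNPATH from ELF64 headers.

Added example; assumes little-endian ELF64. Sample binaries are constructed
in build_elf() and are not real Fedora packages.
"""
import struct

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH = 0, 15, 24, 29
DT_FLAGS, DT_FLAGS_1 = 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def checksec(data):
    """Return the hardening state of an ELF64 image as a dict.

    Rules mirror checksec.sh: a PT_GNU_RELRO segment gives Partial RELRO, and
    it becomes Full only when the dynamic section also asks for BIND_NOW (the
    effect of linking with -z now: the GOT is resolved at load time and can then
    be remapped read-only). NX comes from the PT_GNU_STACK flags, PIE from e_type.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # Program headers as (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    by_type = {}
    for i in range(e_phnum):
        p = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        by_type.setdefault(p[0], p)

    # Walk the dynamic section (file offset = p_offset of PT_DYNAMIC) up to DT_NULL.
    tags = {}
    if PT_DYNAMIC in by_type:
        off, size = by_type[PT_DYNAMIC][2], by_type[PT_DYNAMIC][5]
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val

    bind_now = (DT_BIND_NOW in tags
                or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in by_type:
        relro = "No"
    elif bind_now:
        relro = "Full"
    else:
        relro = "Partial"

    stack = by_type.get(PT_GNU_STACK)
    return {
        "relro": relro,
        "nx": stack is not None and not (stack[1] & PF_X),  # no GNU_STACK: executable stack
        "pie": e_type == ET_DYN,
        "rpath": DT_RPATH in tags,
        "runpath": DT_RUNPATH in tags,
    }


def summarize(report):
    """Render a report in the one-line layout checksec prints (canary column omitted)."""
    return " ".join([
        f"{report['relro']} RELRO",
        "NX enabled" if report["nx"] else "NX disabled",
        "PIE enabled" if report["pie"] else "No PIE",
        "RPATH" if report["rpath"] else "No RPATH",
        "RUNPATH" if report["runpath"] else "No RUNPATH",
    ])


def build_elf(pie=False, relro=True, bind_now=False, exec_stack=False, runpath=False):
    """Construct a minimal, non-runnable ELF64 image with the requested properties.

    Constructed sample input for checksec() above; string-table offsets are dummies.
    """
    dyn = []
    if bind_now:  # what ld -z now emits (DT_BIND_NOW on old ld, the flag bits on new)
        dyn += [(DT_BIND_NOW, 0), (DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    if runpath:
        dyn.append((DT_RUNPATH, 0))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)

    types = [PT_LOAD, PT_DYNAMIC, PT_GNU_STACK] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(types)
    total = dyn_off + len(dyn_bytes)
    n = len(dyn_bytes)
    segs = {
        PT_LOAD: (PT_LOAD, PF_R | PF_X, 0, 0, 0, total, total, 0x1000),
        PT_DYNAMIC: (PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, n, n, 8),
        PT_GNU_STACK: (PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16),
        PT_GNU_RELRO: (PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, n, n, 1),
    }
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, SysV ABI
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(types), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*segs[t]) for t in types) + dyn_bytes


if __name__ == "__main__":
    print(summarize(checksec(build_elf())))                          # the ocamlc.opt shape
    print(summarize(checksec(build_elf(pie=True, bind_now=True))))   # after -z now and PIE
```

The first call reproduces the shape of the ocamlc.opt line quoted above (Partial RELRO, NX, no PIE); the second shows what the same checks report once the dynamic section carries BIND_NOW and e_type is ET_DYN. To run the checker on a real file, pass `open(path, "rb").read()` to `checksec`.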