LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 01-25-2006, 11:18 AM   #1
gian2oo1
Member
 
Registered: Oct 2004
Location: Rhode Island, USA
Distribution: Slackware... Simplicity is bliss.
Posts: 62

Rep: Reputation: 15
PROPOSAL: glibc with --noexec (new binary breaks PaX)


Hello,

I'd suggest to rebuild all required packages (libraries) with
CFLAGS -Wa,--noexecstack so that assembled modules get tagged
as not needing executable stacks.1

The new binaries break PaX2 and thus weaken kernel security if one is using PaX to protect from overflows.

Patched binaries for 10.1 have been released at:

http://www.cerebrallab.com/files.php...ectfolder&id=3

But binaries for newer slackware versions are not available.

I would like to send a formal request to Patrick to compile all future binaries with --noexecstack, but I felt it would be better to recieve input from the slackware community before doing such.

The problem seems to first arise from Debian and has already been fixed in their CVS.

I know it's a bother to recompile it, but it will, IMHO, improve security.

References:
1 http://forums.grsecurity.net/viewtop...r=asc&start=15

2 http://pax.grsecurity.net/

Thank you,

Gian G. Spicuzza
 
Old 01-26-2006, 08:56 PM   #2
cathectic
Member
 
Registered: Sep 2004
Location: UK, Europe
Distribution: Slackware64
Posts: 761

Rep: Reputation: 34
Quote:
The problem seems to first arise from Debian and has already been fixed in their CVS.
Sorry, but as far as I can see from your references, the exact opposite - this has *not* been fixed in Debian, and they're response was for the applications to make the necessary changes, although other people are producing Debian compatible packages that follow what you suggest?

Since this is a fairly large change, I very much doubt Pat will do it. However, you have nothing to lose by e-mailing him with the suggestion.
 
Old 01-31-2006, 02:08 PM   #3
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
There are unofficial libc packages in Debian that will allow you to close this up with mprotect in grsecurity and pax. Here are the lines to add to /etc/apt/sources.list:

# fixed libc6 for use with grsecurity-patch (not supported by debian, their
# libc6 contains a bug) and other fixed packages
deb http://debian.linux-systeme.com sid main
deb-src http://debian.linux-systeme.com sid main

Last edited by int0x80; 01-31-2006 at 04:05 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD vs Linux+PaX+SSP+RSBAC jakaro *BSD 3 06-23-2005 07:05 PM
Excluding a file when using pax tobycatlin Linux - General 9 04-28-2005 11:13 AM
what is nosuid, noexec & nodevel?? coolblue Linux - Newbie 3 03-14-2005 10:58 AM
A Modest Proposal shane25119 General 4 09-30-2004 06:24 PM
Redhat 8.0 glibc 2.3.x update breaks apps Yobgod Linux - Software 0 04-10-2003 07:09 PM


All times are GMT -5. The time now is 03:04 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration