PROPOSAL: glibc with --noexec (new binary breaks PaX)
Hello,
I'd suggest to rebuild all required packages (libraries) with CFLAGS -Wa,--noexecstack so that assembled modules get tagged as not needing executable stacks.1 The new binaries break PaX2 and thus weaken kernel security if one is using PaX to protect from overflows. Patched binaries for 10.1 have been released at: http://www.cerebrallab.com/files.php...ectfolder&id=3 But binaries for newer slackware versions are not available. I would like to send a formal request to Patrick to compile all future binaries with --noexecstack, but I felt it would be better to recieve input from the slackware community before doing such. The problem seems to first arise from Debian and has already been fixed in their CVS. I know it's a bother to recompile it, but it will, IMHO, improve security. References: 1 http://forums.grsecurity.net/viewtop...r=asc&start=15 2 http://pax.grsecurity.net/ Thank you, Gian G. Spicuzza |
Quote:
Since this is a fairly large change, I very much doubt Pat will do it. However, you have nothing to lose by e-mailing him with the suggestion. |
There are unofficial libc packages in Debian that will allow you to close this up with mprotect in grsecurity and pax. Here are the lines to add to /etc/apt/sources.list:
# fixed libc6 for use with grsecurity-patch (not supported by debian, their # libc6 contains a bug) and other fixed packages deb http://debian.linux-systeme.com sid main deb-src http://debian.linux-systeme.com sid main |
All times are GMT -5. The time now is 05:07 PM. |