On Sat, Jul 1, 2017 at 09:54 AM, arch-general <arch-general(a)archlinux.org> wrote:
> > On 2016-10-24 05:56, Allan McRae wrote:
> > > 1) building gcc to enable PIE by default
> >
> > I am in the middle of rebuilding gcc with --enable-default-pie. When it
> > finishes, I will start a todo for rebuilding packages with static libraries.
> >
> > I also enabled --enable-default-ssp, which means that
> > -fstack-protector-strong will be dropped from our CFLAGS (as it will be
> > enforced by gcc) on the next opportunity.
> >
> > Bartłomiej
>
> Does --enable-default-ssp also enforce -fstack-check=specific to protect
> from stack clash [1]? Gentoo does it (except on vlc and tcl, which do not
> build, but those are upstream bugs) [2].
>
> [1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
> [2] https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash
>
> Pablo Lezaeta
No, it doesn't, but the original plan [1] was to add -fstack-check, -fno-plt and
-z,now to the default flags in makepkg.conf. I hope the Pacman maintainer will add
those before the mass rebuild starts so everything will be done at once.

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html
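As an added illustration (not code from this thread, from Arch's packaging tools, or from gcc), the following Python script checks whether the toolchain defaults discussed above actually ended up in a built binary: PIE from --enable-default-pie shows up as an ELF type of ET_DYN, and -z,now as the BIND_NOW flag in the dynamic section; it also reports PT_GNU_RELRO and whether PT_GNU_STACK requests a non-executable stack. The stack protector and -fstack-check leave no ELF metadata (one needs a symbol-table or disassembly check for those), so the script does not claim to verify them. The two sample images it builds are constructed in-line so the check can be exercised without compiling anything; the field layouts and tag values are the standard ELF64 ones.

```python
"""Verify toolchain hardening on a built ELF64 binary without external tools.

Parses only the ELF header, program headers and the dynamic section, so it
needs nothing but the standard library. Properties reported:
  pie        e_type == ET_DYN (what --enable-default-pie should produce)
  nx_stack   PT_GNU_STACK present and not executable
  relro      PT_GNU_RELRO present (-z,relro)
  bind_now   DT_FLAGS has BIND_NOW or DT_FLAGS_1 has NOW (-z,now)
  full_relro relro and bind_now together
Limitation: the stack protector and -fstack-check leave no ELF metadata, so
they are not checked here.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)
DYN = struct.Struct("<qQ")                  # ELF64 dynamic entry (16 bytes)


def check_hardening(data: bytes) -> dict:
    """Return the hardening properties of an ELF64 little-endian image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS, EI_DATA
        raise ValueError("only ELF64 little-endian images are handled")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("malformed program header table")

    # Without PT_GNU_STACK the loader gets no explicit NX request, so the
    # stack is reported as not hardened until a header proves otherwise.
    result = {"pie": e_type == ET_DYN, "nx_stack": False,
              "relro": False, "bind_now": False}
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * PHDR.size)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # A fully static binary has no dynamic section: there is nothing to bind.
    if dynamic is not None:
        off, size = dynamic
        if off + size > len(data):
            raise ValueError("dynamic section outside the file")
        for pos in range(off, off + size - DYN.size + 1, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie: bool, bind_now: bool, exec_stack: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested
    properties (constructed sample input for exercising check_hardening)."""
    phnum = 3
    phoff = EHDR.size
    dyn_off = phoff + phnum * PHDR.size
    dyn = b"".join(DYN.pack(tag, val) for tag, val in [
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, DF_1_NOW if bind_now else 0),
        (DT_NULL, 0),
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = b"".join([
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8),
        PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
        PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1),
    ])
    return ehdr + phdrs + dyn


def report(path: str) -> dict:
    """Check a binary on disk and print one line per property."""
    with open(path, "rb") as f:
        props = check_hardening(f.read())
    for name, ok in props.items():
        print(f"{name:11s} {'yes' if ok else 'NO'}")
    return props


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])
    else:  # no path given: demonstrate on the constructed images
        print(check_hardening(build_sample_elf(True, True, False)))
        print(check_hardening(build_sample_elf(False, False, True)))
```

Run it as `python3 check_hardening.py /path/to/binary` after a rebuild to confirm the new defaults took; `readelf -h`, `readelf -lW` and `readelf -d` show the same header fields and flags if you prefer the binutils tools.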