Package: gcc-mingw-w64-x86-64-win32-runtime
Version: 10.2.1-6+24.2
Severity: important
X-Debbugs-Cc: tim.ko...@filezilla-project.org
Dear Maintainer,
I have noticed that libgcc_s_seh-1.dll as distributed by this package
has not been built with support for the NX and ASLR security features
enabled, as can be seen with objdump:
~$ x86_64-w64-mingw32-objdump -p /usr/lib/gcc/x86_64-w64-mingw32/10-win32/libgcc_s_seh-1.dll | grep DllCharacteristics
DllCharacteristics 00000000
It looks like the other .dlls in this package are also missing these
important flags. I have not checked whether this affects the
corresponding package with the 32bit DLLs.
This is a regression from buster, where this file is built with support
for both features:
~$ x86_64-w64-mingw32-objdump -p /usr/lib/gcc/x86_64-w64-mingw32/8.3-win32/libgcc_s_seh-1.dll | grep DllCharacteristics
DllCharacteristics 00000160
According to
https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32,
00000160 decomposes into
IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and
IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA
These libraries should be built with both mitigations enabled.
Regards,
Tim Kosse
-- System Information:
Debian Release: 11.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-0.bpo.5-amd64 (SMP w/32 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages gcc-mingw-w64-x86-64-win32-runtime depends on:
ii gcc-mingw-w64-base 10.2.1-6+24.2
gcc-mingw-w64-x86-64-win32-runtime recommends no packages.
gcc-mingw-w64-x86-64-win32-runtime suggests no packages.
-- no debconf information
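
The check from the report, as an added example that is not part of the original report or of the package: it reads DllCharacteristics directly from the PE headers and names the mitigation bits that are missing. The function names are hypothetical and the header-only sample images are constructed; the two flag values tested at the end are the ones quoted in the report.

```python
import struct

# Flag values as defined in winnt.h for the DllCharacteristics field.
MITIGATION_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def read_dll_characteristics(image: bytes):
    """Return (is_64bit, DllCharacteristics) from a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20  # skip signature and COFF file header
    if len(image) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", image, opt_off + DLLCHAR_OFFSET)
    return magic == PE32PLUS_MAGIC, flags


def missing_mitigations(image: bytes):
    """List the mitigation flags that are not set in the image."""
    is_64bit, flags = read_dll_characteristics(image)
    wanted = dict(MITIGATION_FLAGS)
    if not is_64bit:
        del wanted[0x0020]  # high-entropy ASLR only applies to 64-bit images
    return [name for bit, name in sorted(wanted.items()) if not flags & bit]


def constructed_header(flags: int, magic: int = PE32PLUS_MAGIC) -> bytes:
    """Constructed sample: header-only PE stub carrying the given flags."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for value in (0x0000, 0x0160):  # the two values quoted in the report
        print(f"{value:#06x}", missing_mitigations(constructed_header(value)))
```

To scan an installed tree, pass each DLL's contents (for example `open(path, "rb").read()`) to `missing_mitigations` and flag any file with a non-empty result.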