Hello,

On Mon, Jan 23, 2012 at 09:06:38PM +0200, Török Edwin wrote:
> PIE refers to -fPIE from GCC of course.
> Using that flag doesn't completely prevent the exploit though.
...
> Apparently packages should adopt hardening flags for wheezy:
> http://wiki.debian.org/Hardening#State_of_implementation:
> > After their meeting on the 14-16 January 2011, the
> > debian security team announced in an email they
> > intend to push the inclusion of hardening features
> > for the wheezy release.
By the way, all packages that contain suid binaries (and/or libraries these
binaries depend on) should be hardened as much as possible anyway, and this
doesn't end with -fPIE. And IMO this shouldn't be intended to work around
CVE-2012-0056 (because ASLR/PIE doesn't prevent the kernel bug from being
exploited, according to the PaX team). But I'm fine with using CVE-2012-0056
as a trigger to incorporate some hardening into shadow.

xrgtn@ux380n:~$ hardening-check /usr/sbin/sshd
/usr/sbin/sshd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
xrgtn@ux380n:~$ hardening-check /bin/su
/bin/su:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
xrgtn@ux380n:~$

Nicolas, please consider what can be done to fix that (or at least some of
the above). Currently I'm reading the
http://wiki.debian.org/Hardening#Using_Hardening_Options part, but it's still
unclear to me how to apply this stuff to shadow builds (assuming that the last
time I built shadow was more than 4 years ago IIRC).

-- 
With best regards,
xrgtn
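An added example, not from this thread and not the hardening-check script itself: a small Python check of the three properties that hardening-check reads straight from the ELF headers (PIE from e_type, read-only relocations from a PT_GNU_RELRO segment, immediate binding from the dynamic table). The stack-protector and FORTIFY checks need the dynamic symbol table and are left out. It runs on two constructed ELF64 images built inside the block (stand-ins for the hardened sshd and the plain su above); the names check_hardening and build_elf are mine, and no real binary is read unless you pass paths on the command line.

```python
"""Minimal ELF64 hardening checker: the three properties hardening-check reads
from the ELF headers (PIE, RELRO, BIND_NOW), plus constructed test images."""
import struct
import sys

# ELF constants, as in <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def _parse_phdrs(data):
    """Return (e_type, [(p_type, p_offset, p_filesz), ...]) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_filesz))
    return e_type, phdrs


def _dynamic_entries(data, phdrs):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p_type, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN_SIZE):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val


def check_hardening(data):
    """Header-level checks only. Stack protector and FORTIFY need the dynamic
    symbol table (__stack_chk_fail, *_chk imports) and are not covered here."""
    e_type, phdrs = _parse_phdrs(data)
    types = [t for t, _, _ in phdrs]
    dyn = list(_dynamic_entries(data, phdrs))
    return {
        # ET_DYN plus a dynamic segment: a PIE. A shared library looks the same
        # at this level, so on a real .so also look for PT_INTERP before calling it a PIE.
        "pie": e_type == ET_DYN and PT_DYNAMIC in types,
        # -Wl,-z,relro emits a PT_GNU_RELRO segment the loader remaps read-only.
        "relro": PT_GNU_RELRO in types,
        # -Wl,-z,now: DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1.
        "bind_now": any(
            tag == DT_BIND_NOW
            or (tag == DT_FLAGS and val & DF_BIND_NOW)
            or (tag == DT_FLAGS_1 and val & DF_1_NOW)
            for tag, val in dyn),
    }


def build_elf(e_type, relro, dyn_entries):
    """Constructed test image (no code, no sections): ELF header, program
    headers and a dynamic table. e_machine is x86-64 (62)."""
    phdr_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR_SIZE + len(phdr_types) * PHDR_SIZE
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
            + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, EHDR_SIZE, 0, 0,
                          EHDR_SIZE, PHDR_SIZE, len(phdr_types), 0, 0, 0))
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
                     for t in phdr_types)
    return ehdr + phdrs + dyn


# Constructed stand-ins for the two binaries in the mail: one built like the
# hardened sshd (PIE, relro, now), one like the plain /bin/su.
HARDENED = build_elf(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
PLAIN = build_elf(ET_EXEC, False, [])


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /bin/su /usr/sbin/sshd
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Pointed at a real binary this reports the same three lines hardening-check derives from `readelf -h`, `readelf -l` and `readelf -d`; the remaining two (stack protector, fortify) come from `readelf -s`, which is why a binary built with -fstack-protector but linked without -z relro / -z now still shows the mixed results the su output above does.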