I guess all the community members should say thank you to PaxTeam for pointing out such mistakes.
Who would be the best to push through a fix in glibc?

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962

On Fri, March 20, 2009 23:31, [email protected] wrote:
> On 19 Mar 2009 at 12:46, John Eckhart wrote:
>
>> It seems like we have a multiway catch22 as the fix for the kernel was
>> correct from both a security and a "trueness to specification" standpoint
>> and the fix for glibc will likely be a long time in coming. Based on that, I
>> would think that the best "gentoo" fix is to put the execstack call into the
>> ebuild (conditionally run on the hardened use flag). However, execstack is
>> part of the prelink, which, by nature, is not compatible with hardened. Any
>> suggestions how to proceed?
>
> prelink is compatible with PaX/ASLR as the mmap address hint is simply ignored
> there. in any case, playing the GNU_STACK games has only one logical end that
> i've advocated since the beginning: ignore it for good. for glibc in this case
> that means moving __stack_prot out of RELRO.
