Lots of new stuff this weekend. The majority of the Glibc tests should pass now. ld -pie is the only option left causing test failures, and hopefully that will be fixed by adding -no-pie to select places.
I started adding colors based on feature, so like ssp commands and descriptions and in red, pax patches/commands are in dark blue, pic/pie for aslr is in light blue because it's somewhat related to pax. I want to add more for fortify_source, blowfish, etc etc. Required stuff is normal black. I don't think it looks too lame. I'm hoping it will help us not use some features while using others... if you don't want to use blowfish then ignore its color. I found the -z lazy patch from binutils-cvs and added it. -z lazy is the default behavior of ld, -z now is the counterpart. It was not completely necessary, but since it is in upstream I figured why not. -no commands are a bit better documented in the book now too. -nonow is the only flag in the gcc specs which is not legitimate to gcc-vanilla/ld-vanilla. I couldn't use -lazy because -l is a linking option... it tries to find a library named azy.so. Added a program to test fortify_source against a strcpy() overflow, and -fstack-protector-all can be tested against the same program. I'm planning to add the strlcpy-strlcat glibc patch from Owl and see how it fares against the strcpy() overflow program. I'm quite sure strlcpy() performs much better than __strcpy_chk() and is probably just as safe. I'm also planning to add the gzip patch to use mktemp, which also means moving mktemp to /bin. The Owl sanitize-environment/enable-secure, for Glibc and Ncurses, look like a good deal too. And of course the blowfish library, again from Owl. I ported the formatguard Immunix patch to glibc-2.4 but have yet to get it to work. The changelog has more details. robert
pgp1Qn1IuhpEO.pgp
Description: PGP signature
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
