Hi Kees,

On Mon, Aug 24, 2009 at 07:04:01PM -0700, Kees Cook wrote:
> It seems that john is built (in some situation) against assembly code that
> lacks stack markings[1]. This results in the entire program being built
> with an executable stack.
>
> The attached patch solves this by adding a default ASFLAGS option to turn
> off executable stacks when assembling.

Yes, I am aware of this issue - for some years now, in fact. I did not
fix it yet because I was worried that the proposed fixes would break
portability to some older and/or non-Linux systems, and I did not have
time to check (had more important stuff to do).

Well, I checked the .section approach as used by Gentoo on an 11-year-old
Linux system just recently - and it worked (in the sense that it did not
break the compile). So I think I will just use it with a proper #ifdef.

As to the ASFLAGS change, it does break things on this same ancient
system:

gcc -c -Wa,--noexecstack x86.S
/usr/i486-linux/bin/as: unrecognized option `--noexecstack'
GNU assembler version 980303 (i586-linux), using BFD version 2.8.1.0.23

Meanwhile, it is up to you to choose any of these approaches for the
Debian and Ubuntu packages.

On a related note, I think that exec-shield lacks an enforcing mode
(sysctl'able) where it would ignore those flags, because most binaries
that it treats as potentially requiring executable stack actually don't.

Thanks,

Alexander

--
Pkg-john-devel mailing list
Pkg-john-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-john-devel