On Sunday, September 16, 2018, Wes Turner <wes.tur...@gmail.com> wrote:
> Should Python builds add `-mindirect-branch=thunk
> -mindirect-branch-register` to CFLAGS?
>
> Where would this be to be added in the build scripts with which
> architectures?
>
> /QSpectre is the MSVC build flag for Spectre Variant 1:
>
> > The /Qspectre option is available in Visual Studio 2017 version 15.7 and
> > later.
>
> https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017
>
> security@ directed me to the issue tracker / lists,
> so I'm forwarding this to python-dev and python-ideas, as well.
>
> # Forwarded message
> From: *Wes Turner* <wes.tur...@gmail.com>
> Date: Wednesday, September 12, 2018
> Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk
> -mindirect-branch-register
> To: distutils-sig <distutils-...@python.org>
>
> Should C extensions that compile all add
> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the
> risk of Spectre variant 2 (which does indeed affect user space applications
> as well as kernels)?
>
> [1] https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244
> [2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
> [3] https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants
>
> On Wednesday, September 12, 2018, Wes Turner <wes.tur...@gmail.com> wrote:
>>
>>> On Wednesday, September 12, 2018, Joni Orponen <j.orpo...@4teamwork.ch>
>>> wrote:
>>>
>>>> On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <wes.tur...@gmail.com>
>>>> wrote:
>>>>
>>>>> Should C extensions that compile all add
>>>>> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate
>>>>> the risk of Spectre variant 2 (which does indeed affect user space
>>>>> applications as well as kernels)?
>>>>>
>>>>
>>>> Are those available on GCC <= 4.2.0 as per PEP 513?
>>>>
>>>
>>> AFAIU, only
>>> GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled
>>> by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.
>>>
>>
> On Wednesday, September 12, 2018, Wes Turner <wes.tur...@gmail.com>
> wrote:
>
>> "What is a retpoline and how does it work?"
>> https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work
>>
>> There's probably already been an ANN announce about this?
>>
>> If not, someone with appropriate security posture and syntax could address:
>>
>> - Whether python.org binaries are already rebuilt
>> - Whether OS package binaries are already rebuilt
>> - Whether anaconda binaries are already rebuilt
>> - Whether C extension binaries on pypi are already rebuilt
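
One way to check a given build against the questions raised in this thread, as an added example that is not part of the original message or of CPython's build scripts: it reads the CFLAGS recorded for the running interpreter and probes whether the local compiler accepts the two GCC flags. The function names are hypothetical, and the rule that a later `-mindirect-branch=` replaces an earlier one is assumed from GCC's usual option handling.

```python
import shlex
import subprocess
import sysconfig
import tempfile
from pathlib import Path

# The two GCC flags named in the thread (x86 / x86-64 options).
RETPOLINE_FLAGS = ["-mindirect-branch=thunk", "-mindirect-branch-register"]

def retpoline_status(cflags):
    """Report which of the thread's two flags a CFLAGS string carries."""
    mode, register = None, False
    for tok in shlex.split(cflags or ""):
        if tok.startswith("-mindirect-branch="):
            mode = tok.split("=", 1)[1]  # assumed: a later occurrence wins
        elif tok == "-mindirect-branch-register":
            register = True
    thunk = mode is not None and mode.startswith("thunk")
    return {"mode": mode, "register": register, "both_flags": thunk and register}

def compiler_accepts(cc, flags=RETPOLINE_FLAGS):
    """Compile a one-line C file with the flags.

    True/False is the compiler's verdict (False on an older GCC or a
    non-x86 target); None means the compiler could not be run at all.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "probe.c"
        obj = Path(tmp) / "probe.o"
        src.write_text("int probe(void) { return 0; }\n")
        cmd = shlex.split(cc) + list(flags) + ["-c", str(src), "-o", str(obj)]
        try:
            done = subprocess.run(cmd, capture_output=True, timeout=60)
        except (OSError, subprocess.SubprocessError):
            return None
        return done.returncode == 0

def report():
    """Status of the running interpreter's recorded build flags and compiler."""
    # CFLAGS and CC come from the build Makefile; both are None on Windows.
    cflags = sysconfig.get_config_var("CFLAGS") or ""
    cc = sysconfig.get_config_var("CC") or "cc"
    return {"interpreter": retpoline_status(cflags),
            "cc": cc, "cc_accepts": compiler_accepts(cc)}

if __name__ == "__main__":
    print(report())
```

The recorded CFLAGS describe how the interpreter itself was configured; a C extension built elsewhere may have been compiled with different flags.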