[Openvas-distro] Hardening OpenVAS
Tim Brown
timb at openvas.org
Wed Aug 19 20:54:24 CEST 2009
On Wednesday 19 August 2009 16:25:52 Stephan Kleine wrote:
> I would love it if you fix your code to comply with those. E.g.
> Mandriva 2009.1 uses "-Werror=format-security" by default and
> currently all builds for it are broken (see
> http://wald.intevation.org/tracker/index.php?func=detail&aid=1051&group_id=29&atid=220 )
Curious, that builds fine for me on Debian using the same flags... I didn't get
a similar error... In fact, the latest versions of all key modules build
fine. Looks like Felix's patch (in the bug report), which is in trunk and
current releases, does the trick in the first case. The later cases you report
are a bug^Wfeature in gcc IMO. It does not appear that gcc is able to
determine that the format string is generated by GNU gettext and therefore
throws a wobbly. Not sure how to resolve, so if anyone else has thoughts I'd
be pleased to hear them. *wanders over to gcc on FreeNode*
> Also most newer distros already use -D_FORTIFY_SOURCE=2 and
> -fstack-protector so those shouldn't be a problem.
Yes, I know. My original thoughts were primarily around being a good Debian
citizen and applying the hardening wrapper, but I figured I might as well let
other package maintainers know.
> Regarding -fPIE -pie, ld -z relro & ld -z now I have no idea but just
> would like to ask you to only use them __additionally__ to the distros
> compilation flags in $RPM_OPT_FLAGS (and whatever Debian uses) instead
> of trying to replace them.
At this stage I'm not proposing to change the underlying build platform but
simply turn on hardening for Debian. Of course if it works, then we might
consider how to extend it out to be the default irrespective of the platform.
Tim
--
Tim Brown
<mailto:timb at openvas.org>
<http://www.openvas.org/>
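An added example, not code from the OpenVAS tree or from either poster, illustrating the gettext case the reply above leaves open. gcc's -Wformat-security fires when the format argument is not a string literal and no further arguments follow, which is exactly what printf(_("...")) looks like; gettext returns text loaded from a .mo catalog at run time, so the compiler is right that it cannot vouch for it. The pattern that builds cleanly under -Werror=format-security and keeps the check is to pass the translation as an argument to a literal "%s" format, or to route formatted messages through a wrapper marked with the printf format attribute. Everything here is constructed for the example: fake_gettext and its two catalog entries stand in for gettext(), and the print_plain, print_fmt, print_checked and count_directives helpers are hypothetical names, not OpenVAS APIs.

```c
#include <stdio.h>
#include <string.h>
#include <stdarg.h>

/* Constructed stand-in for gettext(): translations are data loaded at run
 * time, which is why gcc cannot treat them as literals. The second entry
 * models a bad catalog: directives inserted into a message that takes no
 * arguments. */
static const char *fake_gettext(const char *msgid)
{
    static const struct { const char *id, *str; } catalog[] = {
        { "Scan finished",     "Scan beendet" },
        { "Connection closed", "Verbindung %x %n geschlossen" },
    };
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (strcmp(catalog[i].id, msgid) == 0)
            return catalog[i].str;
    return msgid;
}
#define _(s) fake_gettext(s)

/* BAD: non-literal format, no arguments. -Wformat-security warns here and
 * -Werror=format-security turns it into a build failure. With the bad
 * catalog entry this reads a stack slot (%x) and writes memory (%n).
 * Compiled out and never called on purpose. */
#ifdef SHOW_BAD
static int print_bad(char *out, size_t n, const char *msgid)
{
    return snprintf(out, n, _(msgid));
}
#endif

/* GOOD 1: message-only output. The translation is data, so it goes through
 * a literal "%s"; any directives in it are printed verbatim, not executed. */
static int print_plain(char *out, size_t n, const char *msgid)
{
    return snprintf(out, n, "%s", _(msgid));
}

/* GOOD 2: formatting wrapper. The format attribute makes gcc type-check
 * every call site; callers keep a literal format and pass translated text
 * as an argument. */
static int print_fmt(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int print_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Count conversion directives, treating "%%" as a literal percent sign.
 * A run-time counterpart of the c-format check xgettext/msgfmt apply. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* GOOD 3: refuse (return -1) a translation whose directive count differs
 * from the original message, otherwise print it verbatim. */
static int print_checked(char *out, size_t n, const char *msgid)
{
    const char *tr = _(msgid);
    if (count_directives(tr) != count_directives(msgid))
        return -1;
    return snprintf(out, n, "%s", tr);
}

int main(void)
{
    char buf[128];
    print_plain(buf, sizeof buf, "Connection closed");
    puts(buf);   /* "Verbindung %x %n geschlossen", directives shown literally */
    print_fmt(buf, sizeof buf, "%s: %d %s", _("Scan finished"), 3, "hosts");
    puts(buf);   /* "Scan beendet: 3 hosts" */
    printf("checked: %d\n", print_checked(buf, sizeof buf, "Connection closed"));
    return 0;
}
```

Build with `gcc -Wall -Werror=format-security` to see it pass, and add `-DSHOW_BAD` to watch the rejected form fail. Note that -Wformat-security is silent on `printf(_("%d hosts"), n)` because arguments are present; the stricter -Wformat-nonliteral flags that too, which is why keeping format literals and moving translations into arguments is the habit worth adopting.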