Re: F22 System Wide Change: Harden all packages with position-independent code

On Wed, Jan 7, 2015 at 5:30 AM, Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:

We just went over something very much like this for x86_64 packages
with FESCo ticket 1113:

https://fedorahosted.org/fesco/ticket/1113

Could you perhaps review that and elaborate on the differences between
that proposal and this one if there are any?  Additionally, could you
cover any of the concerns listed there that apply to this proposal?

josh
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Hi Josh,

That ticket is over 20 months old. It was discussed at a time when Fedora 19 was in the beta stage. I believe a lot has changed since then.

Since Fedora 20, pre-link is already disabled by default.

The security landscape has changed. With the major publicity from Heartbleed and ShellShock, I believe more people are now security conscious than before. Hopefully, they will understand the need for compromise in system performance in order to protect the system from being exploited.

For example: here http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485) it states "Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of the recent bugs in bash."
Which links here: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html (CVE-2014-6277) and (CVE-2014-6278) and states "The issue is also made worse by the fact that only relatively few distributions were building bash as a position-independent executable that could be fully protected by ASLR."

-Moez
