Re: So everything in Rawhide must be compiled with -fPIC?

On 20.02.2015 at 18:21, Peter Robinson wrote:
I've never argued against the goal that web browser or all network aware
services should be PIEs, after all, why would we (Ulrich Drepper and myself)
add the PIE support into the toolchain otherwise?
I'm just not convinced most of the unprivileged programs should be PIEs.

Thanks to e.g. e-mail about any program can be made to run untrusted
data, e.g. PDF readers, office suites, image viewers, if you open an
attachment of the respective type. Therefore it makes a sane default
IMHO. It is also something to attract users that care about security
very much to Fedora.

So you're saying here that this is miraculously going to stop people
from running random binaries that are being emailed to them?

nobody said that

but it may stop an otherwise successful exploit in the application opening the malicious attachment targeting an unknown or unfixed security hole

just going stop people from running random non PIC/PIE binaries? I
don't buy that this is a miracle fix to that problem. How then does it
affect other third party binaries not compiled with PIC/PIE that
people might wish to run?

you can't fix and protect every binary in the world

but you can raise the bar for distribution packages
without PIC/PIE ASLR won't work
