On Sat, 22 Jan 2022 at 10:52, Andreas Schneider <asn@xxxxxxxxxx> wrote: > > On Tuesday, January 11, 2022 7:00:22 PM CET Steve Grubb wrote: > > Hello, > > > > On Wednesday, January 5, 2022 5:05:26 PM EST Ben Cotton wrote: > > > > > https://fedoraproject.org/wiki/Changes/GNUToolchainF36 > > > > > > == Summary == > > > Update the Fedora 36 GNU Toolchain to gcc 12 and glibc 2.35. > > > > > > The gcc 12 is currently under development and will be included in > > > Fedora 36 upon release. The glibc 2.35 change will be tracked in this > > > top-level GNU Toolchain system-wide update. > > > > > > Reading through the GCC 12 changes, there is a significant new feature to > > GCC > that would appear to be useful for security. There is a new: > > > > -ftrivial-auto-var-init=zero > > > > flag that initializes all stack variables to zero. Zero being a nice safe > > value that makes programs crash instead of being exploitable. > > > > Are there plans to enable this flag so that all applications, but more > > importantly the kernel, are hardened against uninitialized stack variables? > > > > This is one of the major classes of security bugs that could potentially > > be eliminated during this mass rebuild. > > I don't know if it is still the case, but OpenSSL used uninitialized stack > variables on purpose! If you initialize them to zero might end up with the > same disaster as Debian had some years ago! > > https://www.debian.org/security/2008/dsa-1571 IIRC it wasn't that simple. The necessary entropy was *not* coming from uninitialized bytes. There were other sources of *real* entropy, but the Debian patch caused *none* of it to be added to the pool (except for the PID). Zeroing the uninitialized bytes would *not* hurt as long as the *real* sources of entropy still get added. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
