Re: Building a distribution from source?
On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> On Fri, 5 Dec 2003 10:39, Steve Kemp <email@example.com> wrote:
> > ? I've been experimenting with producing a hardened Debian derivitive
> > ?as a small piece of paid work. ?This mostly means compiling things with
> > ?a stackguard compiler, using format guard, and enforcing policies, etc.
> Are you using any extra patches to GCC? Or just a GCC built with the
> propolice option?
Yes I am using slightly modified patches from http://www.immunix.org/.
The propolice is something that I shall be evaluating next.
> How difficult is it to bootstrap this? Can you compile glibc with these
> options without affecting anything else?
So far I have built glibc with this modified GCC, (only so that I
could apply the "FormatGuard" patches which are designed to combat
format string attacks. Recompiling glibc wasn't something that I
really wanted to try on the PII 233Mhz machine I have as my test box!
Bootstrapping was very simple just a matter of applying the patche to
GCC and rebuilding it, then having installed it I rebuilt several test
packages which were exploitable previously and failed to be exploitable
afterwards. (With the caveats that this patch doesnt protect against
I confess that I haven't rebuilt _all_ the interesting packages yet
the kernel and X11 being the most likely to fail - but the packages
that I did build, bash, perl, etc did compile with no observed side
effects thus far.
# Debian Security Audit Project