[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Introducing security hardening features for Lenny



On Tue, Jan 29, 2008 at 09:16:24PM +0000, Moritz Muehlenhoff wrote:
> Fortify Source
> ==============
> 
> This feature adds validation for internal C functions such as strcpy
> for buffer sizes known during compile time. While vulnerabilities in
> the functions it protects have become uncommon in high-profile apps,
> it will be useful for fringe packages we have in the archive.
> 
> This feature is present in glibc since version 2.5, and is enabled
> through the use of "-D_FORTIFY_SOURCE=2" and "-O2" or higher.
> 

  Well, -D_FORTIFY_SOURCE=2 is a severe performance loss in many
applications, and I wouldn't recommend activating it by default. =1 has
not the drawback with that regard though, but is less useful security
wise (though it catch many programmatic issues, and full archive rebuild
with -D_FORTIFY_SOURCE=1 would be worthwile independently of this).

Attachment: pgpZ_FubbL_tj.pgp
Description: PGP signature


Reply to: