Re: NSA software in Debian
On 23.01.2014 at 13:31, Marko Randjelovic <markoran@eunet.rs> wrote:
> On Wed, 22 Jan 2014 16:16:21 -0800
> Andrew Merenbach <andrew@merenbach.com> wrote:
>
>> I installed the i386 architecture and installed the `paxtest' suite. My results were fairly disappointing, to be honest:
>
>>> $ sudo paxtest blackhat
>>> Executable anonymous mapping (mprotect) : Vulnerable
>>> Executable bss (mprotect) : Vulnerable
>>> Executable data (mprotect) : Vulnerable
>>> Executable heap (mprotect) : Vulnerable
>>> Executable stack (mprotect) : Vulnerable
>>> Executable shared library bss (mprotect) : Vulnerable
>>> Executable shared library data (mprotect): Vulnerable
>>> Writable text segments : Vulnerable
>
> It's a good idea to configure the kernel (grsec options) before
> recompiling. Probably the MPROTECT feature is not enabled in the kernel,
> or your CPU doesn't have the NX bit feature.
>
>> A followup there links to the following bug, "linux-2.6: [RFC] Add a grsec featureset to Debian kernels":
>>
>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090>
>
> This would of course be the real solution.
I would also like this. Yesterday I started compiling 3.2.54 with grsec and PaX. A ready Debian kernel(-source) with grsec and PaX would be fine.
Currently I am distributing my special packages via my own repository - is there any concern when making it public (copyright, etc.)?
>
> --
> Education is a process of making people see what is advanced and not
> obvious, but also not see what is basic and obvious.
>
> http://markorandjelovic.hopto.org
>
Kevin Olbrich.
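
Added example (not part of the original messages, and not code from paxtest or grsecurity): a shell check for the two causes suggested in the quoted reply, a CPU without the NX flag or MPROTECT not being active. It assumes a PaX-patched kernel exposes a `PaX:` flag line in /proc/<pid>/status and that the kernel config sits at /boot/config-$(uname -r); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the checks can
# run on saved copies as well as on the live /proc files.

# Succeeds if a /proc/cpuinfo-style file lists the "nx" CPU flag.
cpu_has_nx() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "nx") f = 1; exit }
         END { exit !f }' "$1"
}

# Prints the PaX flag string from a /proc/<pid>/status-style file, or "absent"
# when there is no "PaX:" line (assumption: only PaX kernels add that line).
pax_flags() {
    flags=$(awk '$1 == "PaX:" { print $2; exit }' "$1")
    echo "${flags:-absent}"
}

# Upper-case M in the flag string means MPROTECT is active for the task,
# lower-case m means it is switched off.
mprotect_state() {
    case "$(pax_flags "$1")" in
        absent) echo "no-pax" ;;
        *M*)    echo "enabled" ;;
        *)      echo "disabled" ;;
    esac
}

# Succeeds if a kernel .config-style file has CONFIG_PAX_MPROTECT=y.
config_has_mprotect() {
    grep -qx 'CONFIG_PAX_MPROTECT=y' "$1"
}

# usage: report CPUINFO STATUS KCONFIG
report() {
    if cpu_has_nx "$1"; then echo "NX bit: present"; else echo "NX bit: missing"; fi
    echo "PaX flags: $(pax_flags "$2") (MPROTECT: $(mprotect_state "$2"))"
    if [ -r "$3" ] && config_has_mprotect "$3"; then
        echo "kernel config: CONFIG_PAX_MPROTECT=y"
    else
        echo "kernel config: CONFIG_PAX_MPROTECT not set, or config unreadable"
    fi
}

# Live check only when invoked as: sh paxcheck.sh live
if [ "${1:-}" = "live" ]; then
    report /proc/cpuinfo /proc/self/status "/boot/config-$(uname -r)"
fi
```

On 32-bit x86 the hardware NX bit is only usable with a PAE kernel, so an `nx` flag in cpuinfo on an i386 install does not by itself mean the running kernel uses it.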