[Pidgin] #15290: Compile everything with secure flags

Pidgin trac at pidgin.im
Sun Aug 26 22:05:55 EDT 2012

#15290: Compile everything with secure flags
 Reporter:  DrWhax                   |        Owner:  rekkanoryo  
     Type:  defect                   |       Status:  new         
Milestone:                           |    Component:  unclassified
  Version:  2.10.6                   |   Resolution:              
 Keywords:  security aslr dep build  |  

Comment(by ioerror):

 Replying to [comment:1 Robby]:
 > Replying to [ticket:15290 DrWhax]:
 > > I hope we can come up with a secure build sequence which will
 > > guarantee, NX, DEP, ASLR, /GS, SafeSEH(am I missing something?)
 > Who's "we" then?

 Anyone involved in helping to do this kind of work - it seems like the
 right answer is to add those flags to the Makefile.mingw - here's what I
 recently added to pidgin-otr to improve compile and linking hardening:
 CC_HARDENING_OPTIONS ?= -fstack-protector-all -fPIE -Wstack-protector \
         -fwrapv --param ssp-buffer-size=1
 LD_HARDENING_OPTIONS ?= --dynamicbase --nxcompat -pie

 Later, I just added those two variables into the proper CC and LDFLAGS:
 override CFLAGS += -g -O2 -Wall $(CC_HARDENING_OPTIONS)
 LDFLAGS = -Wl,--enable-auto-image-base $(LD_HARDENING_OPTIONS) -lssp

 ''-lssp'' is required to get the stack smashing protection libraries
 linked in properly.

 DrWhax - if you build with those flags, what is missing?

 The full flags used in pidgin-otr are

 # Compiling with -fPIE and linking with -pie causes the plugin to crash
 # on load, so we'll skip those.
 CC_HARDENING_OPTIONS ?= -fstack-protector-all -Wstack-protector -fwrapv \
         --param ssp-buffer-size=1 -fno-strict-overflow -Wall -Wextra \
         -Wno-unused-parameter -Wno-missing-field-initializers -Wformat-
 # In theory, we'd also like the following:
 # LD_HARDENING_OPTIONS ?= -dynamicbase --nxcompat -pie -z relro -z now
 LD_HARDENING_OPTIONS ?= --dynamicbase --nxcompat

 And we then set things up accordingly:
 LDFLAGS = -Wl,--enable-auto-image-base $(LD_HARDENING_OPTIONS)
 LDLIBS = -lssp
 override CFLAGS += -g -O2 -Wall $(CC_HARDENING_OPTIONS)

 If any of that works, I think it should be trivial to generate a patch
 that adds those hardening options.

Ticket URL: <http://developer.pidgin.im/ticket/15290#comment:2>
Pidgin <http://pidgin.im>
