[Pidgin] #15290: Compile everything with secure flags

Pidgin trac at pidgin.im
Sun Aug 26 22:05:55 EDT 2012 

#15290: Compile everything with secure flags
-------------------------------------+--------------------------------------
 Reporter:  DrWhax                   |        Owner:  rekkanoryo  
     Type:  defect                   |       Status:  new         
Milestone:                           |    Component:  unclassified
  Version:  2.10.6                   |   Resolution:              
 Keywords:  security aslr dep build  |  
-------------------------------------+--------------------------------------

Comment(by ioerror):

 Replying to [comment:1 Robby]:
 > Replying to [ticket:15290 DrWhax]:
 > > I hope we can come up with a secure build sequence which will
 guarantee, NX, DEP, ASLR, /GS, SafeSEH(am I missing something?)
 > Who's "we" then?

 Anyone involved in helping to do this kind of work - it seems like the
 right answer is to add those flags to the Makefile.mingw - here's what I
 recently added to pidgin-otr to improve compile and linking hardening:
 {{{
 CC_HARDENING_OPTIONS ?= -fstack-protector-all -fPIE -Wstack-protector
 -fwrapv --param ssp-buffer-size=1
 LD_HARDENING_OPTIONS ?= --dynamicbase --nxcompat -pie
 }}}

 Later, I just added those two variables into the proper CC and LDFLAGS:
 {{{
 override CFLAGS += -g -O2 -Wall $(CC_HARDENING_OPTIONS)
 LDFLAGS = -Wl,--enable-auto-image-base $(LD_HARDENING_OPTIONS) -lssp
 }}}

 ''-lssp'' is required to get the stack smashing protection libraries
 linked in properly.

 DrWhax - if you build with those flags, what is missing?

 The full flags used in pidgin-otr are
 [http://otr.git.sourceforge.net/git/gitweb.cgi?p=otr/pidgin-
 otr;a=blob;f=Makefile.mingw;h=4a0bd8d034f382cecb246e4111b03c22c7548c70;hb=HEAD
 here]:
 {{{

 # Compiling with -fPIE and linking with -pie causes the plugin to crash
 # on load, so we'll skip those.
 CC_HARDENING_OPTIONS ?= -fstack-protector-all -Wstack-protector -fwrapv \
         --param ssp-buffer-size=1 -fno-strict-overflow -Wall -Wextra \
         -Wno-unused-parameter -Wno-missing-field-initializers -Wformat-
 security
 # In theory, we'd also like the following:
 # LD_HARDENING_OPTIONS ?= -dynamicbase --nxcompat -pie -z relro -z now
 LD_HARDENING_OPTIONS ?= --dynamicbase --nxcompat
 }}}

 And we then set things up accordingly:
 {{{
 LDFLAGS = -Wl,--enable-auto-image-base $(LD_HARDENING_OPTIONS)
 LDLIBS = -lssp
 override CFLAGS += -g -O2 -Wall $(CC_HARDENING_OPTIONS)
 }}}

 If any of that works, I think it should be trivial to generate a patch
 that adds those hardening options.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/15290#comment:2>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list