Summary: | net-misc/openssh does not respect stack-protection | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Agostino Sarubbo <ago> |
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | CONFIRMED --- | ||
Severity: | normal | CC: | haubi |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | proposed patch |
Description
Agostino Sarubbo
2017-04-23 11:02:25 UTC
Created attachment 566546 [details, diff]
proposed patch
Would need revbump though.
Thanks for the patch..but I think it will not work with some stack-protector settings. It think is fine modify the buildsystem to let the user cflags after the default. (In reply to Agostino Sarubbo from comment #2) > Thanks for the patch..but I think it will not work with some stack-protector > settings. The patch should disable openssh's logic to add any stack-protector flag. What do you think at here? > It think is fine modify the buildsystem to let the user cflags after the > default. Just found the configure flags --with-cflags-after and --with-ldflags-after. However, these are evaluated after running the configure checks... (In reply to Michael Haubenwallner from comment #3) > (In reply to Agostino Sarubbo from comment #2) > > Thanks for the patch..but I think it will not work with some stack-protector > > settings. > > The patch should disable openssh's logic to add any stack-protector flag. > What do you think at here? > > > It think is fine modify the buildsystem to let the user cflags after the > > default. > > Just found the configure flags --with-cflags-after and --with-ldflags-after. > However, these are evaluated after running the configure checks... While it covers the scope, I guess it won't work if user would use something different than -fstack-protector-all (e.g. fstack-protector-strong) so the better thing to do here might be just change the order of default flags vs user flags, where user flags are the latest Since nowadays the current toolchain uses -fstack-protector-strong, all we have to do is to use --without-stackprotect Basically we are doing the same with --without-hardening: https://github.com/gentoo/gentoo/blob/be46888368631cff17aebdec768f78e3ffae186d/net-misc/openssh/openssh-9.6_p1-r3.ebuild#L180 |