Hi Tim,

On Wed, 30 Jun 2021 19:37:18 +0200, Tim Kosse <tim.ko...@filezilla-project.org> wrote:
> I have noticed that libgcc_s_seh-1.dll as distributed by this package
> has not been built with support for the NX and ASLR security features
> enabled, as can be seen with objdump:
>
> ~$ x86_64-w64-mingw32-objdump -p /usr/lib/gcc/x86_64-w64-mingw32/10-win32/libgcc_s_seh-1.dll | grep DllCharacteristics
> DllCharacteristics 00000000
>
> It looks like the other .dlls in this package are also missing these
> important flags. I have not checked whether this affects the
> corresponding package with the 32bit DLLs.
>
> This is a regression from buster, where this file is built with support
> for both features:
>
> ~$ x86_64-w64-mingw32-objdump -p /usr/lib/gcc/x86_64-w64-mingw32/8.3-win32/libgcc_s_seh-1.dll | grep DllCharacteristics
> DllCharacteristics 00000160

Not quite: the DLLs were built with those flags set, but they weren’t built with support for the features — as a result, in many cases the protection features were unusable and even misleading. See https://www.kb.cert.org/vuls/id/307144/ and the links therein for details.

> According to
> https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32,
>
> 00000160 decomposes into
> IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
> IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and
> IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA
>
> These libraries should be built with both mitigations enabled.

I agree, at least those options which make sense for DLLs, but it’s still not straightforward. Ideally, support for this should come from upstream (GCC and MinGW-w64), not just the Debian packages.

Regards,

Stephen
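
Added example, not part of the original message and not code from GCC, MinGW-w64 or the Debian package: a Python check that decodes the DllCharacteristics value that objdump prints in the thread and also verifies that DYNAMIC_BASE is backed by a base relocation table, since the loader cannot rebase an image without one. The names `audit_pe` and `make_sample` and the header bytes are constructed for illustration; treating missing relocations as a flag-without-support case is an assumption made here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h; 0x0160 is all three together.
FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
BASERELOC = 5  # index of IMAGE_DIRECTORY_ENTRY_BASERELOC

def audit_pe(data):
    """Decode DllCharacteristics and check that DYNAMIC_BASE has relocations behind it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_chars = struct.unpack_from("<H", data, pe + 22)[0]  # COFF Characteristics
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ vs PE32 layout
    count = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    reloc_size = struct.unpack_from("<I", data, dirs + 8 * BASERELOC + 4)[0] if count > BASERELOC else 0
    has_relocs = reloc_size > 0 and not file_chars & IMAGE_FILE_RELOCS_STRIPPED
    names = [n for bit, n in sorted(FLAGS.items()) if dll_chars & bit]
    warnings = []
    if "DYNAMIC_BASE" in names and not has_relocs:
        warnings.append("DYNAMIC_BASE set but no base relocations: image cannot be rebased")
    if "HIGH_ENTROPY_VA" in names and "DYNAMIC_BASE" not in names:
        warnings.append("HIGH_ENTROPY_VA has no effect without DYNAMIC_BASE")
    warnings += [n + " not set" for n in FLAGS.values()
                 if n not in names and (magic == 0x20B or n != "HIGH_ENTROPY_VA")]
    return {"value": dll_chars, "flags": names, "has_relocs": has_relocs, "warnings": warnings}

def make_sample(dll_chars, reloc_size):
    """Constructed PE32+ DLL headers (no sections), standing in for a real file."""
    buf = bytearray(0x58 + 240)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664)              # Machine: AMD64
    struct.pack_into("<H", buf, 0x56, 0x2022)              # DLL | LARGE_ADDRESS_AWARE | EXECUTABLE
    struct.pack_into("<H", buf, 0x58, 0x20B)               # PE32+ magic
    struct.pack_into("<H", buf, 0x58 + 70, dll_chars)
    struct.pack_into("<I", buf, 0x58 + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x58 + 112 + 8 * BASERELOC, 0x1000 if reloc_size else 0, reloc_size)
    return bytes(buf)

if __name__ == "__main__":
    for chars, relocs in ((0x0000, 0x200), (0x0160, 0), (0x0160, 0x200)):
        print(hex(chars), relocs, audit_pe(make_sample(chars, relocs)))
```

To audit a real DLL, pass its contents: `audit_pe(open(path, "rb").read())`.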