On Tue, Apr 17, 2012 at 6:15 AM, Crusty Saint wrote:
> Hi,
>
> Regarding https://www.samba.org/samba/security/CVE-2012-1182
>
> I'm currently step-by-step looking into compiling my own debs and
> recompiling existing ones (ignoring that optimisations are often
> overrated). What I'm most interested in, though, is the
> hardening@compile-time of packages, even if this means generic
> protection. Thinking some is better than none. For this I've, so far,
> used the hardening-wrapper and hardening-includes packages. Though I'm not
> sure if I'm even using hardening-includes correctly at this time, I
> dare to present a question.
>
> Part of the description of the CVE reads:
>
> "The flaw caused checks on the variable containing the length of an
> allocated array to be done independently from the checks on the
> variable used to allocate the memory for that array. As both these
> variables are controlled by the connecting client it makes it possible
> for a specially crafted RPC call to cause the server to execute
> arbitrary code."
>
> Would recompiling with DEB_BUILD_HARDENING=1 and the corresponding
> configuration as below in /etc/hardening-wrapper.conf have mitigated
> against this particular exploit vector? Though part of the attack
> depends on logic, I assume the 'specially crafted RPC call' could've
> been mitigated against.
I don't really have an answer since I have not personally studied this
issue, but anyone that may have interest in any particular security issue
can make use of the informative Debian security tracker as a springboard
for their own research. For example, if I wanted to better understand this
issue, I would start at [0], which would eventually lead me to [1], which
includes the patches that Samba applied. I could then study those to see
if hardening made a difference.

> *glops* My /etc/hardening-wrapper.conf looks like
>
> DEB_BUILD_HARDENING=1
> DEB_BUILD_HARDENING_DEBUG=0
> DEB_BUILD_HARDENING_STACKPROTECTOR=1
> DEB_BUILD_HARDENING_RELRO=1
> DEB_BUILD_HARDENING_FORTIFY=1
> DEB_BUILD_HARDENING_PIE=1
> DEB_BUILD_HARDENING_FORMAT=1

It's quite a bit easier now. You can set debian/compat to 9 in the source
package, and hardening will be done automagically (you may also want to set
"export DEB_BUILD_MAINT_OPTIONS=hardening=+all" in debian/rules to get all
hardening enabled).

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/CVE-2012-1182
[1] https://bugzilla.samba.org/show_bug.cgi?id=8815
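The reply above is about switching hardening on at build time; the complementary check a practitioner wants is whether a built binary actually carries those protections. The script below is an added example, not code from this thread and not Debian's own hardening-wrapper or hardening-check tooling. It uses readelf to look for the traces that PIE, RELRO/BIND_NOW, the stack protector and FORTIFY_SOURCE leave in an ELF file; the detection heuristics, the function names check_hardening and build_samples, and the small C program it compiles are all my own assumptions, and the compiler flags in build_samples are the usual GCC/ld spellings of the hardening-wrapper settings quoted above (the FORMAT setting is a compile-time warning and leaves nothing to inspect, so it is not checked).

```shell
#!/bin/sh
# Added example (not from the thread, not Debian tooling): probe an ELF
# binary for build-time hardening features using only readelf.
# Detection heuristics are assumptions of this example, in the spirit of
# what hardening-check(1) does.

# check_hardening BINARY
# Prints one line: "pie=.. relro=.. stack_protector=.. fortify=..".
check_hardening() {
    bin=$1
    hdr=$(readelf -hW "$bin")
    phdr=$(readelf -lW "$bin")
    dyn=$(readelf -dW "$bin")
    syms=$(readelf -sW "$bin")   # .dynsym and .symtab, so stripped files still work

    # PIE: an ET_DYN object that still asks for a program interpreter.
    if printf '%s\n' "$hdr" | grep -q 'Type:.*DYN' \
       && printf '%s\n' "$phdr" | grep -q 'INTERP'; then
        pie=yes
    else
        pie=no
    fi

    # RELRO: a GNU_RELRO segment. It only protects the GOT fully when
    # BIND_NOW resolves every relocation before the segment goes read-only.
    if printf '%s\n' "$phdr" | grep -q 'GNU_RELRO'; then
        if printf '%s\n' "$dyn" | grep -qE 'BIND_NOW|Flags:.*NOW'; then
            relro=full
        else
            relro=partial
        fi
    else
        relro=no
    fi

    # Stack protector: any guarded function references __stack_chk_fail.
    if printf '%s\n' "$syms" | grep -q '__stack_chk_fail'; then
        sp=yes
    else
        sp=no
    fi

    # FORTIFY_SOURCE: libc calls rewritten to their *_chk variants
    # (the stack-protector symbols are excluded so they do not count).
    if printf '%s\n' "$syms" | grep -v '__stack_chk' | grep -qE '__[a-z0-9_]+_chk'; then
        fortify=yes
    else
        fortify=no
    fi

    printf 'pie=%s relro=%s stack_protector=%s fortify=%s\n' "$pie" "$relro" "$sp" "$fortify"
}

# build_samples DIR
# Compiles a constructed C program twice: DIR/hardened with the options the
# hardening-wrapper settings map to, DIR/plain with all of them switched off.
build_samples() {
    dir=$1
    cat > "$dir/sample.c" <<'EOF'
#include <stdio.h>
#include <string.h>
/* Constructed sample: a fixed local buffer filled from argv, the shape
 * that both the stack protector and FORTIFY_SOURCE instrument. */
int main(int argc, char **argv) {
    char buf[64];
    if (argc > 1) {
        strcpy(buf, argv[1]);
        printf("%d:%s\n", argc, buf);
    }
    return 0;
}
EOF
    cc=${CC:-cc}
    "$cc" -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
        -fPIE -pie -Wl,-z,relro,-z,now -o "$dir/hardened" "$dir/sample.c"
    "$cc" -O2 -fno-stack-protector -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 \
        -fno-pie -no-pie -Wl,-z,norelro,-z,lazy -o "$dir/plain" "$dir/sample.c"
}

# Stand-alone use: pass ELF paths to report on them, or run with no
# arguments to build the constructed sample both ways and compare.
if [ $# -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(check_hardening "$f")"; done
elif command -v readelf >/dev/null 2>&1 && command -v "${CC:-cc}" >/dev/null 2>&1; then
    d=$(mktemp -d)
    build_samples "$d"
    printf 'hardened: %s\nplain:    %s\n' \
        "$(check_hardening "$d/hardened")" "$(check_hardening "$d/plain")"
    rm -rf "$d"
fi
```

Running it against the two sample builds shows the hardened one as `pie=yes relro=full stack_protector=yes fortify=yes` and the plain one with all of those absent, which is the same kind of difference to look for between an old and a rebuilt package. The probe only shows that the generic mitigations are present in the binary; whether they would have changed the outcome for a specific logic bug like the one in the CVE is the question the Samba patches in [1] have to answer.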