Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: prince-of-persia
Version : 1.20
Upstream Author : Dávid Nagy
* URL : https://github.com/NagyD/SDLPoP
* License : GPL-3+
Programming Lang: C
Description : SDL port of the classic Prince
On Sat, Sep 21, 2013 at 02:46:34PM +0200, Bas Wijnen wrote:
> On Fri, Sep 20, 2013 at 10:12:16PM -0700, Kees Cook wrote:
> > This is absolutely a bug in glibc. While the spec can say "undefined", it
> > is, in fact, not undefined. It worked in a very specific way for ove
> this fortification with
>
> DEB_BUILD_HARDENING_FORTIFY := 0
> preceding inclusion of /usr/share/hardening-includes/hardening.make
Instead, if eglibc continues to remain unfixed, you can replace the
"buggy" sprintf calls with the
On Wed, Jun 20, 2012 at 12:56:21PM -0700, Kees Cook wrote:
> If you're building with -O1 (or higher) and -D_FORTIFY_SOURCE=2, the
> compiler is always always going to be doing the right thing. :)
Heh, this was supposed to read "almost always"
g that change causes hardening-check to see the __read_chk call,
then the compiler is being smart and noticed that it doesn't need to do
extra work at run time to verify the arguments, and you're clear to put
in a lintian override.
-Kees
--
Kees Cook
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: libseccomp
Version : 0.1.0
Upstream Author : Paul Moore
* URL : https://sourceforge.net/projects/libseccomp/
* License : LGPLv2
Programming Lang: C
Description : High level interface to
On Sun, Apr 01, 2012 at 12:49:37AM -0700, Kees Cook wrote:
> I'm going to work on getting this graphed daily
I've now added[1] the graphs[2]. In a few weeks, it'll be easier to see
the slopes. :)
-Kees
[1] http://wiki.debian.org/Statistics
[2] http://outflux.net/debian/hardeni
On Sun, Apr 01, 2012 at 05:24:00PM +0800, Paul Wise wrote:
> On Sun, Apr 1, 2012 at 3:49 PM, Kees Cook wrote:
> > I'm going to work on getting this graphed daily, like the debhelper
> > statistics[3].
>
> If you do, please add that to the statistics wiki page:
wiki.debian.org/Hardening#Validation
[3] http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-07-10-debhelper-statistics-redux.html
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
wi
On Fri, Mar 02, 2012 at 07:25:25PM +0100, Moritz Mühlenhoff wrote:
> Kees Cook wrote:
> > In the mean time, I'll continue to work on the crappy
> > heuristic checks. ;)
>
> Shall we move hardening-check to devscripts, now that
> dpkg-buildflags slowly
On Fri, Mar 02, 2012 at 07:41:25PM +0100, Julian Taylor wrote:
> On 03/02/2012 05:53 PM, Kees Cook wrote:
> > On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> >> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> >>> Kees Cook writes:
>
On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> > Kees Cook writes:
> >
> > > Speaking to the false positives problem, I've discussed with some people
> > > the idea of having b
dening=+all
In this situation, you've got NX for sure, full ASLR in a large memory
space, stack protector, and the libc fortifications in place. It'll
always be an arms race, but why knowingly be behind? :)
-Kees
--
Kees Cook@debian.org
res do not have mmap ASLR, so in that case, all the
libraries will be in the same place too. (And any arch without mmap ASLR
also has no text (PIE) ASLR.)
-Kees
--
Kees Cook@debian.org
problem, I've discussed with some
people the idea of having build flags be included in some sort of ELF
comment-like area that can be examined. That way it becomes trivial to
answer "how was this built?" and all these crappy heuristic checks can
get thrown away. In the mea
ages.)
>
> Does anyone have a better idea how to do this? Know about other
> packages that are affected?
It's a trivial patch[1] to fix "at". How about just backporting that
change to stable, to avoid that known trouble too? This is what Ubuntu
did fo
On Wed, Dec 14, 2011 at 10:48:00AM +0700, Jonas Smedegaard wrote:
> On 11-12-13 at 03:10pm, Kees Cook wrote:
> > Notably, I'm curious about this:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
> >
> > I think this is broken behavior on CDBS's p
true in the face of:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966
Which means there's no way short of calling dpkg-buildflags directly to get
a fully hardened build using only CDBS. :(
What's the right way forward to have CDBS and dpkg-buildflags play nice
together
dhtest-1.0'
echo CPPFLAGS: -D_FORTIFY_SOURCE=2
CPPFLAGS: -D_FORTIFY_SOURCE=2
echo DEB_HOST_MULTIARCH:
DEB_HOST_MULTIARCH:
Which means I can't use DEB_HOST_MULTIARCH in the config-scripts,
unfortunately.
-Kees
--
Kees Cook@debian.org
ng a close second (372310, 438601, 632860).
So, how about:
- Have debhelper do the executable marking in some way. (Yet another
config to list the config scripts?) Or, I guess, just ignore this
problem since it's only a problem in source-format-1.
- Export DEB_* environment variabl
On Thu, Sep 29, 2011 at 06:41:29AM +0900, Charles Plessy wrote:
> On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> > On Fri, Sep 23, 2011 at 08:17:54AM +0200, Raphael Hertzog wrote:
> > > Two hardening features are not enabled by default: PIE and bindnow.
>
On Wed, Sep 28, 2011 at 11:38:06PM +0200, Mike Hommey wrote:
> On Wed, Sep 28, 2011 at 10:52:15PM +0300, Riku Voipio wrote:
> > On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> > > Just to be explicit, PIE tends to have small (<1%) performance hits on
On Wed, Sep 28, 2011 at 10:52:15PM +0300, Riku Voipio wrote:
> On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> > Just to be explicit, PIE tends to have small (<1%) performance hits on
> > register-starved architectures (i386) in most cases, for certain work
>
pper or hardening-includes, you were
effectively using "+pie,+bindnow", so when converting, please continue to
build with PIE and bindnow. :)
Thanks!
-Kees
--
Kees Cook@debian.org
gure a combination of looking at debian/control, compat for
the build system or hardening-wrapper use, and maybe build log analysis and
it'd be good to go.
-Kees
[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
--
Kees Cook@debi
On Tue, Sep 13, 2011 at 07:01:13PM -0400, Michael Gilbert wrote:
> On Tue, 13 Sep 2011 15:38:29 -0700 Kees Cook wrote:
> > I would like to propose a release goal of enabling hardening build flags[1]
> > for all C/C++ packages in the archive[2].
>
> I think "
Hi,
On Tue, Sep 13, 2011 at 07:24:10PM -0400, Michael Gilbert wrote:
> On Tue, 13 Sep 2011 15:38:29 -0700 Kees Cook wrote:
> > [1] http://wiki.debian.org/Hardening
You mean http://wiki.debian.org/ReleaseGoals/Hardening ?
> It looks like we're duplicating wiki work. T
n.org/debian-devel/2011/09/msg00071.html
[5] http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?view=log
http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=log
--
Kees Cook@debian.org
-
On Tue, Sep 06, 2011 at 04:01:04PM +, The Fungi wrote:
> On Mon, Sep 05, 2011 at 02:22:39PM -0700, Kees Cook wrote:
> [...]
> > It might be better to extend it further, like "all network daemons
> > using dpkg-buildflags properly and enabling PIE"
> [...]
>
od, I'm happy to help as well.
-Kees
--
Kees Cook@debian.org
Archive: http://lists.debian.org/20110908010421.gq31...@outflux.net
ool to have
someone familiar with llvm (or other C compilers in use) update
http://wiki.debian.org/Hardening
with the command line arguments needed to enable each feature too.
-Kees
--
Kees Cook@debian.org
zing the
> build logs has been suggested (see #628516).
There's already "hardening-includes"'s hardening-check script, which
would be nice to merge into lintian somehow.
-Kees
--
Kees Cook@debian.org
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: scantool
Version : 1.21
Upstream Author : ScanTool.net LLC
* URL : http://www.scantool.net/scantool/downloads/diagnostic-software/
* License : GPL-2+
Programming Lang: C
Description
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: apparmor
Version : 2.6.1
Upstream Author : AppArmor project members
* URL : http://apparmor.net/
* License : GPL-2, LGPL-2
Programming Lang: C, C++, Perl, Python
Description : AppArmor
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: duo-unix
Version : 1.5
Upstream Author : Duo Security
* URL : https://github.com/duosecurity/duo_unix
* License : GPL-2+
Programming Lang: C
Description : Duo Security two-factor
Hi,
On Thu, Nov 18, 2010 at 08:37:44PM +0100, Julien Cristau wrote:
> On Thu, Nov 18, 2010 at 11:23:39 -0800, Kees Cook wrote:
>
> > On Thu, Nov 11, 2010 at 13:52:12 +, maximilian attems wrote:
> > > LSM: Enable AppArmor? as well
ill missing one additional patch from me...)
[2] https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening
--
Kees Cook@debian.org
Archive: http://lists.debian.org/20101118192339.gf13...@outflux.net
Hi,
On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
>
> > There is a maintained (by RedHat) patch for dealing with PIE. I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
>
On Thu, Dec 24, 2009 at 12:23:01PM +0100, Stefan Fritsch wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> >>>With the new package, the arch-specific logic for hardening defaults
> >>>is in one place, and a maintainer can selectively disable anything they
Hi Henrique,
On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> > That's certainly a viable plan. This is kind of the approach we took in
> > Ubuntu for the PIE feature. We also considered packages with a l
[dropped debian-gcc from the CCs as this is probably rather off topic now]
Hi Petter,
On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport
Hi,
On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modifie
On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 27 Oct 2009, Kees Cook wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I would l
Hi,
On Tue, Oct 27, 2009 at 10:19:22PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 27 Oct 2009, Kees Cook wrote:
> > > > It seems the kernel will not be happy if the stack protector is switched
> > > > on unconditionally:
> > > >
> > > >
Hi,
On Tue, Oct 27, 2009 at 01:30:12PM -0200, Henrique de Moraes Holschuh wrote:
> On Mon, 26 Oct 2009, Gabor Gombas wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> How do they work? Do they also change the free-standing c
Hi,
On Mon, Oct 26, 2009 at 01:36:28PM +0100, Florian Weimer wrote:
> * Kees Cook:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> Seems a good idea to me. But I think we should defer the required
> full archive reb
8 R_X86_64_JUMP_SLOT __printf_chk
006120c0 R_X86_64_JUMP_SLOT __memcpy_chk
006121c0 R_X86_64_JUMP_SLOT __stack_chk_fail
00612220 R_X86_64_JUMP_SLOT __sprintf_chk
000000612230 R_X86_64_JUMP_SLOT __snprintf_chk
--
Kees Cook
On Thu, Jan 01, 2009 at 10:50:49AM -0800, Kees Cook wrote:
> On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> > While fixing one of the affected packages, I discovered that it was
> > using similarly problematic syntax to act as a strcat replacement of the
egex changed.
So far, it's already caught new stuff. I'll post updated details once it
has finished.
--
Kees Cook@debian.org
O
Changing your code to "sprintf" (since snprintf unfortunately tends to be
in the minority still), the output for the first changes to "FOOBAR".
--
Kees Cook@debian.org
On Sun, Dec 28, 2008 at 10:27:16AM +, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
pile a file that
> matches? That would seem to have potential for reducing the number of
> false positives.
I'd really love that too -- I just don't know how to modify the compiler to
do it. :)
-Kees
--
Kees Cook@debian.org
On Sun, Dec 28, 2008 at 01:51:45PM -0600, Steve Langasek wrote:
> On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> > samba
>
> Another false positive, AFAICS:
>
> $ pcregrep -rM 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
] http://sourceware.org/bugzilla/show_bug.cgi?id=7075
[3] http://article.gmane.org/gmane.linux.man/639
[4] http://people.ubuntu.com/~kees/sprintf-glibc/logs/
--
Kees Cook@debian.org
4g8
abiword
ace
adplug
afnix
afterstep
aqualung
arrayprobe
asterisk
to make Florian
> happy :)
Perhaps the best short-term solution would be to have the tool check the
LSB info and abort on non-Debian machines?
-Kees
[1] https://launchpad.net/ubuntu-cve-tracker/trunk
[2] http://people.ubuntu.com/~ubuntu-security/cve/open.html
--
Kees Cook
Ubuntu Security Team
dump. Appears they
> need a complete object file. What tool can disassemble
> this string?
I'm biased towards libdisasm's x86dis tool:
$ echo -e '\xb8\x12\x00\xcd\x10' | x86dis -r 0 5 -s att
B8 12 00 mov $0x0012, %ax
0003 CD 1
ckaging bits is limited to the Ubuntu-only "selinux"
package they created.
Anyway, I just wanted to give some background history for all of this.
I don't want to suggest anyone should take anyone else's packaging. :)
-Kees
--
Kees Cook@outflux.net
o?
> But useful data nevertheless.[1]
>
> 1: I won't even begin to discuss how many times I see benchmarks
> without SEM or sd reported.
Heh, well I know of the ideas, but haven't had any practice actually
calculating them.
Thanks!
-Kees
--
Kees Cook
On Wed, Mar 05, 2008 at 10:16:52AM +0100, Pierre Habouzit wrote:
> On Wed, Mar 05, 2008 at 06:16:33AM +0000, Kees Cook wrote:
> > I finally got some time to run some benchmarks. I checked the results[1]
> > into the "hardening" svn tree, in case other people want to
hed into the noise.
-Kees
[1] http://svn.debian.org/wsvn/hardening/benchmarks/
[2] http://wiki.debian.org/Hardening
--
Kees Cook@outflux.net
or x86 and x86_64.
AFAIK, the similar RedHat and SuSE kernel patches also carry these
changes only for x86 and x86_64.
-Kees
[1] http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-x86.git;a=history;f=arch/x86/kernel/sys_x86_64.c;hb=mm
--
Kees Cook
all for making it as easy as possible to enable the flags. (Like I
said in the other thread: patches welcome.) I'd probably want it to be
"nohardening", making compiles hardened by default. :)
-Kees
--
Kees Cook
deployed bench, and before we go any further I'd like to
> see some numbers.
Does anyone have any good test harnesses we can try this on? I'd be
more than happy to run them on some modern hardware.
-Kees
--
Kees Cook
Package: wnpp
Severity: wishlist
Owner: Kees Cook <[EMAIL PROTECTED]>
* Package name: libpoe-component-sslify-perl
Version : 0.08
Upstream Author : Apocalypse <[EMAIL PROTECTED]>
* URL : http://search.cpan.org/~apocal/POE-Component-SSLify-0.0
Package: wnpp
Severity: wishlist
Owner: Kees Cook <[EMAIL PROTECTED]>
* Package name: mythtvfs-fuse
Version : 0.5.0
Upstream Author : Kees Cook <[EMAIL PROTECTED]>
* URL : http://outflux.net/software/pkgs/mythtvfs-fuse/
* License : GPL
Program
Kees Cook <[EMAIL PROTECTED]> -----
From: Kees Cook <[EMAIL PROTECTED]>
To: debian-perl@lists.debian.org
Cc: Mike Mattice <[EMAIL PROTECTED]>, "Zak B. Elep" <[EMAIL PROTECTED]>
Subject: Re: RFS: libdevice-serialport-perl
Hello! This is a continuation of a thre
Package: wnpp
Severity: wishlist
Owner: Kees Cook <[EMAIL PROTECTED]>
* Package name: orbital-eunuchs-sniper
Version : 1.30+svn20060923
Upstream Author : Zachary J. Slater <[EMAIL PROTECTED]>
* URL : http://www.icculus.org/oes/
* License : zlib
Package: wnpp
Severity: wishlist
Owner: Kees Cook <[EMAIL PROTECTED]>
* Package name: mp3cd
Version : 1.25
Upstream Author : Kees Cook <[EMAIL PROTECTED]>
* URL : http://outflux.net/software/pkgs/mp3cd/
* License : GPL
Programming Lang: Perl