On Tuesday, January 11, 2022 7:00:22 PM CET Steve Grubb wrote:
Hello,
On Wednesday, January 5, 2022 5:05:26 PM EST Ben Cotton wrote:
>
https://fedoraproject.org/wiki/Changes/GNUToolchainF36
>
> == Summary ==
> Update the Fedora 36 GNU Toolchain to gcc 12 and glibc 2.35.
>
> The gcc 12 is currently under development and will be included in
> Fedora 36 upon release. The glibc 2.35 change will be tracked in this
> top-level GNU Toolchain system-wide update.
Reading through the GCC 12 changes, there is a significant new feature to
GCC
that would appear to be useful for security. There is a new:
-ftrivial-auto-var-init=zero
flag that initializes all stack variables to zero. Zero being a nice safe
value that makes programs crash instead of being exploitable.
Are there plans to enable this flag so that all applications, but more
importantly the kernel, are hardened against uninitialized stack variables?
This is one of the major classes of security bugs that could potentially
be eliminated during this mass rebuild.
I don't know if it is still the case, but OpenSSL used uninitialized stack
variables on purpose! If you initialize them to zero might end up with the
same disaster as Debian had some years ago!
https://www.debian.org/security/2008/dsa-1571
There be dragons!