So everything in Rawhide must be compiled with -fPIC?
Reindl Harald
h.reindl at thelounge.net
Fri Feb 20 17:26:47 UTC 2015
Am 20.02.2015 um 18:21 schrieb Peter Robinson:
>>> I've never argumented against the goal that web browser or all network aware
>>> services should be PIEs, after all, why would we (Ulrich Drepper and myself)
>>> add the PIE support into the toolchain otherwise?
>>> I'm just not convinced most of the unpriviledged programs should be PIEs.
>>
>> Thanks to e.g. e-mail about any program can be made to run untrusted
>> data, e.g. PDF readers, office suites, image viewers, if you open an
>> attachment of the respective type. Therefore it makes a sane default
>> IMHO. It is also something to attract users that care about security
>> very much to Fedora.
>
> So your saying here that this is miraculously going to stop people
> from running random binaries that are being emailed to them?
nobody said that
but it may stop a otherwise successful exploit in the application
opening the malicious attachment targeting a unknown or unfixed security
hole
> just going stop people from running random non PIC/PIE binaries? I
> don't buy that this is a miracle fix to that problem. How then does it
> affect other third party binaries not compiled with PIC/PIE that
> people might wish to run?
you can't fix and protect every binary on the world
but you can raise the bar for distribution packages
without PIC/PIE ASLR won't work
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150220/ceda611f/attachment.sig>
More information about the devel
mailing list