F22 System Wide Change: Harden all packages with position-independent code

Moez Roy moez.roy at gmail.com
Wed Jan 7 21:07:31 UTC 2015


On Wed, Jan 7, 2015 at 5:30 AM, Josh Boyer <jwboyer at fedoraproject.org>
wrote:

>
> We just went over something very much like this for x86_64 packages
> with FESCo ticket 1113:
>
> https://fedorahosted.org/fesco/ticket/1113
>
> Could you perhaps review that and elaborate on the differences between
> that proposal and this one if there are any?  Additionally, could you
> cover any of the concerns listed there that apply to this proposal?
>
> josh
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


Hi Josh,

That ticket is over 20 months old. It was discussed at a time when Fedora 19
was in beta stage. I believe a lot has changed since then.

Since Fedora 20, pre-link is already disabled by default.

The security landscape has changed. With the major publicity from
Heartbleed and ShellShock, I believe more people are now security conscious
than before. Hopefully, they will understand the need for compromise in
system performance in order to protect the system from being exploited.

For example, here:
http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html
(CVE-2014-8485) it states "Many Linux distributions ship *strings* without
ASLR, making potential attacks easier and more reliable - a situation
reminiscent of one of the recent bugs in *bash*."
which links here:
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
(CVE-2014-6277 and CVE-2014-6278) and states "The issue is also made
worse by the fact that only relatively few distributions were building bash
as a position-independent executable that could be fully protected by ASLR."

-Moez
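The bash and strings cases cited above come down to whether a binary was linked as a fixed-address ET_EXEC or as a position-independent ET_DYN executable. As an added example, not part of this thread or of any Fedora tooling, the script below reads the ELF header and program headers directly to classify files as PIE or non-PIE; the constructed sample image assumes x86_64 little-endian.

```python
"""Classify ELF files as PIE / non-PIE by reading their headers (added example)."""
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3


def classify(data: bytes) -> str:
    """Return 'pie', 'non-pie', 'shared-object', 'other' or 'not-elf' for an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        if len(data) < 64:
            return "not-elf"
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # A PT_INTERP entry means the kernel runs the file through a dynamic loader;
    # that is what separates a PIE from a plain shared library (both are ET_DYN).
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
        if e_phoff + i * e_phentsize + 4 <= len(data)
    )
    if e_type == ET_EXEC:
        return "non-pie"            # fixed load address: ASLR cannot move its text segment
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared-object"
    return "other"                  # ET_REL object files, core dumps, etc.


def build_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed minimal little-endian x86_64 ELF64 image (header + program headers) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return hdr + phdrs


def scan(paths):
    """Map each path to its classification; unreadable paths are reported as 'unreadable'."""
    results = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                results[p] = classify(f.read())
        except OSError:
            results[p] = "unreadable"
    return results


if __name__ == "__main__":
    for path, kind in scan(sys.argv[1:]).items():
        print(f"{kind:14} {path}")
```

Run it as `python3 pie_check.py /usr/bin/bash /usr/bin/strings` to see which installed executables would actually be randomised under ASLR.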