[Fedora-packaging] RFC mass bug reporting: checksec failures
Adam Jackson
ajax at redhat.com
Thu Sep 17 13:31:53 UTC 2015
On Thu, 2015-09-17 at 12:00 +0100, Steve Grubb wrote:
> Also, the full RELRO thing is a bit oversold. You need it if the
> executable is PIE, and that's not needed in the general case. There are
> far worse problems that are easy to fix that are not getting attention.
> With the RELRO thing, you already have to have an exploit that allows
> writing arbitrary memory under attacker control. Most vulnerabilities
> just don't have this quality about them.
Honestly the security benefits are a sideshow to me. Full relro and
eager binding means that C's const keyword actually works. That alone
justifies the effort to me.
> What is more important is preventing common vulnerabilities from
> achieving control over execution with simple heap and stack corruption
> bugs. Hopefully we can start addressing this in F24.
I look forward to your patches.
- ajax
More information about the devel
mailing list