GccSsp

Revision 4 as of 2006-06-14 12:58:25

Clear message

Summary

gcc 4.1 comes with SSP now, which is a nice technology to mitigate exploitability of many buffer overflows. This greatly enhances security in the time between publication of a vulnerability and the USN.

Edgy is a good opportunity to try it out for some particular packages and provide a parallel test archive with SSP enabled by default, so that we can thoroughly test it. If all goes well, we should enable it by default in edgy+1.

Rationale

Use cases

Scope

Design

Implementation

Code

Data preservation and migration

Outstanding issues

BoF agenda and discussion

Field research

The following dapper packages have been tested with SSP enabled (built with gcc-4.1 and -fstack-protector under edgy):

perl

ok

python

ok

apache2

ok

php5

ok

postgresql-8.1

ok on amd64/edgy, fail in sid/i386 due to obscure linking problem

firefox

FTBFS with gcc 4.1

mysql-dfsg-5.0

FTBFS with gcc 4.1

glib2.0

gtk+2.0

glibc


CategorySpec