Date: Thu, 19 May 2011 00:45:23 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Multiple libraries privilege checking On Tue, May 17, 2011 at 01:18:33PM +0200, Sebastian Krahmer wrote: > I uploaded a openssl-1.0.0d patch to > > http://suse.de/~krahmer/libs-vs-fscaps Thank you! > The prefered way is to check the dumpable flag via prctl() which > is detected by the config script. This is fail-open (at build time). If the -e "/usr/include/sys/prctl.h" check somehow fails, we silently get an insecure build. Of course, risks of this nature are extremely common, but we're trying to deal with them. In our package of rpm, we have the configure-presets script, which looks like: #!/bin/sh # These autoconf variables are predefined to harden configure checks for # security sensitive functions, and to speedup configure checks for # most popular functions. export ac_cv_func_alloca=yes export ac_cv_func_asprintf=yes export ac_cv_func_atexit=yes export ac_cv_func_bcopy=yes export ac_cv_func_dcgettext=yes export ac_cv_func_fchdir=yes ... export ac_cv_func_utimes=yes export ac_cv_func_vasprintf=yes export ac_cv_func_vfork=yes export ac_cv_func_vprintf=yes export ac_cv_func_vsnprintf=yes export ac_cv_func_waitpid=yes export ac_cv_func_wcslen=yes export ac_cv_func_wcwidth=yes This script is sourced in our %___build_pre macro. Maybe you should simply drop the -e "/usr/include/sys/prctl.h" check, leaving only the $target =~ /^linux/i check? Thanks again, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.