[FreeBSD-Ports-Announce] [CFT/HEADSUP] Ports now have Stack Protector support

[FreeBSD-Ports-Announce] [CFT/HEADSUP] Ports now have Stack Protector support

Bryan Drewery-6
Ports now support enabling Stack Protector [1] support on FreeBSD 10
i386 and amd64, and older releases on amd64 only currently.

Support may be added for earlier i386 releases once all ports properly
respect LDFLAGS.

To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports.

The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
may optionally be set instead.

Please help test this on your system. We would like to eventually enable
this by default, but need to identify any major ports that have run-time
issues due to it.

[1] https://en.wikipedia.org/wiki/Buffer_overflow_protection

--
Regards,
Bryan Drewery







[FreeBSD-Ports-Announce] [CFT] SSP Package Repository available

Bryan Drewery-6
On 9/21/2013 5:49 AM, Bryan Drewery wrote:

> Ports now support enabling Stack Protector [1] support on FreeBSD 10
> i386 and amd64, and older releases on amd64 only currently.
>
> Support may be added for earlier i386 releases once all ports properly
> respect LDFLAGS.
>
> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports.
>
> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
> may optionally be set instead.
>
> Please help test this on your system. We would like to eventually enable
> this by default, but need to identify any major ports that have run-time
> issues due to it.
>
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>
We have not had any feedback on this yet and want to get it enabled by
default for ports and packages.

We now have a repository that you can use rather than the default to
help test. We need your help to identify any issues before switching the
default.

This repository is available for:

head
10.0
9.1,9.2,9.3

It is not available for 8.4. If someone is willing to test on 8.4 I will
build a repository for it.

Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:

FreeBSD: { enabled: no }
FreeBSD_ssp: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

Once that is done you should force reinstall packages from this repository:

  pkg update
  pkg upgrade -f

Thanks for your help!
Bryan Drewery
On behalf of portmgr.
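
Added example, not part of either message or of the ports tree: a sh script that lists which ELF files under a prefix reference `__stack_chk_fail`, as a quick check after rebuilding with WITH_SSP=yes or reinstalling from the SSP repository. The helper names, the nm(1)-based check and the /usr/local path in the comment are assumptions.

```sh
#!/bin/sh
# Added example: list which ELF files under a prefix reference the stack
# protector runtime. Helper names and the nm(1)-based check are assumptions.

# Read `nm -D` output on stdin; print "ssp" when the object imports or
# defines a __stack_chk_fail symbol, otherwise "no-ssp".
ssp_status() {
    if grep -q ' [A-Za-z] __stack_chk_fail'; then
        echo ssp
    else
        echo no-ssp
    fi
}

# Print "<status> <path>" for every ELF executable or shared object in $1.
audit_tree() {
    find "$1" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        # Keep only files starting with the ELF magic 0x7f 'E' 'L' 'F'.
        magic=$(head -c 4 "$f" 2>/dev/null | od -An -c | tr -d ' \n')
        [ "$magic" = '177ELF' ] || continue
        printf '%s %s\n' "$(nm -D "$f" 2>/dev/null | ssp_status)" "$f"
    done
}

# Constructed sample of `nm -D` output for a binary built with SSP.
SAMPLE_NM='                 U __stack_chk_fail
                 U __stack_chk_guard
                 U printf
0000000000400a10 T main'

# With a directory argument (e.g. /usr/local) audit it; else classify the sample.
if [ $# -gt 0 ]; then
    audit_tree "$1"
else
    printf '%s\n' "$SAMPLE_NM" | ssp_status
fi
```

With the default -fstack-protector, a binary whose functions have no qualifying stack buffers carries no reference to the symbol, so "no-ssp" lines are a list to review rather than proof that the flag was ignored.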

