commit 62f3121a3d209fb4f826988d53b1aac93842502c Author: Florent Daigniere nextgens@freenetproject.org Date: Thu Mar 15 10:02:30 2012 +0000
fix for bug #5210: enable GCC and LD hardening by default --- changes/bug5210 | 2 ++ configure.in | 12 ++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/changes/bug5210 b/changes/bug5210
new file mode 100644
index 0000000..b07e7f1
--- /dev/null
+++ b/changes/bug5210
@@ -0,0 +1,2 @@
+ o Security fixes:
+ - Enable gcc and ld hardening by default. Fixes bug 5210.
diff --git a/configure.in b/configure.in
index 7415ce8..4a3ed0e 100644
--- a/configure.in
+++ b/configure.in
@@ -122,19 +122,23 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
 dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 AC_ARG_ENABLE(gcc-hardening,
- AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
+ AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks),
+ [],
+ [enableval=yes;])
 [if test x$enableval = xyes; then
 CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
 CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
 CFLAGS="$CFLAGS --param ssp-buffer-size=1"
 LDFLAGS="$LDFLAGS -pie"
-fi])
+fi]
dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,
- AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
-[if test x$enableval = xyes; then
+ AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups),
+ [],
+ [enableval=yes;])
+AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
 LDFLAGS="$LDFLAGS -z relro -z now"
 fi])
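Review bot: With hardening now on by default, the gcc-hardening block appends `-fstack-protector-all`, `-fPIE` and `-pie` without checking that the compiler and linker accept them, and the linker block's `AC_CHECK_HEADER([elf.h], …)` only shows that a header exists, not that `-z relro -z now` links. A toolchain that rejects one flag would presumably fail in later configure tests, and the likely workaround, `--disable-gcc-hardening`, drops every mitigation at once; where `elf.h` is absent the relro/now flags are skipped with no message, so a build can lose them silently. I would probe each flag group with a link (or compile) test and emit `AC_MSG_WARN` when a group is dropped, as sketched below for the linker flags; the same pattern applies to the compiler flags. Some linkers only warn on an unknown `-z` keyword, so the probe is a floor rather than proof that relro is in effect.

```m4
dnl … unchanged: AC_ARG_ENABLE(linker-hardening, …) defaulting enableval to yes …
if test "x$enableval" = xyes; then
    saved_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS -z relro -z now"
    AC_MSG_CHECKING([whether the linker accepts -z relro -z now])
    AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
        [AC_MSG_RESULT([yes])],
        [AC_MSG_RESULT([no])
         LDFLAGS="$saved_LDFLAGS"
         AC_MSG_WARN([linker hardening is not supported here; building without -z relro -z now])])
fi
```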