[tor-bugs] #5210 [Tor Client]: Enable gcc and ld hardening by default in 0.2.3.x

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Mar 14 22:46:42 UTC 2012


#5210: Enable gcc and ld hardening by default in 0.2.3.x
------------------------+---------------------------------------------------
 Reporter:  ioerror     |          Owner:  ioerror           
     Type:  defect      |         Status:  new               
 Priority:  major       |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Client  |        Version:                    
 Keywords:  security    |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by arma):

 nextgens gives us this patch:
 {{{
 diff --git a/changes/bug5210 b/changes/bug5210
 new file mode 100644
 index 0000000..b07e7f1
 --- /dev/null
 +++ b/changes/bug5210
 @@ -0,0 +1,2 @@
 +  o Security fixes:
 +    - Enable gcc and ld hardening by default. Fixes bug 5210.
 diff --git a/configure.in b/configure.in
 index 7415ce8..23dcc07 100644
 --- a/configure.in
 +++ b/configure.in
 @@ -122,19 +122,23 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
  dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on
 Windows
  dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
  AC_ARG_ENABLE(gcc-hardening,
 -     AS_HELP_STRING(--enable-gcc-hardening, enable compiler security
 checks),
 +    AS_HELP_STRING(--disable-gcc-hardening, disable compiler security
 checks),
 +    [enableval=no;],
 +    [enableval=yes;])
  [if test x$enableval = xyes; then
      CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
      CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
      CFLAGS="$CFLAGS --param ssp-buffer-size=1"
      LDFLAGS="$LDFLAGS -pie"
 -fi])
 +fi]

  dnl Linker hardening options
  dnl Currently these options are ELF specific - you can't use this with
 MacOSX
  AC_ARG_ENABLE(linker-hardening,
 -        AS_HELP_STRING(--enable-linker-hardening, enable linker security
 fixups
 -[if test x$enableval = xyes; then
 +    AS_HELP_STRING(--disable-linker-hardening, disable linker security
 fixups),
 +    [enableval=no;],
 +    [enableval=yes;])
 +AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
      LDFLAGS="$LDFLAGS -z relro -z now"
  fi])
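Review bot: The action-if-given argument `[enableval=no;]` runs for both `--enable-gcc-hardening` and `--disable-gcc-hardening`, so a packaging script that still passes the old `--enable-gcc-hardening` would now switch the compiler hardening off without any message. Leaving that argument empty keeps the value autoconf already derived from the option, and the default comes from the not-given branch alone: `[], [enableval=yes;])`. The `linker-hardening` block further down in this hunk has the same override and needs the same change. Now that both sets of flags are on by default, nothing visible here probes whether the compiler and linker accept them (the context comment still says this requires gcc), and a missing `elf.h` skips `-z relro -z now` silently. An `AC_MSG_NOTICE` in that case, or a summary line of the hardening actually applied, would let a builder see what the binary ended up with.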
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5210#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

