Bug#613763: totem: enable security hardening in build via hardening-wrapper

Kees Cook kees at debian.org
Thu Feb 17 19:17:43 UTC 2011


Hi Sebastian,

On Thu, Feb 17, 2011 at 09:09:21AM +0100, Sebastian Dröge wrote:
> On Wed, 2011-02-16 at 17:15 -0800, Kees Cook wrote:
> > Since totem deals with media files, it should be hardened against potential
> > malicious attacks. This patch enables the hardening features in the toolchain.
> 
> Not sure how useful this is when applied to totem only. Totem uses other
> libraries to handle with media files and playlists.

Right, so to avoid the totem binaries having their .text regions being
usable as a ROP target, it's best to fully PIE the build so that every
aspect of the binary has been ASLRed.

(Talk about acronym soup, sorry about that; links below if anyone needs
pointers.)

Each library can certainly gain hardening options as well. This bug is
specifically about totem binaries themselves.

-Kees

http://en.wikipedia.org/wiki/Return-oriented_programming
http://en.wikipedia.org/wiki/Position-independent_code#Position-independent_executables
http://en.wikipedia.org/wiki/ASLR

-- 
Kees Cook                                            @debian.org






More information about the pkg-gnome-maintainers mailing list