PIE-compiled packages uploaded
Kees Cook
kees at ubuntu.com
Tue Aug 26 00:14:24 BST 2008
Based on a list[1] of various packages that the Security Team thought it might
make sense to add more protections to, I have now uploaded the following
packages with PIE compilation enabled (via the hardening-wrapper[2]
Build-Dep):
apache2
mysql-dfsg-5.0
bind9
openldap
postfix
samba
dovecot
dhcp3
postgresql-8.3
I haven't seen any problems in my testing so far, but I wanted to call
attention to this change, since these are the first bulk PIE build changes
we've made. (This package list joins openssh and avahi, which are
already built "natively" with PIE, and quagga, which uses the wrapper in
Debian already.)
If there are other packages that make sense to do this for, please feel
free to do it and add them to the wiki list. Note that there is some
performance loss on i386, which is why this option is not on by default.
Thanks,
-Kees
[1] https://wiki.ubuntu.com/Security/HardeningWrapper#targets
[2] http://wiki.debian.org/Hardening
Note that all the other options besides PIE are already enabled
in Intrepid via the compiler defaults:
https://wiki.ubuntu.com/CompilerFlags
--
Kees Cook
Ubuntu Security Team