[ubuntu-hardened] Probably not in time for Hardy, but just maybe...

Jeff Schroeder jeffschroed at gmail.com
Thu Mar 27 23:27:58 GMT 2008

On Thu, Mar 27, 2008 at 3:58 PM, Kees Cook <kees at ubuntu.com> wrote:
> On Thu, Mar 27, 2008 at 03:44:25PM -0700, Jeff Schroeder wrote:
>  > A little security never hurt anyone. If memory serves, these make ASLR
>  > pretty much complete in Linux. Now you don't need to use PaX for ASLR
>  > anymore.
>  >
>  > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cc503c1b43e002e3f1fed70f46d947e2bf349bb6
>
>  This is already in Hardy[1] -- I made sure of it.  Note that to use it,
>  you need to have a PIE-compiled application to start with (same was true
>  for PaX).  We don't have a lot of those, but we do have some in Hardy
>  (ssh and dbus, AFAIR).
>
>  > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c1d171a002942ea2d93b4fbd0c9583c56fce0772
>
>  This would have been nice to have, except that Jiri already went several
>  rounds with the PIE patches (for which I was doing testing) that had
>  various regressions, that I didn't want to introduce the brk offset
>  randomization too.  This will be in intrepid though, and hopefully with
>  PIE builds by default we'll be totally done.  :):)
>
>  -Kees
>
>  [1] http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/

Even better!

Is there a sane way to get the compile flags without having every
single source archive in the repository to see what is PIE and what's

Is avahi on that list? Even with a chroot, it worries me that it is
installed and listening by default.

Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
