[ubuntu-hardened] Build of flashplugin-nonfree in Ubuntu 12.04 LTS Release.
Kees Cook
kees at ubuntu.com
Thu Dec 31 18:37:08 UTC 2015
It appears to be built using Red Hat's gcc:
$ strings -a /usr/lib/flashplugin-installer/libflashplayer.so | grep -i gcc | sort | uniq -c
1 .gcc_except_table
1241 GCC: (GNU) 4.3.2
54 GCC: (GNU) 4.3.2 20081105 (Red Hat 4.3.2-7)
1 GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3
So it does not benefit from Ubuntu's default compiler flags. It does appear
to be built with at least -fstack-protector, though:
$ objdump -d /usr/lib/flashplugin-installer/libflashplayer.so | grep stack_chk | wc -l
17
But why do this the hard way? Let's ask "hardening-check" instead:
$ hardening-check /usr/lib/flashplugin-installer/libflashplayer.so
/usr/lib/flashplugin-installer/libflashplayer.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
It's not built with -D_FORTIFY_SOURCE=2, nor RELRO, nor BIND_NOW.
Though it's at least correctly built with the GNU_STACK non-executable
header:
$ readelf -lW /usr/lib/flashplugin-installer/libflashplayer.so | grep GNU_STACK
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x8
"RW" not "RWE".
-Kees
On Thu, Dec 31, 2015 at 02:29:18PM +0100, daniel curtis wrote:
> Hi.
>
> I have only one question regarding the flashplugin-nonfree package.
> According to a build log[1], there is not any CFLAGS,
> CPPFLAGS, CXXFLAGS etc., exported from a dpkg-buildflags,
> right? I mean, for example, `-fstack-protector`, `-Wl,z,relro`
> or `-D_FORTIFY_SOURCE`, to name a few.
>
> I'm asking, because mentioned dpkg-buildflag exports, could
> reduce the possible areas that can be used by an attacker, to
> perform a successful attack etc. Is the flashplugin-nonfree
> package built with hardened flags? What a naive question...
>
> Maybe I'm wrong and the flashplugin-nonfree package is already
> protected with at least one of the mentioned methods. So, what is
> an answer? Or maybe I misunderstood something? (e.g. build
> process etc.)
>
> Best regards.
> _____________
> [1]
> https://launchpadlibrarian.net/232146187/buildlog_ubuntu-precise-i386.flashplugin-nonfree_11.2.202.559ubuntu0.12.04.1_BUILDING.txt.gz
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
--
Kees Cook