Mailinglist Archive: opensuse-packaging (75 mails)

Re: [opensuse-packaging] Lightweight buffer overflow handling in 10.0 / Factory
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Fri, 13 Jan 2006 10:15:57 +0100
  • Message-id: <200601131015.57297.adrian@xxxxxxx>
On Friday, 13 January 2006 00:06, Pascal Bleser wrote:
> Marcus Meissner wrote:
> > Introduced with 10.0 snapshot 2 we are now using "-D_FORTIFY_SOURCE=2" as
> > default in the RPM_OPT_FLAGS.
>
> Yes, that GCC feature already has been helpful in a few cases (to sort out
> e.g. double memory deallocation).
>
> > We have fixed all problems we found in the buildsystem already.
>
> ?

means all packages in factory got fixed.

> > Packager TODOs:
> > ===============
> > However, this requires the following from you:
> > * Make sure that strcpy, memcpy and friends are not implicitly defined.
> > If you see this warning:
> > "implicit declaration of function 'strcpy'"
> > it will not detect those simple buffer overflows.
> > To fix such cases, include the standard header: <string.h>
> > (for *printf warnings, <stdio.h>)
>
> Thanks for that information, I'll try to fix them all from now on.
> Sometimes I do, sometimes I don't, depends on the number (and the time I
> have ;)). I'll do my best to fix them all from now on.
> Hopefully upstream will pick up the patches.
>
> Could it be possible to have a "packager corner" on the opensuse wiki and
> post stuff like that over there ? Would be helpful when we submit patches
> to upstream, we can give them a link to your explanation, which should give
> some weight to the patches ;)

There is already the package howto, this could maybe be added there.

> > The logfile separated by maintainer is in: <internalpath>
> > the full warnings logfile is at <internalpath>
>
> What is <internalpath> ? *grin* ;)

because Marcus is the security hero ;)

bye
adrian

--

Adrian Schroeter
SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
email: adrian@xxxxxxx
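
Added example (not part of the original mail and not SUSE's own tooling): a small Python scanner for the check described in the quoted packager TODO. It flags "implicit declaration" warnings for functions that then lose their -D_FORTIFY_SOURCE=2 check and names the header to include. The function list, the accepted warning formats and the sample log are assumptions constructed for illustration.

```python
import re

# Header that declares each fortifiable function. The mail names <string.h>
# and <stdio.h>; the function list is an assumed, illustrative subset.
HEADERS = {
    "string.h": {"strcpy", "strncpy", "strcat", "strncat",
                 "memcpy", "memmove", "memset"},
    "stdio.h": {"sprintf", "snprintf", "vsprintf", "vsnprintf"},
}
HEADER_FOR = {fn: hdr for hdr, fns in HEADERS.items() for fn in fns}

# GCC has quoted the name as `f', 'f' or ‘f’ depending on version and locale;
# newer versions also print a column number after the line number.
WARNING = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*warning:\s*"
    r"implicit declaration of function\s+[`'‘](?P<func>\w+)['’]"
)

def unfortified_calls(log_text):
    """Return (file, line, function, header) for each warning that means a
    fortifiable call is compiled without its _FORTIFY_SOURCE check."""
    findings = []
    for raw in log_text.splitlines():
        m = WARNING.match(raw.strip())
        if m and m.group("func") in HEADER_FOR:
            func = m.group("func")
            findings.append((m.group("file"), int(m.group("line")),
                             func, HEADER_FOR[func]))
    return findings

def missing_includes(findings):
    """Group findings into {source file: sorted headers to include}."""
    todo = {}
    for path, _line, _func, header in findings:
        todo.setdefault(path, set()).add(header)
    return {path: sorted(hdrs) for path, hdrs in todo.items()}

# Constructed sample build log (not taken from any real package).
SAMPLE_LOG = """\
util.c:41: warning: implicit declaration of function `strcpy'
util.c:57: warning: implicit declaration of function 'sprintf'
net.c:12:5: warning: implicit declaration of function ‘memcpy’
net.c:30: warning: implicit declaration of function 'my_helper'
net.c:44: warning: unused variable 'i'
"""

if __name__ == "__main__":
    for path, hdrs in missing_includes(unfortified_calls(SAMPLE_LOG)).items():
        print(path, "->", ", ".join(f"#include <{h}>" for h in hdrs))
```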

