robert at linuxfromscratch.org
Tue Aug 8 01:21:47 PDT 2006
Hi. Owl/Openwall have a large assortment of security-related patches for just
about every package.
For starters, Owl has a patch for Gzip which cleans up the gzexe.in and
zdiff.in shell scripts. For example, the vanilla Gzip does not remove the
temp files it created if gzip fails to decompress a file; the Owl patch
removes the temp file before exiting the script if gzip fails. /bin/mktemp is
added to the gzip scripts by the patch too, rather than using non-random temp
files. Our mktemp is installed to /usr/bin, so either move mktemp to /bin or
adjust the patch. There are a couple of other modifications too. The name of
the patch is "gzip-1.3.5-openbsd-owl-tmp.patch" if any of you want to take a
look at it. It's not a critical patch, but I think it would be a good idea to
add it to the book.
There's a patch for Glibc named "glibc-2.3.5-owl-alt-sanitize-env.diff". This
patch does aggressive sterilization of the environment while running programs
linked to libc. This patch is half-critical. It helps prevent
environment-based exploits. Ncurses has a patch to use the new functions
added by the sanitize-env patch.
Another Glibc patch, "glibc-2.3.5-openbsd-strlcpy-strlcat.diff", adds safer
replacements for strncpy and strncat. Drepper and Linus have both commented on
the strlcpy and strlcat functions. Drepper does not think they're suitable
for Glibc because programmers should use strncpy and strncat properly. Linus
has added strlcpy and strlcat functions to the kernel libraries. Taking the
attitude of 'it's better to be safe than sorry', it would be good to use
these functions. These functions help prevent buffer overflows. Many packages
check for strncpy and strncat during configure to see if they can be used.
There are also several other Glibc patches that are worth adding to HLFS, not
to mention the blowfish crypt functions, and several patches to correct GCC
warnings in some packages.
Off topic: from what I gather, mktemp is used in Binutils because it's
portable... every system has mktemp. There are a couple of patches on Google
which add mkdtemp/mkstemp to Binutils to not only remove the compiler
warnings, but also use better temp filenames.
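The temp-file discipline the Gzip patch and the Binutils remark both call for, as an added example written for this page (it is not the Owl patch and not code from Gzip or Binutils): an unpredictable name from mkstemp(3), removal of the temp file on every failure path, and an atomic rename over the target only on success. It is in C rather than the shell of gzexe.in so the same pattern reads across to the mktemp-in-Binutils case. decompress_step, rebuild_via_tmp, count_prefixed, read_small and the gzexe_demo.out path are assumed names chosen for the illustration; decompress_step is a constructed stand-in for "gzip -d" that exists only so the failure path can be exercised offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for "gzip -d" (hypothetical): input starting with
 * "GZ:" is "valid" and its remainder is written to fd; anything else is
 * treated as a corrupt archive. Returns 0 on success, -1 on failure. */
static int decompress_step(const char *input, int fd) {
    if (strncmp(input, "GZ:", 3) != 0) {
        errno = EINVAL;
        return -1;
    }
    const char *payload = input + 3;
    size_t len = strlen(payload);
    return write(fd, payload, len) == (ssize_t)len ? 0 : -1;
}

/* Rebuild `target` from `input` through a temp file in the same directory.
 * mkstemp() picks an unpredictable name and creates the file O_EXCL with
 * mode 0600, so a pre-placed symlink cannot redirect the write. On any
 * failure the temp file is unlinked (the cleanup vanilla gzexe.in skips);
 * on success it is renamed over target, so readers never see a half-written
 * file and a failed run leaves the old target untouched. */
int rebuild_via_tmp(const char *target, const char *input) {
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", target) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmpl);          /* tmpl now holds the real temp name */
    if (fd < 0)
        return -1;

    int rc = decompress_step(input, fd);
    if (rc == 0 && fsync(fd) != 0)
        rc = -1;
    if (close(fd) != 0)
        rc = -1;
    if (rc == 0 && rename(tmpl, target) != 0)
        rc = -1;
    if (rc != 0) {
        int saved = errno;
        unlink(tmpl);                /* never leave "<target>.XXXXXX" behind */
        errno = saved;
    }
    return rc;
}

/* Number of entries in dir whose names begin with prefix; used to confirm a
 * failed run left no "<target>.XXXXXX" file. Returns -1 if dir cannot be read. */
int count_prefixed(const char *dir, const char *prefix) {
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strncmp(e->d_name, prefix, strlen(prefix)) == 0)
            n++;
    closedir(d);
    return n;
}

/* Read at most n-1 bytes of path into buf, NUL-terminated; returns the byte
 * count or -1 if the file cannot be opened. */
long read_small(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

int main(void) {
    const char *target = "gzexe_demo.out";   /* constructed path in the cwd */
    int ok = rebuild_via_tmp(target, "GZ:#!/bin/sh\n");
    printf("valid input    -> %d\n", ok);
    int bad = rebuild_via_tmp(target, "garbage");
    printf("corrupt input  -> %d (%s)\n", bad, strerror(errno));
    printf("stray temp files left behind: %d\n", count_prefixed(".", "gzexe_demo.out."));
    unlink(target);
    return 0;
}
```

The order of operations is the point: the target name is only ever touched by rename(2), so the observable states are "old target", "new target", or "old target plus nothing", never "truncated target" or "target plus a stray temp file". The errno save around unlink keeps the caller's error reason intact.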
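For the strlcpy/strlcat paragraph, an added example that is not the Owl glibc patch: a pair of functions with the OpenBSD strlcpy/strlcat contract under the assumed names owl_strlcpy and owl_strlcat (kept distinct from any strlcpy a modern C library may already export), beside a small check showing the strncpy behaviour that makes the replacements worth having. The helper names strncpy_terminated and strlcpy_terminated are also chosen here for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* owl_strlcpy (assumed name; OpenBSD strlcpy contract): copy src into dst of
 * dsize bytes, always NUL-terminating when dsize > 0. Returns strlen(src);
 * a return value >= dsize tells the caller the copy was truncated. */
size_t owl_strlcpy(char *dst, const char *src, size_t dsize) {
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* owl_strlcat (assumed name; OpenBSD strlcat contract): append src to the
 * NUL-terminated string in dst. Returns the length the result would have had;
 * >= dsize means truncation. If dst is not terminated within dsize, nothing is
 * appended and dsize + strlen(src) is returned, which still reads as
 * "truncated" to the caller instead of running off the end of dst. */
size_t owl_strlcat(char *dst, const char *src, size_t dsize) {
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dsize)
        return dsize + strlen(src);
    return dlen + owl_strlcpy(dst + dlen, src, dsize - dlen);
}

/* The strncpy pitfall: it NUL-pads only when src is shorter than dsize and
 * leaves dst unterminated when src fills it. Returns 1 if dst is terminated
 * within dsize after strncpy(), 0 if not. The buffer is pre-filled with 'X'
 * to stand in for stale bytes a real buffer might hold. */
int strncpy_terminated(const char *src, size_t dsize) {
    char dst[32];
    if (dsize > sizeof dst)
        dsize = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, dsize);
    return memchr(dst, '\0', dsize) != NULL;
}

/* Same inputs through owl_strlcpy: always terminated, and *truncated is set
 * when src did not fit, so the caller can act on it instead of guessing. */
int strlcpy_terminated(const char *src, size_t dsize, int *truncated) {
    char dst[32];
    if (dsize > sizeof dst)
        dsize = sizeof dst;
    memset(dst, 'X', sizeof dst);
    *truncated = owl_strlcpy(dst, src, dsize) >= dsize;
    return memchr(dst, '\0', dsize) != NULL;
}

int main(void) {
    char buf[8];
    size_t need = owl_strlcpy(buf, "hello world", sizeof buf);
    printf("strlcpy -> \"%s\" (needed %zu, truncated: %s)\n", buf, need,
           need >= sizeof buf ? "yes" : "no");
    owl_strlcpy(buf, "hi", sizeof buf);
    need = owl_strlcat(buf, " there", sizeof buf);
    printf("strlcat -> \"%s\" (needed %zu)\n", buf, need);
    printf("strncpy of 11 bytes into 8 terminated? %d\n",
           strncpy_terminated("hello world", 8));
    return 0;
}
```

Two points a practitioner should notice: the return value is the whole reason to prefer these over strncpy, because "did it fit?" is answered without a second strlen, and owl_strlcat's scan is bounded by dsize, so a caller that was handed an unterminated buffer still gets a sane answer rather than a read past the end.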