[OTR-dev] Fwd: DEP and ASLR on Windows don't appear to be really enabled in the 4.0.0 pidgin-otr release
Ian Goldberg
ian at cypherpunks.ca
Sat Sep 8 18:04:04 EDT 2012
On Sat, Sep 08, 2012 at 12:19:12PM -0400, Daniel Atallah wrote:
> Ian, It looks like this message didn't make it to the list (perhaps
> stuck in a moderation queue or something?).
Due to spam, messages from non-subscribers just get discarded, lest I
have to wade through hundreds a day, I'm afraid. :-(
> ---------- Forwarded message ----------
> From: Daniel Atallah <datallah at pidgin.im>
> Date: Thu, Sep 6, 2012 at 12:58 PM
> Subject: DEP and ASLR on Windows don't appear to be really enabled in
> the 4.0.0 pidgin-otr release
> To: otr-dev at lists.cypherpunks.ca
>
>
> Folks,
>
> I was pointed at the recent changes that were made to the windows
> build to enable DEP and ASLR, in relation to getting similar changes
> made to the Pidgin build.
>
> I noticed that when using the settings as they are in the pidgin-otr
> source, the DEP and ASLR header flags were not set on binaries; this
> is because the --dynamicbase and --nxcompat were only passed to the
> compiler and not to the linker ( -Wl,--dynamicbase -Wl,--nxcompat).
>
> I just checked the pidgin-otr binaries that are being distributed and
> it looks like they have the same problem, neither the pidgin-otr.dll,
> nor the various executables that are installed in the
> %PROGRAMFILES%\pidgin-otr directory have header flags set (with the
> end effect that ASLR will not be used (the impact of the DEP flag
> depends on the OS configuration)).
Indeed, the libotr configure script is outputting:
checking whether the linker accepts --dynamicbase... no
checking whether the linker accepts --nxcompat... no
Because of:
configure:11155: i586-mingw32msvc-gcc -o conftest.exe -g -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector -fwrapv -fno-strict-overflow -Wall -Wextra -Wno-unused-parameter -Wformat-security --param ssp-buffer-size=1 -pedantic -Werror -pie --dynamicbase conftest.c -lgcrypt >&5
cc1: error: unrecognized command line option "-fdynamicbase"
The configure.ac says:
OTR_CHECK_LDFLAGS(--dynamicbase, "$all_ldflags_for_check", "$all_libs_for_check")
So it's failing trying to add --dynamicbase to LDFLAGS, because the
LDFLAGS actually get passed to gcc.
Jake, didn't you copy this from the Tor hardening? Do they not have
this issue? (Ah, I believe I remember Tor actually builds *on* win32,
whereas we're cross-compiling. Could that be the difference?)
Better question: I can't seem to get m4 to accept `-Wl,--dynamicbase' as
the first argument above. I'm definitely not an autoconf expert,
though. Does anyone know how to get that comma properly escaped?
Similarly, the pidgin-otr Makefile.mingw uses just --dynamicbase and
--nxcompat, not -Wl,--dynamicbase and -Wl,--nxcompat (and not in the
compile lines at all). But that's straightforward to fix, as no
autoconfing is involved. Should they be passed to both the compiler and
linker, or just the linker?
Thanks,
- Ian
More information about the OTR-dev
mailing list