[exim] Stack protection

Author: Neil Youngman
Date:  
To: exim-users
Subject: [exim] Stack protection
Given that we can't guarantee that Exim contains no further bugs enabling stack overflows, I wondered if it would be wise to add stack protection to the default build?

In Linux this would appear to be a simple case of adding -fstack-protector-all (or -fstack-protector) to CFLAGS in OS/Makefile-Linux:

CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fstack-protector-all

The obvious drawback is that older systems do not support this (I believe it requires at least gcc 4.1). It may also have performance implications or other subtler drawbacks of which I am not aware.

Is there any experience on the list of this?

Is it a good idea?

Are there other similar measures we could take to increase the resilience of the default build to potential exploits?

Neil Youngman
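
The compiler-support concern raised in the message can be settled at build time by probing the compiler. The script below is an added example, not part of the original post and not Exim's own build code: it tries each flag named in the message against a small probe program and prints a CFLAGS line that includes the flag only when the compiler and linker accept it. The function names and the probe program are hypothetical; the base flags are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: probe the compiler before adding a stack-protector flag.
# BASE_CFLAGS is the flag set quoted in the post; function names are hypothetical.
BASE_CFLAGS="-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"

# cc_accepts CC FLAG: succeed only if CC compiles AND links a probe with FLAG.
# Linking matters: the instrumented code calls __stack_chk_fail, which must
# be supplied by libc or libssp.
cc_accepts() {
    _cc=$1 _flag=$2 _rc=0
    _dir=$(mktemp -d) || return 2
    # A local char array ensures plain -fstack-protector instruments main too.
    cat > "$_dir/probe.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf[0] == 'x';
}
EOF
    "$_cc" "$_flag" -o "$_dir/probe" "$_dir/probe.c" >/dev/null 2>&1 || _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

# pick_stack_flag CC: print the first flag CC accepts, preferring -all.
pick_stack_flag() {
    for _f in -fstack-protector-all -fstack-protector; do
        if cc_accepts "$1" "$_f"; then
            printf '%s\n' "$_f"
            return 0
        fi
    done
    return 1
}

# hardened_cflags CC: print the CFLAGS line, with the flag only if supported.
hardened_cflags() {
    _sp=$(pick_stack_flag "$1") || _sp=
    printf 'CFLAGS=%s%s\n' "$BASE_CFLAGS" "${_sp:+ $_sp}"
}

hardened_cflags "${CC:-cc}"
```

Run it with CC set to the compiler used for the build; on a compiler that rejects both flags it prints the unmodified CFLAGS line.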