On Mon, Jun 28, 2004 at 07:41:23PM +0200, Javier Fernández-Sanguino Peña wrote:
> Actually, I would be interested in including that in the Debian Security
> Manual, if you send me the writeup and scripts I will try to format it
> properly and add it there.
This is the small writeup that I gave out to Paul earlier today,
it'll need some reworking to fit into the HOWTO.
I did wonder previously if I should file an ITP for debian-builder,
I'm not sure how useful it is...
----
Rebuilding packages with SSP protection is a pretty simple
process with all the right software installed.
Currently you need three things:
1. SSP Enabled GCC.
This should be pretty obvious! This compiler will give you
the ability to compile software with the additional protection
included if you add '-fstack-protector' to your command line.
2. wrap-gcc
This is a small package which I wrote, using Debian's diversions
system. It is a wrapper around GCC which transparently adds the
'-fstack-protector' flag to all compilations. With this installed
and the compiler you get stack protection without any effort.
3. debian-builder
This is another Perl script which I wrote which is actually capable
of building a package from source. Invoke it as 'debian-builder foo'
and the source to the package 'foo' will be downloaded, as well as
any packages which are necessary for 'foo' to be rebuilt. Then the
version number has 'ssp' appended to it, and it is built. Afterwards
any packages which were added to your system are removed.
Installing these packages is simple enough. Add the following to your
/etc/apt/sources.list file:
#
# SSP Stuff
#
deb http://people.debian.org/~skx/apt/unstable ./
deb-src http://people.debian.org/~skx/apt/unstable ./
Run 'apt-get update' then 'apt-get upgrade'. This will install the
compiler. (I generally update the packages there within a couple of
days of a new GCC-3.3.x release to unstable).
After that run 'apt-get install debian-builder wrap-gcc' and
you're all set.
To rebuild, say ssh, invoke:
debian-builder --verbose ssh
The compiled packages will be located in /var/cache/debian-builder/deb and
can be installed from there. To test that this has worked you may use
a command like this:
skx@undecided:~$ strings /usr/bin/ssh|grep -i stack
: stack smashing attack in function
Assuming that everything is setup you will see the 'smashing attack'
string, and all is well.
Once that is done you can look at rebuilding bigger packages, such as
Mozilla, perl, etc.
There are some scripts included in /usr/share/doc/debian-builder/examples
which may prove useful. For example you will find 'buildFullyPackage'
which will rebuild the named package _and_ the runtime dependencies
which it requires.
This doesn't yet happen recursively, but that would be trivial to
add. It's also pretty simple but it should avoid rebuilding things which
have already been compiled.
If anybody is doing this I'd strongly suggest you either have a
fast link to a Debian mirror, or an aggressively caching proxy server.
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
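The verification step above (running 'strings' on the rebuilt binary and looking for the 'smashing attack' message) is easy to extend into a scan of a whole directory, which is what you want once you start rebuilding bigger packages. The script below is an added example and is not part of Steve's message, nor code from wrap-gcc or debian-builder. It assumes two things: that the ProPolice-era runtime embeds the literal message "stack smashing attack in function" as the post shows, and that newer GCC/glibc stack-protector builds instead reference the symbol __stack_chk_fail; either string is taken as evidence of protection. It uses tr and grep in place of 'strings' so it also works where binutils is not installed. Note that -fstack-protector only instruments functions the compiler considers to have a qualifying stack buffer, so a binary whose functions contain no such buffers can show no canary string even though it was built with the flag.

```shell
#!/bin/sh
# Added example: scan binaries for stack-protector instrumentation.
# Not part of the original post or of wrap-gcc/debian-builder.
# Assumptions (see lead-in): old ProPolice runtime embeds
#   "stack smashing attack in function"; newer toolchains reference
#   __stack_chk_fail. Either counts as "protected" here.

# Print the printable-string runs (4+ chars) of a file, one per line.
# Portable substitute for `strings`, so binutils is not required.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Exit 0 if the file carries a stack-protector tell-tale, 1 otherwise.
ssp_protected() {
    printable_runs "$1" \
        | grep -q -E 'stack smashing attack in function|__stack_chk_fail'
}

# Exit 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Walk the given files/directories and print one line per ELF file:
#   "PROTECTED   <path>"  or  "UNPROTECTED <path>"
# Non-ELF files (scripts, data, man pages) are skipped silently.
ssp_report() {
    for arg in "$@"; do
        find "$arg" -type f 2>/dev/null | while read -r f; do
            is_elf "$f" || continue
            if ssp_protected "$f"; then
                echo "PROTECTED   $f"
            else
                echo "UNPROTECTED $f"
            fi
        done
    done
}

# Usage (scan the usual binary directories; uncomment to run):
#   ssp_report /usr/bin /usr/sbin /bin /sbin | grep '^UNPROTECTED'
```

Feed it the directories where your rebuilt packages install their binaries; the UNPROTECTED lines are the packages still worth running through debian-builder (or the ones whose functions simply had no buffers for the compiler to guard, which you can confirm by looking at the package's build log).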