From 9d86bf2af699480f999e5ccc6dc882bdca098a76 Mon Sep 17 00:00:00 2001
From: Alain
Date: Thu, 13 Oct 2016 12:38:07 +0200
Subject: [PATCH 1/3] Enhance security using stack protector and -D_FORTIFY_SOURCE
---
 Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index 5d633a7..f5fd37f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -22,7 +22,7 @@ datarootdir=@datarootdir@
 localedir=@localedir@
 gettext_package=@GETTEXT_PACKAGE@
 
-CFLAGS=@CFLAGS@ @PURPLE_CFLAGS@ @DEFS@ -DENABLE_NLS -DLOCALEDIR='"$(localedir)"' -Wall -Wextra -Wno-deprecated-declarations -Wno-unused-parameter -I${srcdir} -I. -fno-strict-aliasing -fPIC
+CFLAGS=@CFLAGS@ @PURPLE_CFLAGS@ @DEFS@ -DENABLE_NLS -DLOCALEDIR='"$(localedir)"' -Wall -Wextra -Wno-deprecated-declarations -Wno-unused-parameter -I${srcdir} -I. -fno-strict-aliasing -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2
 LDFLAGS=@LDFLAGS@ @OPENSSL_LIBS@ @PURPLE_LIBS@ @LIBS@ -rdynamic -ggdb
 DIR_PERM=0755
 FILE_PERM=0644

From 0d0a2cbbd7905f9055346722b6a91133330f38dc Mon Sep 17 00:00:00 2001
From: Alain
Date: Thu, 13 Oct 2016 13:48:06 +0200
Subject: [PATCH 2/3] Check if gcc >= 5.0 before enabling stack smashing protection
---
 Makefile.in | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index f5fd37f..4bb350f 100644
--- a/Makefile.in
+++ b/Makefile.in
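Review bot: `-D_FORTIFY_SOURCE=2` on the new `CFLAGS=` line of PATCH 1/3 is appended unconditionally, but glibc only activates the fortified wrappers when optimisation is enabled, so a build whose `@CFLAGS@` lacks `-O1` or higher gets no protection from it and recent glibc emits a warning instead. If the toolchain or the substituted flags already define the macro with a different value, the second definition also produces a redefinition warning; writing `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` avoids that. A short comment above the line, such as `# _FORTIFY_SOURCE only takes effect with -O1 or higher`, would record the dependency. Both additions are compile-time hardening only; the `LDFLAGS` context line shows no `-Wl,-z,relro -Wl,-z,now`, which would fit the same goal.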
@@ -22,7 +22,7 @@ datarootdir=@datarootdir@
 localedir=@localedir@
 gettext_package=@GETTEXT_PACKAGE@
 
-CFLAGS=@CFLAGS@ @PURPLE_CFLAGS@ @DEFS@ -DENABLE_NLS -DLOCALEDIR='"$(localedir)"' -Wall -Wextra -Wno-deprecated-declarations -Wno-unused-parameter -I${srcdir} -I. -fno-strict-aliasing -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2
+CFLAGS=@CFLAGS@ @PURPLE_CFLAGS@ @DEFS@ -DENABLE_NLS -DLOCALEDIR='"$(localedir)"' -Wall -Wextra -Wno-deprecated-declarations -Wno-unused-parameter -I${srcdir} -I. -fno-strict-aliasing -fPIC -D_FORTIFY_SOURCE=2
 LDFLAGS=@LDFLAGS@ @OPENSSL_LIBS@ @PURPLE_LIBS@ @LIBS@ -rdynamic -ggdb
 DIR_PERM=0755
 FILE_PERM=0644
@@ -31,6 +31,14 @@ CC=@CC@
 PKG_CONFIG=@PKG_CONFIG@
 MSGFMT_PATH=@MSGFMT_PATH@
 
+# Check if GCC >= 5.0 before enabling stack smashing protection
+ifeq "$(CC)" "gcc"
+GCCVERGEQ5 := $(shell expr `$(CC) -dumpversion | cut -f1 -d.` \>= 5)
+ifeq "$(GCCVERGEQ5)" "1"
+ CFLAGS += -fstack-protector-strong
+endif
+endif
+
 DEP=dep
 EXE=bin
 OBJ=objs

From ab7dcb8ee6ca9d5adcc5f1aa757dad9b4ba579b5 Mon Sep 17 00:00:00 2001
From: Alain
Date: Thu, 13 Oct 2016 15:41:22 +0200
Subject: [PATCH 3/3] Changed check if -fstack-protector-strong is supported
---
 Makefile.in | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index 4bb350f..e3ebd84 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -31,13 +31,11 @@ CC=@CC@
 PKG_CONFIG=@PKG_CONFIG@
 MSGFMT_PATH=@MSGFMT_PATH@
 
-# Check if GCC >= 5.0 before enabling stack smashing protection
-ifeq "$(CC)" "gcc"
-GCCVERGEQ5 := $(shell expr `$(CC) -dumpversion | cut -f1 -d.` \>= 5)
-ifeq "$(GCCVERGEQ5)" "1"
+# Check if -fstack-protector-strong is supported before enabling it
+SPUNSUPPORTED = $(shell $(CC) -fstack-protector-strong 2>&1 | grep -c 'stack-protector-strong')
+ifeq "$(SPUNSUPPORTED)" "0"
  CFLAGS += -fstack-protector-strong
 endif
-endif
 
 DEP=dep
 EXE=bin
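Review bot: The `SPUNSUPPORTED` probe added in PATCH 3/3 infers support by counting the flag name in the compiler's error text, with no input file given, instead of checking the exit status; a compiler that rejects the flag with different wording would be treated as supporting it, and the recursive `=` re-runs the shell on every expansion. Keying on the exit status is sturdier, e.g. `SP_OK := $(shell $(CC) -fstack-protector-strong -E -x c /dev/null >/dev/null 2>&1 && echo 1)` tested with `ifeq "$(SP_OK)" "1"`. When the flag is rejected the build currently gets no stack canary at all, so an `else` branch adding `-fstack-protector` (where the compiler accepts it) would keep older toolchains protected. Since this file is a configure template, the check would arguably sit better in the configure script, where the result is computed once rather than on every `make` invocation.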