[cgl_discussion] Re: Buffer overflow

Mika Kukkonen mika at osdl.org
Thu Apr 24 09:24:40 PDT 2003


On Thu, 2003-04-24 at 08:57, Greg KH wrote:
> On Thu, Apr 24, 2003 at 08:22:05AM -0700, Mika Kukkonen wrote:
> > On Wed, 2003-04-23 at 17:23, Greg KH wrote:
> > (...)
> > > And there's things like the StackGuard or ProPolice gcc patches that
> > > might be better to point people at.  However, that's not a kernel
> > > patch/feature, so would not fall under the CGL spec :)
(...)
> Ok then, why not specify a specific version of gcc (like the above
> mentioned versions) if you all really want to worry about something like
> this?

AFAIK some distros already ship with their own modified version of gcc the same
way as they ship with their own modified version of the Linux kernel, and from
the CGL viewpoint this is OK (we do aim to get 99% of our features into the mainline
kernel/gcc, but sometimes that takes a loooong time, or never because of
non-technical issues).

So if our security people feel like adding a generic requirement like
"CGL C compiler should provide the option to compile applications with
StackGuard/ProPolice", I do not have an issue with it.

But I do think this kind of additional checking (which always comes with a
price tag on performance) should be optional, with the actual decision of
whether to use it or not left to the distros and their customers. Hence
the word "optional" in my example above.

Makan/Stefano, any thoughts?

--MiKu
