Review a fix for OpenSSL3 CVE
Joshua Root
jmr at macports.org
Thu Nov 3 03:43:46 UTC 2022
On 2022-11-3 06:56 , Clemens Lang wrote:
> Speaking of this CVE… we don't actually build with the common set of
> security flags in MacPorts, do we? We should probably look into getting
> the common set -fstack-protector-strong -fstack-clash-protection -fPIE
> (probably not required on modern macOS?) -D_FORTIFY_SOURCE=3
> -fcf-protection=full (on x86_64) and maybe -Wl,-bind_at_load
> -Wl,-read_only_stubs.
>
> Does anybody have a good overview of what the recommended set of
> security compiler flags is on macOS? Quick testing suggests everything
> but -fstack-protector-strong and -D_FORTIFY_SOURCE is already on by
> default.
_FORTIFY_SOURCE is also on by default since 10.6.
<https://github.com/apple-oss-distributions/Libc/blob/7380dc7cf0fc04550c72f34d38088b4db8668f40/include/_types.h#L60-L66>
Though that's set to 2 not 3, it looks like setting it to anything
higher than 2 does nothing extra in libc at least.
Apple has generally been pretty good about enabling these hardening
measures. The difficult work would be figuring out on which OS and Xcode
versions these options can be used and are not already enabled.
- Josh
More information about the macports-dev
mailing list